Fix Fuzzer Crash in ClusterFuzz Due to Missing Git Executable by DaveLak · Pull Request #1906 · gitpython-developers/GitPython

@DaveLak

A Git executable is not globally available in the ClusterFuzz container
environment where OSS-Fuzz executes fuzz tests, causing an error in the fuzz
harnesses when GitPython attempts to initialize, crashing the tests before they
can run.

To avoid this issue, we bundle the `git` binary that is available in the OSS-Fuzz
build container with the fuzz harness via PyInstaller's `--add-binary` flag in
`build.sh` and use GitPython's `git.refresh(<full-path-to-git-executable>)`
method inside a PyInstaller runtime check to initialize GitPython with the
bundled Git executable when running from the bundled application.

In all other execution environments, we assume a `git` executable is available
globally.

Fixes:
- gitpython-developers#1905
- google/oss-fuzz#10600


DaveLak added a commit to DaveLak/GitPython that referenced this pull request (Apr 26, 2024):

This is a second attempt at gitpython-developers#1906 and should resolve:
- gitpython-developers#1905
- google/oss-fuzz#10600

PR gitpython-developers#1906 had the right idea but wrong implementation, and the differences between
the ClusterFuzz image that it was supposed to fix and the OSS-Fuzz image where
the fix was tested led to the issue not being fully resolved.

The root cause of the issue is the same: A Git executable is not globally
available in the ClusterFuzz container environment where OSS-Fuzz executes
fuzz tests.

gitpython-developers#1906 attempted to fix the issue by bundling the Git binary and using
GitPython's `git.refresh(<full-path-to-git-executable>)` method to set it
inside the `TestOneInput` function of the test harness.

However, GitPython attempts to set the binary at import time via its `__init__`
hook, and crashes the test if no executable is found during the import.

This issue is fixed here by setting the environment variable that GitPython
looks in before importing it, so it's available for the import. This was tested
by setting the `$PATH` to an empty string inside the test files, which
reproduced the crash, then adding the changes introduced here with `$PATH` still
empty, which avoided the crash, indicating that the bundled Git executable is
working as expected.
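The pattern the second attempt describes, as an added example that is not code from the PR or from GitPython: decide whether the harness is running from a PyInstaller bundle, point GitPython's `GIT_PYTHON_GIT_EXECUTABLE` variable at the bundled binary, and only then import `git`. It assumes the binary was bundled at the bundle root under the name `git` (the `--add-binary` destination), and uses PyInstaller's `sys.frozen` / `sys._MEIPASS` runtime attributes for the check.

```python
import os
import sys
from typing import Callable, MutableMapping, Optional

# Environment variable GitPython consults at import time to locate the executable.
GIT_ENV_VAR = "GIT_PYTHON_GIT_EXECUTABLE"


def bundled_git_path(frozen: bool, bundle_dir: Optional[str], name: str = "git") -> Optional[str]:
    """Path of the bundled git binary when running from a PyInstaller bundle, else None.

    Assumption: build.sh bundled it with `--add-binary "<git>:."`, so it sits at the
    bundle root (sys._MEIPASS at runtime) under the name `git`.
    """
    if not frozen or bundle_dir is None:
        return None
    return os.path.join(bundle_dir, name)


def configure_git_executable(
    env: MutableMapping[str, str],
    frozen: bool,
    bundle_dir: Optional[str],
    is_file: Callable[[str], bool] = os.path.isfile,
) -> Optional[str]:
    """Set GIT_ENV_VAR to the bundled binary *before* `import git`.

    Returns the path written into `env`, or None when the harness is not frozen and a
    global `git` on $PATH is assumed. A frozen bundle that is missing the binary fails
    loudly here instead of crashing later inside GitPython's import hook.
    """
    path = bundled_git_path(frozen, bundle_dir)
    if path is None:
        return None
    if not is_file(path):
        raise FileNotFoundError(f"bundled git executable not found at {path}")
    env[GIT_ENV_VAR] = path
    return path


def load_gitpython():
    """Harness entry point: configure the executable, then import GitPython."""
    configure_git_executable(
        os.environ,
        frozen=bool(getattr(sys, "frozen", False)),   # set by PyInstaller bootloader
        bundle_dir=getattr(sys, "_MEIPASS", None),     # extraction dir of the bundle
    )
    import git  # safe now: the import-time lookup finds the bundled binary

    return git
```

Calling `load_gitpython()` at the top of each harness module, before any other GitPython import, reproduces the ordering the commit message relies on.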
