Support integration with luzer

[ligurio]

The patch enables using luzer for fuzzing Lua projects in OSS-Fuzz.

Usage:

sudo python infra/helper.py build_fuzzers lua-example
sudo python infra/helper.py check_build lua-example fuzz_basic
sudo python infra/helper.py run_fuzzer lua-example fuzz_basic

Closes #13782
Depends on ligurio/luzer#74

[github-actions]

ligurio is integrating a new project:
- Main repo: https://github.com/ligurio/luzer
- Criticality score: 0.23250

[ligurio]

@jonathanmetzman could you please review?

[jonathanmetzman]

I can take a look at this but to be honest we're concerned about the maintenance burden supporting Lua will impose and somewhat doubtful of the impact. Could you maybe help us with the latter? Is the electrical grid, or something else very important running on Lua?

[ligurio]

I can take a look at this but to be honest we're concerned about the maintenance burden supporting Lua will impose and somewhat doubtful of the impact.

Yeah, I remember this concern and took it into account when developing the patch. Hence, I avoid introducing the support for yet another language toolchain. Instead, my patch adds a wrapper generator for Lua tests and modifies the code to run these wrappers. The runtime itself will be compiled by the project. The patch with implementation is about 70 LOC, other changes is an example and documentation. I also want to say that I want to make this contribution on my own behalf, not on behalf of any company, so I'll be here; I won't run away immediately after the merge :)

Could you maybe help us with the latter?

There are two main scenarios for using Lua:

• First one is projects, where Lua is used as a standalone programming language. In this scenario, of course, you'd also want to test applications using fuzzing, but I agree with you, the impact is doubtful. Moreover, there are not so much projects written in Lua (but they exist: Kong API Gateway ¹, Prosody IM ², etc.).
• The second one scenario is projects, where Lua is embedded into C/C++ applications with C extensions, and I'm most concerned about this one, because there's a high risk of presence of the issues specific for C/C++. Testing Lua's API with LibFuzzer/AFL isn't very practical, so I suggest integrating a specialized fuzzing engine for Lua API. Like you did with Atheris, that supports fuzzing of native extensions written for CPython.

Is the electrical grid, or something else very important running on Lua?

Physicists at CERN use LuaJIT (the Just-In-Time compiler) for computing physics accelerator beams ³⁴.

Network infrastructure (applications and known Lua-related CVE's):

• Cloudflare uses Lua for programming LuaJIT-based WAF, latest outage was happen due to untested the second branch in a Lua condition ⁵⁶
• PowerDNS, CVE-2019-3806 ⁷⁸
• OpenResty (web platform based on NGINX and LuaJIT): CVE-2024-33452, CVE-2024-39702, CVE-2024-25178, CVE-2020-36309, CVE-2020-11724, CVE-2022-24834
• Redis: CVE-2025-49844 (RCE) ⁹, CVE-2025-46817 (RCE), CVE-2025-46818 (privilege escalation)
• HAProxy (HAProxy is used by a number of high-profile websites including GoDaddy, GitHub, Bitbucket, Stack Overflow, Reddit, Slack, Speedtest.net, Tumblr, Twitter and Tuenti and is used in the OpsWorks product from Amazon Web Services.)
• VoIP: FreeSWITCH and Asterisk ¹⁰
• Snort (IDS/IPS): CVE-2013-4863 / CVE-2016-6255, CVE-2024-20359, CVE-2023-20198
• Suricata (IDS/IPS): CVE-2025-64344 ¹¹
• Cisco (Cisco IOS SSL VPN ¹²): CVE-2025-41688
• NetBSD embedded Lua into the kernel (lua.4 ¹³, Scriptable Operating Systems with Lua ¹⁴)

Industrial cases:

• Volvo (Volvo cars like the V40 Cross Country embed Lua in their combined instrument panel)
• Fairino Robots ¹⁵, ¹⁶
• Automation using NodeMCU (This open-source hardware platform allows users to run Lua directly on the ESP8266 Wi-Fi chip.)
• Schneider Electric (SpaceLogic Room Controllers) ¹⁷, ¹⁸
• Samsung SmartThings ¹⁹

Footnotes

1. https://github.com/Kong/kong ↩

2. https://github.com/bjc/prosody/tree/master ↩

3. https://indico.cern.ch/event/487416/contributions/2174904/ ↩

4. https://videos.cern.ch/record/3016478 ↩

5. https://blog.cloudflare.com/5-december-2025-outage/ ↩

6. https://blog.cloudflare.com/tag/lua/ ↩

7. https://docs.powerdns.com/recursor/security-advisories/powerdns-advisory-2019-01.html ↩

8. https://doc.powerdns.com/recursor/lua-scripting/index.html ↩

9. https://redis.io/blog/security-advisory-cve-2025-49844/ ↩

10. https://developer.signalwire.com/freeswitch/FreeSWITCH-Explained/Databases/Lua-FreeSWITCH-Dbh_3965358/ ↩

11. https://github.com/OISF/suricata/security/advisories/GHSA-93fh-cgmc-w3rx ↩

12. https://www.cisco.com/c/en/us/support/docs/security/ios-ssl-vpn/224470-configure-lua-script-for-dap.html ↩

13. https://man.netbsd.org/lua.4 ↩

14. https://netbsd.org/~lneto/dls14.pdf ↩

15. https://www.fairino.be/tips/hands-on-with-lua-programming-fairino-cobots-made-simple ↩

16. https://fairino-doc-en.readthedocs.io/latest/LuaProgram/lua_intro.html ↩

17. https://www.se.com/uk/en/download/document/AN046/ ↩

18. https://www.se.com/ca/en/download/document/028-6163/ ↩

19. https://developer.smartthings.com/docs/devices/hub-connected/first-lua-driver ↩

[jonathanmetzman]

nit: Just do 2025

[ligurio]

Fixed:

--- a/projects/lua-example/build.sh
+++ b/projects/lua-example/build.sh
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# Copyright 2023-2025 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

[jonathanmetzman]

Needs a license header

[ligurio]

Fixed:

--- a/projects/lua-example/example_basic.lua
+++ b/projects/lua-example/example_basic.lua
@@ -1,3 +1,19 @@
+-- Copyright 2023-2025 Google LLC
+
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the
+-- License.
+-- You may obtain a copy of the License at
+
+--      http://www.apache.org/licenses/LICENSE-2.0
+
+-- Unless required by applicable law or agreed to in writing,
+-- software distributed under the License is distributed on an
+-- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+-- either express or implied.
+-- See the License for the specific language governing permissions
+-- and limitations under the License.
+
 local luzer = require("luzer")
 
 local function TestOneInput(buf)

[ligurio]

@jonathanmetzman The OSS Fuzz environment has some differences ¹ in comparison to usual Linux environment (for example, a name of sanitizers libraries and libclang_rt.fuzzer_no_main). What is a proper way to detect OSS Fuzz environment? There is no env like OSS_FUZZ among other env variables ².

Footnotes

1. https://github.com/ligurio/luzer/pull/74 ↩

2. https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/README.md#provided-environment-variables ↩

[jonathanmetzman]

Feel free to add one to base-images/base

[ligurio]

@jonathanmetzman this file will be used in every project for building wrappers for Lua tests. Where should we place it: in infra/base-images/base-builder/ (with other compile_*_fuzzer scripts), or in the project dirs (there will be some code duplication)?

[jonathanmetzman]

I'm going to double check that others internally don't think this is a bad idea before proceeding.

[jonathanmetzman]

Just 2025 for copyright.

[ligurio]

Fixed:

--- a/projects/lua-example/example_basic.lua
+++ b/projects/lua-example/example_basic.lua
@@ -1,12 +1,12 @@
--- Copyright 2023-2025 Google LLC
+-- Copyright 2025 Google LLC
 
 -- Licensed under the Apache License, Version 2.0 (the "License");
 -- you may not use this file except in compliance with the
 -- License.

[jonathanmetzman]

/gcbrun trial_build.py lua