Add best-practices-badge to OSS-Fuzz #15467
Open
david-a-wheeler wants to merge 1 commit into
The [OpenSSF Best Practices Badge](https://www.bestpractices.dev/) is the Linux Foundation / OpenSSF's official security-badging system for free and open source software. Over **10,000 open source software projects** have registered, including critical infrastructure such as the Linux kernel, curl, OpenSSL, Node.js, and Kubernetes. It provides security criteria to help these projects determine valuable next steps, as well as showing the world how well they're doing.

Like all web applications, the application is under continuous attack. It is publicly accessible, widely known, and serves as security infrastructure for the broader open source ecosystem. A vulnerability in the badge application could:

- Yield **remote code execution** on infrastructure that thousands of projects depend on to demonstrate their security posture
- Allow corruption or forgery of badge status of arbitrary projects, undermining trust in the badging system globally
- Expose private data (in particular encrypted maintainer emails)

The most dangerous attack surfaces are the input-processing pipelines that handle untrusted data from project maintainers worldwide: URL fields and free-text markdown justification fields.

The application is a Ruby on Rails web app. Two [Ruzzy](https://github.com/trailofbits/ruzzy)-based harnesses target the security-critical input paths. We intend to eventually do more, but we wanted to start with specific improvements.

First harness: loads the real `UrlValidator` class (`app/validators/url_validator.rb`) via ActiveModel. Exercises:

- The custom `URL_REGEX` pattern for ReDoS via catastrophic backtracking
- The percent-decode → `force_encoding('UTF-8')` pipeline for encoding attacks

Second harness: targets `MarkdownProcessor.render` (`app/lib/markdown_processor.rb` + `app/lib/invoke_commonmarker.rb`). Exercises all three code paths:

- `PREFIXED_URL_REGEX` fast path: ReDoS risk in a complex possessive-quantifier regex
- `MARKDOWN_UNNECESSARY` fast path: ReDoS risk in a large multi-guard regex
- CommonMarker (Rust/comrak) HTML generation + URL-protocol sanitization (`javascript:`, `data:`, and other dangerous schemes stripped to prevent XSS)

- **Language:** Ruby
- **Fuzzing library:** [Ruzzy](https://github.com/trailofbits/ruzzy) (Trail of Bits), which wraps libFuzzer
- **Engine:** libFuzzer only. Ruzzy does not support AFL, honggfuzz, or centipede
- **Sanitizers:** AddressSanitizer and UndefinedBehaviorSanitizer; MemorySanitizer is excluded because it requires every dependency to be fully instrumented, which is not feasible for Ruby's native C/Rust extensions
- **Dependencies:** `activemodel` (for `UrlValidator`) and `commonmarker` (Rust-backed CommonMark parser); commonmarker ships a pre-built `x86_64-linux` native gem so no Rust toolchain is needed in the image
- **Harnesses:** maintained in the project repository at `script/fuzz_*.rb`; `build.sh` clones the repo and references them directly so they stay in sync

- Production site: <https://www.bestpractices.dev/>
- Source repository: <https://github.com/coreinfrastructure/best-practices-badge>
- Security policy: <https://github.com/coreinfrastructure/best-practices-badge/blob/main/SECURITY.md>
- Vulnerability reports: <https://github.com/coreinfrastructure/best-practices-badge/security/advisories/new>

In the longer term we expect to move the GitHub location to the OpenSSF GitHub organization (ossf), but it's not clear when that will occur (it won't be soon).

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>
Signed-off-by: David A. Wheeler <ddwheeler@linuxfoundation.org>
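The percent-decode → `force_encoding('UTF-8')` pipeline named in the PR description is the kind of path a fuzzer breaks quickly, and it is worth seeing why before reading the harnesses. What follows is an added example, not code from this PR, from OSS-Fuzz, or from the best-practices-badge repository: a Ruzzy-shaped harness around a hypothetical URL check. `URL_PATTERN`, `percent_decode_utf8` and the other helper names are assumptions standing in for the project's real `URL_REGEX` and `UrlValidator`, and the seed inputs are constructed. The unhardened check shows the failure mode: `%FF` decodes to a byte string that is labelled UTF-8 but is not valid UTF-8, and Ruby raises `ArgumentError` as soon as any regex touches it. The hardened check rejects such input with `valid_encoding?` before a regex sees it.

```ruby
# frozen_string_literal: true

# Hypothetical stand-in for a validator's URL pattern (NOT the project's URL_REGEX).
URL_PATTERN = %r{\Ahttps?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s]*)?\z}

# Percent-decode on raw bytes, then relabel the result as UTF-8.
# force_encoding does no transcoding and no validation: whatever bytes the
# decoder produced are now claimed to be UTF-8, valid or not.
def percent_decode_utf8(input)
  input.b
       .gsub(/%([0-9A-Fa-f]{2})/) { [Regexp.last_match(1).hex].pack('C') }
       .force_encoding(Encoding::UTF_8)
end

# Unhardened check: the regex runs on whatever came out of the decoder.
# On an invalid UTF-8 string Ruby raises ArgumentError ("invalid byte sequence
# in UTF-8") from the regex engine itself, which a fuzzer reports as a crash.
def url_valid_unhardened?(input)
  URL_PATTERN.match?(percent_decode_utf8(input))
end

# Hardened check: refuse byte sequences that are not valid UTF-8 before any
# regex (or any later code) gets to see them.
def url_valid_hardened?(input)
  decoded = percent_decode_utf8(input)
  return false unless decoded.valid_encoding?

  URL_PATTERN.match?(decoded)
end

# Harness body in the shape Ruzzy expects: a callable that takes one byte
# string and returns 0. Any exception that escapes is treated as a finding,
# so only the hardened path is safe to hand to the fuzzer as-is.
TEST_ONE_INPUT = lambda do |data|
  url_valid_hardened?(data)
  0
end

# Triage helper: what a crash-reproducer script would report for one input.
def classify(input)
  decoded = percent_decode_utf8(input)
  { valid_utf8: decoded.valid_encoding?, accepted: url_valid_hardened?(input) }
end

if $PROGRAM_NAME == __FILE__
  begin
    require 'ruzzy' # only present inside a Ruzzy-built fuzzing image
    Ruzzy.fuzz(TEST_ONE_INPUT)
  rescue LoadError
    # Constructed seeds for running offline without the fuzzer.
    seeds = [
      'https://example.org/x',
      'https://example.org/%E2%9C%93', # valid multi-byte UTF-8 after decoding
      'https://example.org/%FF'        # single byte that is never valid UTF-8
    ]
    seeds.each { |seed| puts "#{seed.inspect} => #{classify(seed)}" }
  end
end
```

Run it with plain `ruby` to see the three seeds classified; inside a Ruzzy image the same lambda is handed to `Ruzzy.fuzz`. The general rule the example illustrates: after `force_encoding`, either check `valid_encoding?` or `scrub` the string before it reaches a regex, a database layer, or the template engine. ReDoS in the real `URL_REGEX` is a separate concern that this example does not cover; that is what the instrumented libFuzzer run in the PR is for.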
david-a-wheeler is integrating a new project: