Add local fuzz testing setup for httpmorph before considering OSS-Fuzz integration
I want to introduce a lightweight fuzzing setup for httpmorph to catch edge-case bugs and improve the library’s robustness before moving toward a full OSS-Fuzz integration.
🎯 Goal
Start with a local fuzzing workflow that can run on my machine or CI (e.g., GitHub Actions) without relying on Google’s OSS-Fuzz infrastructure. Once the harnesses are mature and cover key components, I’ll consider submitting httpmorph to OSS-Fuzz for continuous large-scale testing.
🧩 Plan
- Add basic fuzz harnesses using [Atheris](https://github.com/google/atheris) (Python coverage-guided fuzzer) targeting core functions such as:
  - URL parsing and normalization
  - Header parsing and request construction
  - Response parsing (status line, headers, chunked bodies)
- Run fuzzing locally with:

  ```
  python3 -m pip install atheris
  python3 fuzz_parse_request.py
  ```
- Integrate with CI to run short fuzz sessions on pull requests — for example, using GitHub Actions with a time limit (e.g., 60 s per harness).
- Collect crash inputs and create reproducible test cases to fix discovered issues early.
🧠 Benefits
- Detect unexpected exceptions, parsing errors, or logic bugs before they reach users.
- Build a stable foundation for later OSS-Fuzz adoption.
- Keep the process fast and developer-friendly (no complex infrastructure needed yet).
Once I’m confident in the fuzz harness coverage and results, I’ll open a follow-up issue about integrating httpmorph into OSS-Fuzz for continuous large-scale fuzzing.
— Arman ([@arman-bd](https://github.com/arman-bd))
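
A sketch of what `fuzz_parse_request.py` from the plan above could look like, as an added example that is not code from this issue or from the httpmorph project. `parse_request` is a hypothetical stand-in for the real parser (httpmorph's API is not shown here) and is deliberately lenient about bare LF so the harness invariant has something to catch; `replay` is likewise an assumed helper name.

```python
"""fuzz_parse_request.py: Atheris harness sketch (added example, not project code)."""
import sys


def parse_request(raw: bytes):
    """Hypothetical stand-in target; swap in the real httpmorph parser.

    Returns (method, target, headers); raises ValueError on malformed input.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing end of headers")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise ValueError("bad header line")
        headers[name.lower()] = value.strip()
    return parts[0], parts[1], headers


def TestOneInput(data: bytes) -> None:
    """Fuzz entry point: ValueError is a clean rejection, anything else is a finding."""
    try:
        _method, target, headers = parse_request(data)
    except ValueError:
        return
    # Invariants on accepted input; an AssertionError is reported as a crash.
    assert b"\r" not in target and b"\n" not in target
    assert all(b"\n" not in v for v in headers.values())


def replay(path: str) -> None:
    """Re-run one saved crash input outside the fuzzer, e.g. from a regression test."""
    with open(path, "rb") as fh:
        TestOneInput(fh.read())


if __name__ == "__main__":
    import atheris  # lazy import so replay() works without the fuzzer installed

    atheris.instrument_all()
    atheris.Setup(sys.argv, TestOneInput)
    atheris.Fuzz()
```

Atheris forwards libFuzzer options, so the 60 s CI budget maps to `python3 fuzz_parse_request.py -max_total_time=60`, and each saved crash file can be fed to `replay()` from a unit test.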