Implement fuzztesting.

.github/workflows/run-ci-cd.yaml

@@ -233,8 +233,40 @@ jobs:
       - name: Set up Docker buildx
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 
-      - name: Setup E2E environment
-        uses: ./.github/workflows/setup-e2e-environment
+      - name: Setup Backend environment
+        uses: ./.github/workflows/setup-backend-environment
+        with:
+          db_username: nest_user_e2e
+          db_name: nest_db_e2e
+
+      - name: Start Backend in the background
+        run: |
+          docker run -d --rm --name e2e-nest-backend \
+            --env-file backend/.env.e2e.example \
+            --network host \
+            -e DJANGO_DB_HOST=localhost \
+            -p 9000:9000 \
+            owasp/nest:test-backend-latest \
+            sh -c '
+              python manage.py migrate &&
+              gunicorn wsgi:application --bind 0.0.0.0:9000
+          '
+
+      - name: Waiting for the backend to be ready
+        run: |
+          timeout 5m bash -c '
+            until wget --spider http://localhost:9000/a; do
+              echo "Waiting for backend..."
+              sleep 5
+            done
+          '
+          echo "Backend is up!"
+
+      - name: Load Postgres data
+        env:
+          PGPASSWORD: nest_user_e2e_password
+        run: |
+          pg_restore -h localhost -U nest_user_e2e -d nest_db_e2e < backend/data/nest.dump
 
       - name: Build frontend end-to-end testing image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
@@ -267,6 +299,99 @@ jobs:
             echo "release_version=$(date '+%y.%-m.%-d')-${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
           fi
 
+  run-fuzz-tests:
+    name: Run fuzz tests
+    needs:
+      - scan-code
+      - scan-ci-dependencies
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    services:
+      db:
+        image: pgvector/pgvector:pg16
+        env:
+          POSTGRES_DB: nest_db_fuzz
+          POSTGRES_PASSWORD: nest_user_fuzz_password
+          POSTGRES_USER: nest_user_fuzz
+        options: >-
+          --health-cmd="pg_isready -U nest_user_fuzz -d nest_db_fuzz -h localhost -p 5432"
+          --health-interval=5s
+          --health-timeout=5s
+          --health-retries=5
+        ports:
+          - 5432:5432
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+
+      - name: Setup Backend environment
+        uses: ./.github/workflows/setup-backend-environment
+        with:
+          db_username: nest_user_fuzz
+          db_name: nest_db_fuzz
+
+      - name: Run backend with fuzz environment variables
+        run: |
+          docker run -d --rm --name fuzz-nest-backend \
+            --env-file backend/.env.fuzz.example \
+            --network host \
+            -e DJANGO_DB_HOST=localhost \
+            -p 9500:9500 \
+            owasp/nest:test-backend-latest \
+            sh -c '
+              python manage.py migrate &&
+              gunicorn wsgi:application --bind 0.0.0.0:9500
+            '
+
+      - name: Waiting for the backend to be ready
+        run: |
+          timeout 5m bash -c '
+            until wget --spider http://localhost:9500/a; do
+              echo "Waiting for backend..."
+              sleep 5
+            done
+          '
+          echo "Backend is up!"
+
+      - name: Load Postgres data
+        env:
+          PGPASSWORD: nest_user_fuzz_password
+        run: |
+          pg_restore -h localhost -U nest_user_fuzz -d nest_db_fuzz < backend/data/nest.dump
+
+      - name: Build Fuzz-testing image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          cache-from: |
+            type=gha
+            type=registry,ref=owasp/nest:test-fuzz-backend-cache
+          cache-to: |
+            type=gha,compression=zstd
+          context: backend/docker
+          file: backend/docker/Dockerfile.fuzz
+          load: true
+          platforms: linux/amd64
+          tags: owasp/nest:test-fuzz-backend-latest
+
+      - name: Run backend fuzz tests
+        run: |
+          mkdir -p ${{ github.workspace }}/fuzzing_results &&
+          chmod -R 777 ${{ github.workspace }}/fuzzing_results &&
+          docker run -e BASE_URL=http://localhost:9500 --network host \
+          -v ${{ github.workspace }}/fuzzing_results:/home/owasp/fuzzing_results \
+          owasp/nest:test-fuzz-backend-latest
+
+      - name: Upload fuzzing results
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
+        if: always()
+        with:
+          name: fuzzing-results
+          path: fuzzing_results/
+          retention-days: 30
+
   build-staging-images:
     name: Build Staging Images
     env:

.github/workflows/setup-backend-environment/action.yaml

@@ -0,0 +1,44 @@
+name: Set up Backend environment
+
+description: Sets up the Backend environment testing.
+
+inputs:
+  db_username:
+    description: 'Database username'
+    required: true
+  db_name:
+    description: 'Database name'
+    required: true
+
+runs:
+    using: composite
+    steps:
+      - name: Wait for database to be ready
+        env:
+          DB_USERNAME: ${{ inputs.db_username }}
+          DB_NAME: ${{ inputs.db_name }}
+        run: |
+          timeout 5m bash -c '
+            until docker exec ${{ job.services.db.id }} pg_isready -U $DB_USERNAME -d $DB_NAME; do
+              echo "Waiting for database..."
+              sleep 5
+            done
+          '
+        shell: bash
+
+      - name: Install PostgreSQL client
+        run: sudo apt-get install -y postgresql-client
+        shell: bash
+
+      - name: Build backend image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          cache-from: |
+            type=gha
+          cache-to: |
+            type=gha,compression=zstd
+          context: backend
+          file: backend/docker/Dockerfile
+          load: true
+          platforms: linux/amd64
+          tags: owasp/nest:test-backend-latest

.github/workflows/update-nest-test-images.yaml

@@ -72,3 +72,16 @@ jobs:
           platforms: linux/amd64
           push: true
           tags: owasp/nest:test-frontend-e2e-latest
+
+      - name: Build and push fuzz-test-backend image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          cache-from: type=registry,ref=owasp/nest:test-fuzz-backend-cache
+          cache-to: |
+            type=gha,compression=zstd
+            type=registry,ref=owasp/nest:test-fuzz-backend-cache
+          context: backend/docker
+          file: Dockerfile.fuzz
+          platforms: linux/amd64
+          push: true
+          tags: owasp/nest:test-fuzz-backend-latest

.gitignore

@@ -4,10 +4,12 @@ __pycache__
 .cache
 .coverage
 .cursor/rules/snyk_rules.mdc
+backend/fuzzing_results/
 .DS_Store
 .env*
 !.env.example
 !.env.e2e.example
+!.env.fuzz.example
 .github/instructions/snyk_rules.instructions.md
 .idea
 .lighthouseci/
@@ -44,3 +46,6 @@ logs
 node_modules/
 TODO
 venv/
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.cursor/rules/snyk_rules.mdc

CONTRIBUTING.md

@@ -417,31 +417,59 @@ make test
 This command runs tests and checks that coverage threshold requirements are satisfied for both backend and frontend.
 **Please note your PR won't be merged if it fails the code tests checks.**
 
-### Setting Up e2e Testing Environment
+### Running e2e Tests
 
-Follow these steps to setup your e2e testing environment:
+Run the frontend e2e tests with the following command:
 
-1. Make sure you have `gzip` installed on your machine.
+```bash
+make test-frontend-e2e
+```
 
-2. Run the e2e backend instance with the following command:
+This command automatically:
 
-   ```bash
-   make run-backend-e2e
-   ```
+- Starts the database and backend containers
+- Runs migrations and loads test data
+- Executes the e2e tests
+- Cleans up containers when done
 
-3. Load the data into the e2e db with the following command (in another terminal session):
+For debugging, you can run the e2e backend separately:
 
-   ```bash
-   make load-data-e2e
-   ```
+```bash
+make run-backend-e2e
+```
 
-4. Now, you can stop the backend instance, and run the frontend e2e tests with the following command:
+Then load data manually in another terminal:
 
-   ```bash
-   make test-frontend-e2e
-   ```
+```bash
+make load-data-e2e
+```
+
+### Running Fuzz Tests
 
-**Please note that you only need to do these steps once.**
+Run the fuzz tests with the following command:
+
+```bash
+make test-fuzz
+```
+
+This command automatically:
+
+- Starts the database and backend containers
+- Runs migrations and loads test data
+- Executes the fuzz tests
+- Cleans up containers when done
+
+For debugging, you can run the fuzz backend separately:
+
+```bash
+make run-backend-fuzz
+```
+
+Then load data manually in another terminal:
+
+```bash
+make load-data-fuzz
+```
 
 ### Test Coverage
 

backend/.env.fuzz.example

@@ -0,0 +1,23 @@
+DJANGO_ALGOLIA_APPLICATION_ID=None
+DJANGO_ALGOLIA_EXCLUDED_LOCAL_INDEX_NAMES=None
+DJANGO_ALGOLIA_WRITE_API_KEY=None
+DJANGO_ALLOWED_HOSTS=*
+DJANGO_AWS_ACCESS_KEY_ID=None
+DJANGO_AWS_SECRET_ACCESS_KEY=None
+DJANGO_SETTINGS_MODULE=settings.fuzz
+DJANGO_CONFIGURATION=Fuzz
+DJANGO_DB_HOST=db
+DJANGO_DB_NAME=nest_db_fuzz
+DJANGO_DB_USER=nest_user_fuzz
+DJANGO_DB_PASSWORD=nest_user_fuzz_password
+DJANGO_DB_PORT=5432
+DJANGO_OPEN_AI_SECRET_KEY=None
+DJANGO_PUBLIC_IP_ADDRESS="127.0.0.1"
+DJANGO_REDIS_HOST=None
+DJANGO_REDIS_PASSWORD=None
+DJANGO_RELEASE_VERSION=None
+DJANGO_SECRET_KEY=None
+DJANGO_SENTRY_DSN=None
+DJANGO_SLACK_BOT_TOKEN=None
+DJANGO_SLACK_SIGNING_SECRET=None
+GITHUB_TOKEN=None