[Hackathon] Implement Fuzz Testing for Internal Functions & API Endpoints

[rsdmike]

🔹 Overview

Fuzz testing is a powerful method for uncovering unexpected errors, security vulnerabilities, and edge cases by supplying randomized inputs.

For this task, we will explore two types of fuzzing in console, each should be their own PR:

1. Go's built-in fuzzing (testing.F) to test internal functions for unexpected panics or incorrect behaviors. https://go.dev/doc/security/fuzz/
2. RESTler API fuzzing to test configuration-related API endpoints for robustness. https://github.com/microsoft/restler-fuzzer

🚨 Scope Exclusion

We are excluding fuzzing for device-related API calls and instead focusing on configuration endpoints, ensuring that invalid sequences of operations do not cause unintended issues.

🎯 Task Scope

1️⃣ Go Fuzzing (Internal Functions)

• Identify and select key internal functions that process user input or handle data transformations.
• Implement Go fuzz tests (testing.F) to test these functions with randomized inputs.
• Ensure fuzzing runs successfully (go test -fuzz).

2️⃣ RESTler API Fuzzing (Configuration Endpoints)

• Set up RESTler for API fuzzing.
• Target the following configuration endpoints:
  • POST /ciraconfigs
  • POST /domains
  • POST /wificonfigs
  • POST /ieee8021xconfigs
  • POST /profiles
• Ensure that API fuzzing respects order of operations:
  • Example: A profile that is ACM, CIRA, and Wireless cannot be created until:
    1. A CIRA config exists.
    2. A Wireless config exists.
    3. The domain is registered.
• Validate that RESTler does not generate invalid request sequences that violate these dependencies.

3️⃣ GitHub Actions Integration

• Set up a GitHub Actions workflow to run fuzz testing automatically.
• Ensure that results/logs are captured and reviewed for anomalies.

📂 Relevant Files

• internal/... (Go functions to be fuzzed)
• cmd/main.go (may need modification for testability)
• .github/workflows/fuzzing.yml (to be created for CI)
• docs/fuzzing.md (to document fuzzing setup and usage)

💻 Technical Details

• Go Fuzzing:

  • Use testing.F for internal function fuzzing.
  • Target functions that parse, validate, or process input.
  • Ensure testability by refactoring if needed.

• RESTler API Fuzzing:

  • Define valid request dependencies to ensure valid API interactions.
  • Configure RESTler dictionary & grammar to avoid impossible scenarios.
  • Use long-running fuzz tests (e.g., 10,000+ requests) to detect issues.

• GitHub Actions Integration:

  • Configure fuzz tests to run periodically (e.g., daily).
  • Ensure logs & crash reports are captured.

✅ Acceptance Criteria

• At least one Go fuzz test is implemented and runs successfully.
• RESTler is configured and able to fuzz configuration endpoints.
• API fuzzing respects dependency order and does not generate invalid requests.
• A GitHub Actions workflow runs fuzz tests.
• Findings and recommendations for future fuzzing improvements are documented.
• A Pull Request (PR) is submitted summarizing the work.

🚀 How to Get Started

1. Comment below to claim this issue.
2. Fork the repo and create a branch (e.g., feature/fuzz-testing). Recommend a different branch for RESTler vs Go Fuzzing Tools
3. Implement Go fuzzing for internal functions.
4. Set up RESTler for API fuzzing.
5. Integrate fuzz tests into GitHub Actions.
6. Submit a Pull Request (PR) linking this issue.

📎 Additional Notes

• This task is exploratory—documenting findings and roadblocks is valuable.
• If fuzz testing exposes a bug, consider opening a separate issue to track it.
• If API fuzzing proves complex, provide recommendations for improving test automation.
• Since this task is related to: [Hackathon] Explore and Implement Fuzz Testing for CLI Input in rpc-go rpc-go#763 , recommended to sync up/pair program and at the very least have commonality between implementation for structure and running tools as it pertains to Go Fuzz.

[rabipaikaray]

@divneil-intel request you to review this Fuzzing requirement.