Adds continuous fuzzing for https://github.com/puma/puma — the default Ruby on Rails web server (547M+ downloads) — targeting its HTTP/1.1 request parser, which has a history of critical CVEs:

- CVE-2022-24790 (CRITICAL) — request smuggling, RFC7230 mismatch
- CVE-2023-40175 (CRITICAL) — request smuggling via chunked encoding
- CVE-2021-41136 — request smuggling via LF in header values
- CVE-2020-5247 — response splitting via CR/LF injection

Fuzz target:
- fuzz_http_parser: exercises http11_parser.c (Ragel-generated, 1057 LOC) via Puma::HttpParser#execute with two variants — standard parse and incremental (two-pass) parse.

Build notes:
- PUMA_DISABLE_SSL=1 skips mini_ssl.c (OpenSSL wrapper); parser only
- sed removes nio4r runtime dep from gemspec (not needed for HttpParser)
- Ragel-generated http11_parser.c is committed; no Ragel required at build

Seed corpus: 8 HTTP/1.1 requests covering GET, POST, chunked encoding, partial reads, and zero Content-Length (CVE-2023-40175 class).

Dictionary: HTTP methods, header names, CRLF sequences.
tranquac is integrating a new project:
nateberkopec suggested changes (Apr 13, 2026)
Co-authored-by: Nate Berkopec <nate.berkopec@gmail.com>
New Project: puma
Adds continuous fuzzing for https://github.com/puma/puma — the default Ruby on Rails web server with 547M+ downloads — targeting its HTTP/1.1 request parser.
Motivation
Puma's HTTP parser has a documented history of critical security CVEs:

- CVE-2022-24790 (CRITICAL) — request smuggling, RFC7230 mismatch
- CVE-2023-40175 (CRITICAL) — request smuggling via chunked encoding
- CVE-2021-41136 — request smuggling via LF in header values
- CVE-2020-5247 — response splitting via CR/LF injection
Continuous fuzzing would catch future regressions in this parser before they become security advisories.
Fuzz target
- fuzz_http_parser: exercises ext/puma_http11/http11_parser.c (Ragel-generated, 1057 LOC) via Puma::HttpParser#execute

Build notes
- PUMA_DISABLE_SSL=1 skips mini_ssl.c (OpenSSL TLS wrapper) — the fuzzer targets only the HTTP parser
- sed -i '/nio4r/d' puma.gemspec removes the nio4r runtime dependency, which is not needed for Puma::HttpParser and would otherwise cause MissingSpecError at load time
- http11_parser.c is already committed (Ragel-generated); no Ragel required at build time

Build verification
- build_image ✓
- build_fuzzers --sanitizer address ✓
- check_build --sanitizer address ✓

Seed corpus
8 HTTP/1.1 request fixtures: GET, POST with Content-Length, chunked encoding, OPTIONS, HEAD, partial request, and zero Content-Length + Transfer-Encoding (CVE-2023-40175 class).
Project maintainer: @nateberkopec (Nate Berkopec, nate.berkopec@gmail.com)
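The two-variant harness described under "Fuzz target" and the request categories under "Seed corpus", as an added example that is not code from this PR or from puma itself: it drives Puma::HttpParser#execute once over the whole input and once as two reads, then requires both paths to agree (same finished state, same bytes consumed, same env, or the same Puma::HttpParserError). It assumes puma's execute(env, data, start) calling convention, which returns the cumulative number of bytes consumed and is how Puma::Client re-enters the parser after each socket read; the split-point rule and the eight seed requests are constructed for this example. Body framing (whether Content-Length or Transfer-Encoding governs the body) is decided in Puma::Client after the parser returns, so the zero-Content-Length seed exercises the header parse, not the framing decision.

```ruby
# Added example, not part of the PR or of puma: a differential harness
# around Puma::HttpParser#execute, single-pass parse versus two-pass parse.
# Assumes puma's execute(env, data, start) convention (returns cumulative
# bytes consumed, raises Puma::HttpParserError on malformed input).
begin
  require 'puma/puma_http11'   # C extension that defines Puma::HttpParser
  PUMA_PARSER = true
rescue LoadError
  PUMA_PARSER = false          # example still loads; parsing is skipped
end

module HttpParserFuzz
  CRLF = "\r\n"

  # Constructed seed requests covering the categories named in the PR.
  SEED_REQUESTS = [
    "GET / HTTP/1.1#{CRLF}Host: example.test#{CRLF}#{CRLF}",
    "GET /a?b=c HTTP/1.1#{CRLF}Host: example.test#{CRLF}Accept: */*#{CRLF}#{CRLF}",
    "POST /submit HTTP/1.1#{CRLF}Host: example.test#{CRLF}Content-Length: 5#{CRLF}#{CRLF}hello",
    "POST /up HTTP/1.1#{CRLF}Host: example.test#{CRLF}Transfer-Encoding: chunked#{CRLF}#{CRLF}5#{CRLF}hello#{CRLF}0#{CRLF}#{CRLF}",
    "OPTIONS * HTTP/1.1#{CRLF}Host: example.test#{CRLF}#{CRLF}",
    "HEAD /index.html HTTP/1.1#{CRLF}Host: example.test#{CRLF}#{CRLF}",
    "GET /partial HTTP/1.1#{CRLF}Host: exam",                       # truncated read
    "POST /x HTTP/1.1#{CRLF}Host: example.test#{CRLF}Content-Length: 0#{CRLF}Transfer-Encoding: chunked#{CRLF}#{CRLF}",
  ].freeze

  def self.parser_available?
    PUMA_PARSER
  end

  # Offsets at which the two-pass variant cuts the input: one byte in,
  # the midpoint, and one byte before the end (deduplicated, ascending).
  # This rule is the example's own choice, not the PR's.
  def self.split_points(data)
    n = data.bytesize
    return [] if n < 2
    [1, n / 2, n - 1].uniq.sort
  end

  # Result of one parse attempt: :error, or [finished, nread, env].
  def self.standard_parse(data)
    parser = Puma::HttpParser.new
    env = {}
    nread = parser.execute(env, data, 0)
    [parser.finished?, nread, env]
  rescue Puma::HttpParserError
    :error
  end

  # Feed the first `split` bytes, then the full buffer from where the
  # parser stopped, mirroring how Puma::Client accumulates socket reads.
  def self.incremental_parse(data, split)
    parser = Puma::HttpParser.new
    env = {}
    nread = parser.execute(env, data.byteslice(0, split), 0)
    unless parser.finished? || nread >= data.bytesize
      nread = parser.execute(env, data, nread)
    end
    [parser.finished?, nread, env]
  rescue Puma::HttpParserError
    :error
  end

  # Differential check: every split must reproduce the single-pass result.
  # Returns true when consistent; raises with details otherwise, which is
  # what a fuzzer would report as a crash.
  def self.check(data)
    expected = standard_parse(data)
    split_points(data).each do |split|
      got = incremental_parse(data, split)
      if got != expected
        raise "parser state differs at split #{split}: #{expected.inspect} vs #{got.inspect}"
      end
    end
    true
  end

  # Per-input entry point a libFuzzer-style Ruby harness would call.
  def self.fuzz_one(data)
    check(data)
  end
end

if __FILE__ == $0 && HttpParserFuzz.parser_available?
  HttpParserFuzz::SEED_REQUESTS.each { |req| HttpParserFuzz.check(req) }
  puts "all #{HttpParserFuzz::SEED_REQUESTS.size} seeds parse consistently"
end
```

Run it with the puma gem on the load path to exercise the real parser; the comparison of the env hash is what turns a path-dependent parse (a header value or byte count that differs depending on where the read boundary falls) into a reported failure rather than a silent divergence.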