fix(fuzz): strip uutils clap error chrome before banned-shape check #1627
Open
chaliy wants to merge 1 commit into
Yesterday's `Fuzz Testing` job on main went red again. `glob_fuzz`
inputs that contain the substring `/rustc/` make uutils `ls` (via clap)
emit its four-line error template that quotes the input verbatim:

```
error: unexpected argument '--i{fi/rustc/fi{{RRi' found
tip: to pass '--i{fi/rustc/fi{{RRi' as a value, use '-- ...'
Usage: ls [OPTION]... [FILE]...
For more information, try '--help'.
```

The `error:` line itself echoes the user input, so the banned host-path
shape `/rustc/` shows up in stderr even though no internal Debug
formatter ran. The PR #1623 strip filter only recognized `bash: ...`
and `ls: cannot access '...'` lines and missed this clap chrome.

Extend `is_real_shell_error_line` with a conservative clap-chrome
matcher: lines that begin with `error: ` and contain one of clap's
fixed argument-error fragments, lines that begin with ` tip: to pass
'...' as a value, use '...'`, well-formed `Usage: ` lines, and the
`For more information, try '...'` footer. Each branch is anchored on
strings clap emits literally — they do not occur in real Debug leaks.

The strict `assert_no_leak` path (used by per-builtin tests) is
unchanged: production builtins must never produce shell echoes.

Adds 4 unit tests in `testing::tests` covering the new strip paths
and confirming that look-alike lines without the clap shape (`error:
parser failed: Tok::Ident`, `Usage: see Span { for details`) are still
preserved so real leaks coexisting with shell chrome would trip.

Updates threat-model TM-INF-022 prose to document the carve-out.
Summary

Yesterday's `Fuzz Testing` job on `main` went red again. `glob_fuzz` inputs that contain `/rustc/` make uutils `ls` (via clap) emit its four-line error template that quotes the input verbatim:

The `error:` line echoes the user input, so the banned host-path shape `/rustc/` shows up in stderr even though no internal `Debug` formatter ran. PR #1623's strip filter only recognized `bash: …` and `ls: cannot access '…'` lines and missed this clap chrome — same crash class, different formatter.

Fix

Extend `is_real_shell_error_line` in `crates/bashkit/src/testing.rs` with a conservative clap-chrome matcher. Each branch is anchored on a string clap emits literally and that doesn't occur in real `Debug` leaks:

- `error:` lines containing one of clap's fixed fragments (`unexpected argument '`, `invalid value '`, `the argument '`, `unrecognized subcommand '`, `the following required arguments…`, `a value is required for '`, `equal sign is needed…`)
- `tip: to pass '…' as a value, use '…'`
- `Usage: <prog> [OPTION]... [FILE]...` / `--help` / `--version`
- `For more information, try '…'.` footer

Keeps the strict `assert_no_leak` path unchanged: production builtins must never produce shell echoes. `MAX_STDERR_BYTES` flood cap and the `FUZZ_HOST_CANARY` env-leak (TM-INF-013) check still run on the unfiltered stderr.

Threat-model TM-INF-022 prose updated to document the carve-out.

Test plan

- `testing::tests` cover both directions — strip the real failing block (`/rustc/` glued into `error: unexpected argument` + tip + Usage + footer), strip a stand-alone `invalid value '…'` line, keep `error: parser failed: Tok::Ident` (real internal leak that happens to start with `error:`), keep a `Usage: see Span { for details` look-alike that lacks the clap shape.
- `cargo test -p bashkit --lib testing::` green (12 tests)
- `cargo test -p bashkit --test proptest_security --all-features` green (18 cases)
- `cargo clippy -p bashkit --lib --tests -- -D warnings` clean
- `cargo fmt --check` clean
- `Fuzz Testing` on this branch green (manual dispatch after CI)

Generated by Claude Code
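
A stand-alone sketch of the filter-then-check idea this PR describes, added here as an example and not taken from bashkit's `testing.rs`. The names `is_clap_chrome` and `leaks_after_strip` and the sample stderr are hypothetical, and the fragment list is a subset of the one in the description.

```rust
// Added illustration, not bashkit's testing.rs; all names here are hypothetical.
// Subset of the clap fragments listed in the PR description.
const CLAP_ERROR_FRAGMENTS: [&str; 4] = [
    "unexpected argument '",
    "invalid value '",
    "unrecognized subcommand '",
    "a value is required for '",
];
const BANNED_SHAPE: &str = "/rustc/"; // the host-path shape named in the PR

/// True only for lines that match clap's literal error template.
fn is_clap_chrome(line: &str) -> bool {
    let t = line.trim_start();
    if let Some(rest) = t.strip_prefix("error: ") {
        return CLAP_ERROR_FRAGMENTS.iter().any(|f| rest.contains(*f));
    }
    if let Some(rest) = t.strip_prefix("tip: to pass '") {
        return rest.contains("' as a value, use '");
    }
    if let Some(rest) = t.strip_prefix("Usage: ") {
        // Well-formed here means: program name, then a bracketed placeholder.
        let mut words = rest.split_whitespace();
        return words.next().is_some() && words.next().map_or(false, |w| w.starts_with('['));
    }
    t.starts_with("For more information, try '")
}

/// Lines that survive the chrome filter and still contain the banned shape.
fn leaks_after_strip(stderr: &str) -> Vec<&str> {
    stderr
        .lines()
        .filter(|l| !is_clap_chrome(l))
        .filter(|l| l.contains(BANNED_SHAPE))
        .collect()
}

fn main() {
    // Constructed sample: the clap block from the PR plus one look-alike leak.
    let stderr = "error: unexpected argument '--i{fi/rustc/fi{{RRi' found\n\
                  \x20 tip: to pass '--i{fi/rustc/fi{{RRi' as a value, use '-- ...'\n\
                  Usage: ls [OPTION]... [FILE]...\n\
                  For more information, try '--help'.\n\
                  error: parser failed: Tok::Ident at /rustc/abc/lib.rs\n";
    for l in leaks_after_strip(stderr) {
        println!("leak: {}", l);
    }
}
```

In this sketch an `error:` line is dropped whenever one of the fragments appears anywhere in it, so the fragment list alone decides what the banned-shape check never sees.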