[django-fuzzers] Initial integration. (#2579)

* [django-fuzzers]

* [django] Update auto_ccs

* [django] Pack seed corpus. util -> utils.

projects/django/Dockerfile

@@ -0,0 +1,23 @@
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder
+MAINTAINER guidovranken@gmail.com
+RUN apt-get install -y build-essential libncursesw5-dev libreadline-dev libssl-dev libgdbm-dev libc6-dev libsqlite3-dev tk-dev libbz2-dev zlib1g-dev libffi-dev wget
+RUN wget https://github.com/python/cpython/archive/v3.8.0b2.tar.gz
+RUN git clone --depth 1 https://github.com/guidovranken/django-fuzzers.git
+RUN git clone --depth 1 https://github.com/django/django.git
+COPY build.sh $SRC/

projects/django/build.sh

@@ -0,0 +1,72 @@
+#!/bin/bash -eu
+# Copyright 2019 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+# Ignore memory leaks from python scripts invoked in the build
+export ASAN_OPTIONS="detect_leaks=0"
+export MSAN_OPTIONS="halt_on_error=0:exitcode=0:report_umrs=0"
+
+# Remove -pthread from CFLAGS, this trips up ./configure
+# which thinks pthreads are available without any CLI flags
+CFLAGS=${CFLAGS//"-pthread"/}
+
+FLAGS=()
+case $SANITIZER in
+  address)
+    FLAGS+=("--with-address-sanitizer")
+    ;;
+  memory)
+    FLAGS+=("--with-memory-sanitizer")
+    # installing ensurepip takes a while with MSAN instrumentation, so
+    # we disable it here
+    FLAGS+=("--without-ensurepip")
+    # -msan-keep-going is needed to allow MSAN's halt_on_error to function
+    FLAGS+=("CFLAGS=-mllvm -msan-keep-going=1")
+    ;;
+  undefined)
+    FLAGS+=("--with-undefined-behavior-sanitizer")
+    ;;
+esac
+
+export CPYTHON_INSTALL_PATH=$OUT/cpython-install
+rm -rf $CPYTHON_INSTALL_PATH
+mkdir $CPYTHON_INSTALL_PATH
+
+tar zxf v3.8.0b2.tar.gz
+cd cpython-3.8.0b2/
+cp $SRC/django-fuzzers/python_coverage.h Python/
+
+# Patch the interpreter to record code coverage
+sed -i '1 s/^.*$/#include "python_coverage.h"/g' Python/ceval.c
+sed -i 's/case TARGET\(.*\): {/\0\nfuzzer_record_code_coverage(f->f_code, f->f_lasti);/g' Python/ceval.c
+
+./configure "${FLAGS[@]}" --prefix=$CPYTHON_INSTALL_PATH
+make -j$(nproc)
+make install
+
+rm -rf $OUT/django-dependencies
+mkdir $OUT/django-dependencies
+$CPYTHON_INSTALL_PATH/bin/pip3 install asgiref pytz sqlparse -t $OUT/django-dependencies
+
+cd $SRC/django-fuzzers
+rm $CPYTHON_INSTALL_PATH/lib/python3.8/lib-dynload/_tkinter*.so
+make
+
+cp -R $SRC/django/* $OUT/
+
+cp $SRC/django-fuzzers/fuzzer-utils $OUT/
+cp $SRC/django-fuzzers/utils.py $OUT/
+zip -j $OUT/fuzzer-utils_seed_corpus.zip $SRC/django-fuzzers/corp-utils/*

projects/django/project.yaml

@@ -0,0 +1,8 @@
+homepage: "https://www.djangoproject.com/"
+primary_contact: "guidovranken@gmail.com"
+auto_ccs:
+ - "f.apolloner+django@gmail.com"
+ - "info+django+security@markusholtermann.eu"
+sanitizers:
+ - address
+ - undefined