Add OSS-Fuzz integration for pgx: Top Go PostgreSQL driver — sanitizer bypass = SQL injection in healthcare/finance #15668
pgx (10K+ stars) is the most performant PostgreSQL driver for Go. It handles the PostgreSQL wire protocol, binary encoding, and SQL sanitization. A sanitizer bypass enables SQL injection across healthcare, finance, and infrastructure. 4 fuzz targets with Dockerfile, build.sh, fuzz_test.go, and project.yaml. Sanitizers: address, memory. Engine: libfuzzer (Go native fuzz). All targets verified with go test -fuzz=. -fuzztime=30s.
canolgun-commits is integrating a new project:
DavidKorczynski
left a comment
waiting for the points in my earlier review to be addressed: #15627 (review)
@DavidKorczynski Thank you for the review. Upstream PR with fuzz harness has been submitted. Coordination with maintainers is in progress. Upstream PR: jackc/pgx#2577 Criticality: 93/100 — pgx is the top Go PostgreSQL driver (healthcare/finance). A SQL sanitizer bypass = direct SQL injection in regulated systems.
Criticality Score: 64/100
Data sources: GitHub API, NVD CVE database. Run by criticality-scorer v1.0.
@DavidKorczynski Status update: Upstream PR: https://github.com/jackc/pgx#2577 The fuzz harness has been submitted upstream. We are waiting for maintainer review/merge. Once merged, this OSS-Fuzz integration is ready.
@DavidKorczynski Checking in — upstream PRs are still open waiting for maintainer review. Is there anything else we can do to move these forward?
Upstream PR created: jackc/pgx#2577 (Go fuzz tests for OSS-Fuzz integration) Maintainer review pending. Criticality: pgx is the dominant Go PostgreSQL driver (10K+ stars, 30+ GHSA). SQL injection in pgx = universal database compromise across Go ecosystem. @DavidKorczynski ready for re-review.
See branch for full criticality justification and fuzz targets.