vibe-fuzz-parser-inputs
npx machina-cli add skill ash1794/vibe-engineering/fuzz-parser-inputs --openclawvibe-fuzz-parser-inputs
Every parser will eventually see input you didn't expect. Fuzz testing finds the crashes before production does.
When to Use This Skill
- Implementing any parser (YAML, JSON, XML, config, DSL)
- Processing user-supplied input
- Handling webhook payloads or API responses
- Parsing file formats
When NOT to Use This Skill
- The parser is a well-tested standard library (e.g.,
encoding/json) - You're only reading known, controlled input
- The parser is trivial (e.g., splitting a string by comma)
Steps
Go Fuzz Tests
-
Create fuzz test file (
parser_fuzz_test.go):func FuzzParseConfig(f *testing.F) { // Seed corpus from existing test fixtures files, _ := filepath.Glob("testdata/*.yaml") for _, file := range files { data, _ := os.ReadFile(file) f.Add(data) } // Add targeted seeds f.Add([]byte("")) // empty f.Add([]byte("{}")) // minimal valid f.Add([]byte("\x00\x00")) // binary f.Fuzz(func(t *testing.T, data []byte) { // Should never panic result, err := ParseConfig(data) if err != nil { return // errors are fine } // If no error, result should be valid if result.Name == "" { t.Error("parsed successfully but Name is empty") } }) } -
Seed the corpus from:
- Existing test fixtures
- Real production examples
- Known edge cases
- Minimally valid inputs
- Binary/garbage data
-
Run initial fuzz:
go test -fuzz=FuzzParseConfig -fuzztime=30s -
Record results:
- Crashes found
- New corpus entries generated
- Edge cases discovered
-
Fix crashes -- Every panic or unexpected behavior becomes a permanent test case
Other Languages
- JavaScript/TypeScript: Use
jest-fuzzorfast-checkproperty-based testing - Python: Use
hypothesisfor property-based testing - Rust: Use
cargo-fuzzwithlibfuzzer
Output Format
Fuzz Test: [Parser Name]
Seeds: X (Y from fixtures, Z manual) Duration: [fuzz time] Corpus growth: X -> Y entries (Z% expansion) Crashes found: N
| # | Input (hex) | Crash Type | Fix |
|---|---|---|---|
| 1 | \x00\xff... | nil panic in tokenizer | Added nil check at line 42 |
New Edge Cases Discovered
- [Description] -- added as permanent test case
Source
git clone https://github.com/ash1794/vibe-engineering/blob/master/skills/fuzz-parser-inputs/SKILL.mdView on GitHub Overview
vibe-fuzz-parser-inputs helps you generate fuzz test scaffolding for parsers that handle external input like YAML, JSON, config files, and user data. It seeds the corpus from existing fixtures and runs an initial fuzz pass to surface crashes early.
How This Skill Works
It provides a Go fuzz test pattern (example in parser_fuzz_test.go) that seeds the corpus from testdata/*.yaml and additional seeds (empty input, minimal valid input, and binary data). It then executes fuzzing with FuzzParseConfig to ensure the parser does not panic and produces valid results when possible.
When to Use It
- Implementing any parser (YAML, JSON, XML, config, DSL)
- Processing user-supplied input
- Handling webhook payloads or API responses
- Parsing file formats
- CI-driven parser maintenance to catch regressions
Quick Start
- Step 1: Create fuzz test file parser_fuzz_test.go with a FuzzParseConfig function and seed from testdata/*.yaml
- Step 2: Seed the corpus with existing fixtures, real examples, and edge cases (including empty and binary inputs)
- Step 3: Run: go test -fuzz=FuzzParseConfig -fuzztime=30s
Best Practices
- Seed the corpus from existing test fixtures and real production examples
- Include edge cases and minimal valid inputs
- Test with empty and binary data to provoke panics
- Run an initial fuzz pass with a defined fuzz time window
- Record crashes, new corpus entries, and fixed issues as permanent tests
Example Use Cases
- Fuzz a YAML/JSON config parser in a deployed service
- Fuzz a webhook payload handler that consumes JSON/XML
- Fuzz an API response parser in a client library
- Fuzz a file-format parser used by a compiler or data tool
- Fuzz a CLI config-file parser used in a deployment pipeline
