Add fuzz testing suite and fix RC4 empty-key crash#2
Merged
Conversation
Add 8 atheris/libFuzzer fuzz targets covering the full deobfuscation pipeline, parser, generator, all 16 transforms, expression simplifier, string decoders, scope analysis, and AST traversal. Includes OSS-Fuzz build script, local runner, seed corpus from regression samples, and GitHub Actions workflow triggered on develop branch. Fix ZeroDivisionError in Rc4StringDecoder when called with an empty string key — `key[i % len(key)]` divided by zero. The existing guard only checked `key is None`, not empty string. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove clang and atheris installation from the fuzz CI workflow — the standalone random fuzzer needs no extra dependencies and is sufficient for CI smoke testing. Atheris with libFuzzer is for local deep fuzzing. Add publish.yml workflow that builds and publishes to PyPI on GitHub Release, using pypa/gh-action-pypi-publish with a PYPI_TOKEN secret. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Single source of truth for version — no need to bump both pyproject.toml and __init__.py. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add authors, URLs, classifiers, keywords to pyproject.toml - Include LICENSE, README, NOTICE, THIRD_PARTY_LICENSES in sdist - Remove redundant setup.py (mypyc compilation, conflicts with pyproject.toml) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
esprima2 is a pip dependency, not bundled code. Only derivative works (obfuscator-io-deobfuscator, javascript-deobfuscator) need attribution. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use absolute URL for logo (renders on PyPI, not just GitHub) - Replace requirements.txt install with pip install pyjsclear - Add development setup with git clone - Remove esprima2 from license attribution (runtime dependency, not bundled) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add setuptools packages.find with include = ["pyjsclear*"] to prevent tests/ from being bundled in the wheel. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
ZeroDivisionErrorinRc4StringDecoderwhen called with empty string key (key[i % len(key)]atstring_decoders.py:130)developbranch using standalone fuzzer (no clang/atheris needed in CI)Test plan
PYPI_TOKENsecret to repo for publish workflow🤖 Generated with Claude Code