Skip to content

Add fuzz testing and diverse XLSX test corpus#52

Merged
0xNadr merged 1 commit into
mainfrom
feat/fuzzing-and-test-corpus
Apr 3, 2026
Merged

Add fuzz testing and diverse XLSX test corpus#52
0xNadr merged 1 commit into
mainfrom
feat/fuzzing-and-test-corpus

Conversation

@0xNadr
Copy link
Copy Markdown
Owner

@0xNadr 0xNadr commented Apr 3, 2026

Summary

  • 4 cargo-fuzz targets for all reader entry points (read_xlsx, read_single_sheet, read_sheet_names, read_document_properties)
  • 23 fixture files: 16 valid (empty workbook, all data types, Unicode/emoji, rich text, sparse rows, multiple sheets with hidden states, merged cells, freeze panes, auto-filter, defined names, large shared strings, date cells, column widths, inline strings, document properties) + 7 malformed (truncated ZIP, empty ZIP, missing workbook, bad XML, wrong string index, row 0, huge row gap)
  • 30 new Python tests covering valid parse, malformed error handling, and write-read roundtrip
  • CI workflow (fuzz.yml): weekly scheduled + on-demand + PR trigger for reader changes, corpus caching, crash artifact upload
  • Edge case docs (docs/edge-cases.md): security limits, known behaviors for malformed input
  • Smoke tested locally: 639K fuzz iterations in 11s with zero crashes

Test plan

  • All 310 tests pass locally (280 existing + 30 new corpus tests)
  • cargo clippy --no-default-features -- -D warnings clean
  • cargo fmt --check clean
  • cargo +nightly fuzz build compiles all 4 targets
  • cargo +nightly fuzz run fuzz_read_xlsx -- -max_total_time=10 runs without crashes
  • CI passes on this PR

Closes #19

@0xNadr
Add fuzz testing and diverse XLSX test corpus
b87e8c2 
- 4 cargo-fuzz targets covering all reader entry points (read_xlsx,
  read_single_sheet, read_sheet_names, read_document_properties)
- 23 generated fixture files: valid corpus (16 files testing different
  features, data types, Unicode, rich text, sparse rows, multiple
  sheets, etc.) and malformed corpus (7 files: truncated ZIP, empty
  ZIP, missing workbook, malformed XML, bad string index, etc.)
- test_corpus.py: 30 Python tests exercising the corpus (valid parse,
  malformed error handling, write-read roundtrip)
- generate_corpus.py: reproducible fixture generation script
- CI workflow (fuzz.yml): weekly scheduled + on-demand + PR trigger
  for reader changes, with corpus caching and crash artifact upload
- docs/edge-cases.md: documented known edge cases and security limits
- Made reader/writer/types modules public for fuzz target access

Closes #19
@codecov
Copy link
Copy Markdown

codecov Bot commented Apr 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@0xNadr 0xNadr merged commit 0661c8c into main Apr 3, 2026
21 checks passed
@0xNadr 0xNadr deleted the feat/fuzzing-and-test-corpus branch April 3, 2026 13:16
@0xNadr 0xNadr mentioned this pull request Apr 3, 2026
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Broader test corpus and fuzzing

1 participant

@0xNadr