From e6d7e9b7195f52799b50138e4baedc4c7a95c2bf Mon Sep 17 00:00:00 2001
From: can olgun
Date: Fri, 12 Jun 2026 12:20:46 +0300
Subject: [PATCH] =?UTF-8?q?Add=20OSS-Fuzz=20harness=20for=20requests=20?= =?UTF-8?q?=E2=80=94=20Python=20HTTP=20library?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
fuzz_requests.py | 56 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
create mode 100644 fuzz_requests.py
diff --git a/fuzz_requests.py b/fuzz_requests.py
new file mode 100644
index 0000000000..8799f1f3b4
--- /dev/null
+++ b/fuzz_requests.py
@@ -0,0 +1,56 @@
+#!/usr/bin/env python3
+"""Fuzz harness for requests — Python HTTP library (8 GHSA advisories).
+
+Tests URL parsing, header parsing, and response handling
+with arbitrary attacker-controlled inputs.
+"""
+import sys
+import atheris
+
+with atheris.instrument_imports():
+ import requests
+ from requests import structures, cookies
+
+
+def TestOneInput(data):
+ fdp = atheris.FuzzedDataProvider(data)
+
+ # 1. URL parsing — core pre-auth boundary
+ try:
+ url = fdp.ConsumeString(512)
+ requests.utils.urlparse(url)
+ except Exception:
+ pass
+
+ # 2. Header parsing
+ try:
+ header_str = fdp.ConsumeString(256)
+ requests.utils.parse_header_links(header_str)
+ except Exception:
+ pass
+
+ # 3. Case-insensitive dict (used for headers)
+ try:
+ key = fdp.ConsumeString(64)
+ val = fdp.ConsumeString(128)
+ d = structures.CaseInsensitiveDict()
+ d[key] = val
+ _ = d.get(key, "")
+ except Exception:
+ pass
+
+ # 4. Cookie parsing
+ try:
+ cookie_str = fdp.ConsumeString(512)
+ cookies.MockRequest(cookie_str)
+ except Exception:
+ pass
+
+
+def main():
+ atheris.Setup(sys.argv, TestOneInput)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
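Review bot: Every probe in TestOneInput ends in `except Exception: pass`, so the harness only surfaces interpreter crashes and timeouts and never reports the Python-level errors (AttributeError, IndexError, UnicodeError, ...) that a parsing bug in the library would raise; narrow each clause to the exceptions the call is documented to raise, e.g. `except ValueError: pass`, and let everything else propagate so atheris records it as a finding. That blanket catch also masks that probe 4 appears never to exercise cookie parsing: `cookies.MockRequest` wraps a prepared request object and, if I read the library correctly, dereferences `.url` on construction, so a bare string fails before any cookie is parsed — `cookies.cookiejar_from_dict({key: cookie_str})` or loading the string as a Cookie header into a `cookies.RequestsCookieJar` would be a real target. Probe 1 calls `requests.utils.urlparse`, which is most likely the re-exported `urllib.parse.urlparse`, so it fuzzes the standard library rather than requests' own URL handling (`requests.utils.prepend_scheme_if_needed` or `requests.models.PreparedRequest().prepare_url(url, None)` are the library's code paths). The module docstring promises response handling and cites eight advisories, but no probe touches responses; trim it to what the four probes actually do.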