[Fuzz] Add fuzz testing for AdvancedPaste and new pipeline for onboarding OneFuzz (#36329)

* add fuzz

* install .net8

* add spelling check

* refine the pipeline

* add readme and update the test code

* fix spelling error

* change to weekly run

src/modules/AdvancedPaste/AdvancedPaste.FuzzTests/AdvancedPaste.FuzzTests.csproj

@@ -0,0 +1,26 @@
+<Project Sdk="Microsoft.NET.Sdk">
+	<PropertyGroup>
+		<TargetFramework>net8.0-windows10.0.19041.0</TargetFramework>
+		<LangVersion>latest</LangVersion>
+		<ImplicitUsings>enable</ImplicitUsings>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+	<PropertyGroup>
+		<OutputPath>..\..\..\..\$(Platform)\$(Configuration)\tests\AdvancedPaste.FuzzTests\</OutputPath>
+	</PropertyGroup>
+	<ItemGroup>
+		<Compile Include="..\AdvancedPaste\Helpers\JsonHelper.cs" Link="JsonHelper.cs" />
+	</ItemGroup>
+	<ItemGroup>
+		<PackageReference Include="MSTest" />
+	</ItemGroup>
+
+	<ItemGroup>
+		<Using Include="Microsoft.VisualStudio.TestTools.UnitTesting" />
+	</ItemGroup>
+	<ItemGroup>
+		<Content Include="OneFuzzConfig.json">
+			<CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+		</Content>
+	</ItemGroup>
+</Project>

src/modules/AdvancedPaste/AdvancedPaste.FuzzTests/Fuzz.md

@@ -0,0 +1,45 @@
+# Fuzzing .NET Code with OneFuzz
+
+This document explains the purpose of the project, the rationale for using specific technologies, and key instructions for fuzz testing .NET code using OneFuzz.
+
+## Overview
+
+This project demonstrates fuzz testing for .NET applications. It uses a `.NET 8 (Windows)` project where a code file is linked to the project. The linked file contains the functions required for fuzz testing.
+
+## Why Use .NET 8 (Windows)?
+
+1. **Current Support**: At the time of writing, OneFuzz supports only .NET 8 projects. The Fuzz team is actively working on .NET 9 support.
+2. **Interim Solution**: Until .NET 9 support is available, .NET 8 serves as a robust and temporary solution for fuzz testing, enabling direct code linking for efficient development.
+
+## Requesting Access
+
+To log into the production instance of OneFuzz with the CLI, you **must request access**. Visit the internal [OneFuzz Access Request Page](https://myaccess.microsoft.com/@microsoft.onmicrosoft.com#/access-packages/6df691eb-e3d1-444b-b4b2-9e944dc794be) for details.
+
+## How to Fuzz .NET Code
+
+To set up and run fuzz testing on .NET code, follow the detailed guide available [Fuzz .NET Code](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/howto/fuzzing-dotnet-code).
+
+## Running a .NET Fuzz Target Locally
+
+Testing a .NET fuzz target locally requires specific configurations. For a step-by-step guide, see the section on [Running a .NET Fuzz Target Locally](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/howto/fuzzing-dotnet-code#extra-running-a-net-fuzz-target-locally).
+
+## Writing a Good OneFuzzConfig.json
+
+The `OneFuzzConfig.json` file provides critical information for deploying fuzzing jobs using the OneFuzz Ingestion Preparation Tool and Ingestion Service.
+
+### Structure
+
+The primary structure is an array of configuration entries. Outside the array, the `configVersion` field is used to track changes to the configuration schema.
+
+For more details on how to write and structure this file, see the [OneFuzzConfig V3 Documentation](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/onefuzzconfig/onefuzzconfigv3).
+
+## Tools
+
+### OneFuzz Ingestion Preparation (OIP) Tool
+
+The OIP tool helps prepare data for ingestion and fuzz testing. Learn more about [OneFuzz Ingestion Preparation (OIP) Tool](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/oip/onefuzzingestionpreparationtool).
+
+### OneFuzz CLI
+
+The CLI provides commands to manage and execute fuzzing jobs. Download and set up the CLI by following this [guide](https://eng.ms/docs/cloud-ai-platform/azure-edge-platform-aep/aep-security/epsf-edge-and-platform-security-fundamentals/the-onefuzz-service/onefuzz/howto/downloading-cli).
+

src/modules/AdvancedPaste/AdvancedPaste.FuzzTests/FuzzTests.cs

@@ -0,0 +1,32 @@
+// Copyright (c) Microsoft Corporation
+// The Microsoft Corporation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using AdvancedPaste.Helpers;
+using Windows.ApplicationModel.DataTransfer;
+
+// OneFuzz currently does not support .NET 9 code testing, so this is a temporary solution.
+// Create a .NET 8 project and use a file link to include the code for testing first.
+namespace AdvancedPaste.FuzzTests
+{
+    public class FuzzTests
+    {
+        public static void FuzzToJsonFromXmlOrCsv(ReadOnlySpan<byte> input)
+        {
+            try
+            {
+                var dataPackage = new DataPackage();
+                dataPackage.SetText(input.ToString());
+                _ = Task.Run(async () => await JsonHelper.ToJsonFromXmlOrCsvAsync(dataPackage.GetView())).Result;
+            }
+            catch (Exception ex) when (ex is ArgumentException)
+            {
+                // This is an example. It's important to filter out any *expected* exceptions from our code here.
+                // However, catching all exceptions is considered an anti-pattern because it may suppress legitimate
+                // issues, such as a NullReferenceException thrown by our code. In this case, we still re-throw
+                // the exception, as the ToJsonFromXmlOrCsvAsync method is not expected to throw any exceptions.
+                throw;
+            }
+        }
+    }
+}

src/modules/AdvancedPaste/AdvancedPaste.FuzzTests/Logger.cs

@@ -0,0 +1,46 @@
+// Copyright (c) Microsoft Corporation
+// The Microsoft Corporation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+// This is used for fuzz testing and ensures that the project links only to JsonHelper,
+// avoiding unnecessary connections to additional files
+namespace ManagedCommon
+{
+    public static class Logger
+    {
+        // An empty method to simulate logging information
+        public static void LogTrace()
+        {
+            // Do nothing
+        }
+
+        // An empty method to simulate logging information
+        public static void LogInfo(string message)
+        {
+            // Do nothing
+        }
+
+        // An empty method to simulate logging warnings
+        public static void LogWarning(string message)
+        {
+            // Do nothing
+        }
+
+        // An empty method to simulate logging errors
+        public static void LogError(string message, Exception? ex = null)
+        {
+            // Do nothing
+        }
+
+        public static void LogDebug(string message, Exception? ex = null)
+        {
+            // Do nothing
+        }
+    }
+}

src/modules/AdvancedPaste/AdvancedPaste.FuzzTests/MSTestSettings.cs

@@ -0,0 +1,5 @@
+// Copyright (c) Microsoft Corporation
+// The Microsoft Corporation licenses this file to you under the MIT license.
+// See the LICENSE file in the project root for more information.
+
+[assembly: Parallelize(Scope = ExecutionScope.MethodLevel)]

src/modules/AdvancedPaste/AdvancedPaste.FuzzTests/OneFuzzConfig.json

@@ -0,0 +1,47 @@
+{
+  "configVersion": 3,
+  "entries": [
+    {
+      "fuzzer": {
+        "$type": "libfuzzerDotNet",
+        "dll": "AdvancedPaste.FuzzTests.dll",
+        "class": "AdvancedPaste.FuzzTests.FuzzTests",
+        "method": "FuzzToJsonFromXmlOrCsv",
+        "FuzzingTargetBinaries": [
+          "PowerToys.AdvancedPaste.dll"
+        ]
+      },
+      "adoTemplate": {
+        // supply the values appropriate to your
+        // project, where bugs will be filed 
+        "org": "microsoft",
+        "project": "OS",
+        "AssignedTo": "leilzh@microsoft.com",
+        "AreaPath": "OS\\Windows Client and Services\\WinPD\\DEEP-Developer Experience, Ecosystem and Partnerships\\SHINE\\PowerToys",
+        "IterationPath": "OS\\Future"
+      },
+      "jobNotificationEmail": "leilzh@microsoft.com",
+      "skip": false,
+      "rebootAfterSetup": false,
+      "oneFuzzJobs": [
+        // at least one job is required
+        {
+          "projectName": "AdvancedPaste",
+          "targetName": "AdvancedPaste-dotnet-fuzzer"
+        }
+      ],
+      "jobDependencies": [
+        // this should contain, at minimum,
+        // the DLL and PDB files
+        // you will need to add any other files required
+        // (globs are supported)
+        "AdvancedPaste.FuzzTests.dll",
+        "AdvancedPaste.FuzzTests.pdb",
+        "Microsoft.Windows.SDK.NET.dll",
+        "Newtonsoft.Json.dll",
+        "WinRT.Runtime.dll"
+      ],
+      "SdlWorkItemId": 49911822
+    }
+  ]
+}