Dapr June 2023 fuzzing audit report
APIs 1: FuzzExprDecodeString Tests the decoding of strings into an Expr type. The fuzzer uses the test case as the input for the DecodeString() API. 2: FuzzHandleRequest Tests the request handling of the github.com/dapr/dapr/pkg/injector.(*injector).handleRequest(). 3: FuzzFSMPlacementState This fuzzer tests the FSM's handling of raft log entries. The fuzzer creates a new FSM (finite state machine). It then tests if a raft log entry could cause disruption. 4: FuzzDaprRuntime This is an extensive fuzzer that tests the dapr runtime package. The fuzzer implements its own mocked pubsub type. The fuzzer has 4 targets:
19 pages | 690.59 KB | 1 year ago
Dapr February 2021 security audit report
were delineated: • WP1: Thorough source code audit of the latest Dapr version • WP2: Penetration tests targeting the Dapr integration and setup • WP3: Retesting of issues spotted in June 2020. To enable Bielefelder Str. 14 D 10709 Berlin cure53.de · mario@cure53.de Scope • Penetration-tests and audits of the latest version of Dapr ◦ WP1: Thorough source code audits of the latest version ▪ Special focus was placed on local environment variable for secret storage ◦ WP2: Penetration tests against Dapr integration & setup ▪ A Kubernetes cluster running pythonapp & nodeapp among Dapr pods
9 pages | 161.25 KB | 1 year ago
Dapr September 2023 security audit report
com/dapr/components-contrib/pubsub/pulsar 5 FuzzPurellTest github.com/dapr/dapr/pkg/acl FuzzRLTest Tests whether well-crafted requests to the ratelimit middleware component can cause harm. URL: https://github 8792295cd597d /projects/dapr/fuzz_components_contrib_ratelimiter_test.go FuzzAzureEventGridTest Tests the validation routine for the authorization header of incoming requests. 15 Dapr security audit 3eabf2b557a9f5 /projects/dapr/fuzz_components_contrib_azure_eventgrid_test.go FuzzGraphqlRETest Tests whether the regular expression that processes incoming requests to the GraphQL component is safe.
47 pages | 1.05 MB | 1 year ago
Dapr July 2020 security audit report
logical flaws and deep-seated issues. With a shift in methods, WP2 encompassed penetration tests against Dapr integration and setup. The Cure53 team relied on a fully installed Kubernetes cluster coverage, pointing Cure53 to certain research avenues for exploration. Information on useful tests and additional software for experimentation were also indicated to the Cure53 testers by Dapr. The Penetration Tests and Security Audits against Dapr ◦ WP1: Thorough Source Code Audits against latest version of Dapr ▪ Focus was directed to the Dapr main repository ◦ WP2: Penetration Tests against Dapr
19 pages | 267.84 KB | 1 year ago
4 results in total













