@@ -22,8 +22,33 @@ using Jest in `.jazzerjsrc.json`:
2222
2323## Path Traversal
2424
25- Hooks all relevant functions of the built-in modules ` fs ` and ` path ` and reports
26- a finding if the fuzzer could pass a special path to any of the functions.
25+ Hooks all relevant functions of the built-in modules ` fs ` , ` fs/promises ` , and
26+ ` path ` and reports a finding if the fuzzer could pass a special path to any of
27+ the functions.
28+
29+ The Path Traversal bug detector can be configured in the
30+ [ custom hooks] ( ./fuzz-settings.md#customhooks--arraystring ) file.
31+
32+ - ` ignore(rule) ` - suppresses findings from callsites matching the shown stack
33+ excerpt.
34+ - ` stackPattern ` accepts either a string or a ` RegExp ` and is matched against
35+ the shown stack excerpt after removing the leading ` Error ` line and Jazzer.js
36+ frames. The remaining stack text is matched as shown, including path
37+ separators and column numbers.
38+
39+ Here is an example configuration in the
40+ [ custom hooks] ( ./fuzz-settings.md#customhooks--arraystring ) file:
41+
42+ ``` javascript
43+ const { getBugDetectorConfiguration } = require (" @jazzer.js/bug-detectors" );
44+
45+ getBugDetectorConfiguration (" path-traversal" )? .ignore ({
46+ stackPattern: " safe-path-wrapper.js:41" ,
47+ });
48+ ` ` `
49+
50+ Findings also print a generic example suppression snippet. Copy/paste it and
51+ adapt ` stackPattern` to the shown stack excerpt.
2752
2853_Disable with:_ ` -- disableBugDetectors= path- traversal` in CLI mode; or when
2954using Jest in ` .jazzerjsrc .json ` :
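Review bot: The new option list in this hunk presents `stackPattern` as a sibling of `ignore(rule)`, but the example below shows it is a property of the `rule` object passed to `ignore`; rewriting the second bullet as "`rule.stackPattern` accepts either a string or a `RegExp`" would make that relationship explicit. The text also says the stack text "is matched as shown" without stating whether a string pattern must match the whole excerpt or only a substring, which readers need to know before they copy the printed suppression snippet; and since the example pins `safe-path-wrapper.js:41` with a line number, a sentence noting that line/column positions shift with edits and that a `RegExp` on the file name is more durable would save users from suppressions that silently stop applying.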
@@ -98,17 +123,59 @@ using Jest in `.jazzerjsrc.json`:
98123{ " disableBugDetectors" : [" prototype-pollution" ] }
99124` ` `
100125
101- ## Remote Code Execution
126+ ## Code Injection
127+
128+ Installs a canary on the active global object and hooks the ` eval` and
129+ ` Function ` functions. The before-hooks guide the fuzzer toward injecting the
130+ active canary identifier into code strings. The detector reports two fatal
131+ stages by default:
102132
103- Hooks the ` eval` and ` Function ` functions and reports a finding if the fuzzer
104- was able to pass a special string to ` eval` and to the function body of
105- ` Function ` .
133+ - ` Potential Code Injection (Canary Accessed)` - some code resolved the canary.
134+ This high-recall heuristic catches cases where dynamically produced code reads
135+ or stores the canary before executing it later.
136+ - ` Confirmed Code Injection (Canary Invoked)` - the callable canary returned by
137+ the getter was invoked.
106138
107- _Disable with:_ ` -- disableBugDetectors= remote- code- execution` in CLI mode; or
108- when using Jest in ` .jazzerjsrc .json ` :
139+ The detector can be configured in the
140+ [custom hooks](./fuzz-settings.md#customhooks--arraystring) file.
141+
142+ - ` disableAccessReporting` - disables the stage-1 access finding while keeping
143+ invocation reporting active.
144+ - ` disableInvocationReporting` - disables the stage-2 invocation finding.
145+ - ` ignoreAccess (rule)` - suppresses stage-1 findings matching the shown stack
146+ excerpt.
147+ - ` ignoreInvocation (rule)` - suppresses stage-2 findings matching the shown
148+ stack excerpt.
149+ - ` stackPattern` accepts either a string or a ` RegExp ` and is matched against
150+ the shown stack excerpt after removing the leading ` Error ` line and Jazzer.js
151+ frames. The remaining stack text is matched as shown, including path
152+ separators and column numbers.
153+
154+ The detector must be able to install a canary on at least one active global
155+ object. Locked-down environments that forbid this should disable the detector
156+ explicitly.
157+
158+ Here is an example configuration in the
159+ [custom hooks](./fuzz-settings.md#customhooks--arraystring) file:
160+
161+ ` ` ` javascript
162+ const { getBugDetectorConfiguration } = require (" @jazzer.js/bug-detectors" );
163+
164+ getBugDetectorConfiguration (" code-injection" )
165+ ? .ignoreAccess ({
166+ stackPattern: " handlebars/runtime.js:87" ,
167+ })
168+ ? .disableInvocationReporting ();
169+ ` ` `
170+
171+ Findings print a generic example suppression snippet. Copy/paste it and adapt
172+ ` stackPattern` to a stable substring or ` RegExp ` from the shown stack.
173+
174+ _Disable with:_ ` -- disableBugDetectors= code- injection` in CLI mode; or when
175+ using Jest in ` .jazzerjsrc .json ` :
109176
110177` ` ` json
111- { " disableBugDetectors" : [" remote- code-execution " ] }
178+ { " disableBugDetectors" : [" code-injection " ] }
112179` ` `
113180
114181## Server-Side Request Forgery (SSRF)
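Review bot: Renaming the detector from `remote-code-execution` to `code-injection` changes both the CLI flag (`--disableBugDetectors=code-injection`) and the `.jazzerjsrc.json` value, so any existing project that disables the old name will silently start running this detector again; the hunk should state whether `remote-code-execution` is still accepted as an alias or add a short migration note next to the "Disable with" paragraph. Two smaller documentation gaps in the same hunk: the example chains `?.ignoreAccess(...)?.disableInvocationReporting()`, which relies on the configuration methods returning the configuration object, and that chainability is not stated in the option list; and "Locked-down environments that forbid this should disable the detector explicitly" does not say what happens when the canary cannot be installed (an error, a warning, or the detector turning itself off), which is exactly what a user in such an environment needs to know.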