feat(code-injection): add stack suppressions

oetr · oetr · commit 93722f1961d2 · 2026-04-28T09:04:55.000+02:00
Let users disable or ignore expected canary access and invocation
findings using the shown-stack suppression rules.
diff --git a/packages/bug-detectors/internal/code-injection.ts b/packages/bug-detectors/internal/code-injection.ts
@@ -25,13 +25,93 @@ import {
 } from "@jazzer.js/core";
 import { registerBeforeHook } from "@jazzer.js/hooking";
 
+import { bugDetectorConfigurations } from "../configuration";
 import { ensureCanary } from "../shared/code-injection-canary";
+import {
+	buildGenericSuppressionSnippet,
+	captureStack,
+	getUserFacingStackLines,
+	IgnoreList,
+	type IgnoreRule,
+} from "../shared/finding-suppression";
+
+export type { IgnoreRule } from "../shared/finding-suppression";
 
 type PendingAccess = {
 	canaryName: string;
+	stack: string;
 	invoked: boolean;
 };
 
+/**
+ * Configuration for the Code Injection bug detector.
+ * Controls the reporting and suppression of dynamic code evaluation findings.
+ */
+export interface CodeInjectionConfig {
+	/**
+	 * Disables Stage 1 (Access) reporting entirely.
+	 * The detector will no longer report when the canary is merely read.
+	 */
+	disableAccessReporting(): this;
+	/**
+	 * Disables Stage 2 (Invocation) reporting entirely.
+	 * The detector will no longer report when the canary is actually executed.
+	 */
+	disableInvocationReporting(): this;
+	/**
+	 * Suppresses Stage 1 (Access) findings that match the provided rule.
+	 * Use this to silence safe heuristic reads such as template lookups.
+	 */
+	ignoreAccess(rule: IgnoreRule): this;
+	/**
+	 * Suppresses Stage 2 (Invocation) findings that match the provided rule.
+	 * Use this only for known-safe execution sinks in test environments.
+	 */
+	ignoreInvocation(rule: IgnoreRule): this;
+}
+
+class CodeInjectionConfigImpl implements CodeInjectionConfig {
+	private _reportAccess = true;
+	private _reportInvocation = true;
+	private readonly _ignoredAccessRules = new IgnoreList();
+	private readonly _ignoredInvocationRules = new IgnoreList();
+
+	disableAccessReporting(): this {
+		this._reportAccess = false;
+		return this;
+	}
+
+	disableInvocationReporting(): this {
+		this._reportInvocation = false;
+		return this;
+	}
+
+	ignoreAccess(rule: IgnoreRule): this {
+		this._ignoredAccessRules.add(rule);
+		return this;
+	}
+
+	ignoreInvocation(rule: IgnoreRule): this {
+		this._ignoredInvocationRules.add(rule);
+		return this;
+	}
+
+	shouldReportAccess(stack: string): boolean {
+		return this._reportAccess && !this._ignoredAccessRules.matches(stack);
+	}
+
+	shouldReportInvocation(stack: string): boolean {
+		return (
+			this._reportInvocation && !this._ignoredInvocationRules.matches(stack)
+		);
+	}
+}
+
+const config = new CodeInjectionConfigImpl();
+bugDetectorConfigurations.set("code-injection", config);
+
+// The canary name is target-specific: Jest VM contexts and globalThis can have
+// different existing properties. Weak keys avoid retaining old VM contexts.
 const canaryCache = new WeakMap<object, string>();
 
 // Canary access findings are delayed until the fuzz input finishes so a later
@@ -113,18 +193,35 @@ function ensureActiveCanary(): string {
 function createCanaryDescriptor(canaryName: string): PropertyDescriptor {
 	return {
 		get() {
-			const pendingAccess = { canaryName, invoked: false };
-			pendingAccesses.push(pendingAccess);
+			const accessStack = captureStack();
+			const pendingAccess = config.shouldReportAccess(accessStack)
+				? {
+						canaryName,
+						stack: accessStack,
+						invoked: false,
+					}
+				: undefined;
+			if (pendingAccess) {
+				pendingAccesses.push(pendingAccess);
+			}
 
 			return function canaryCall() {
-				pendingAccess.invoked = true;
-				reportAndThrowFinding(
-					buildFindingMessage(
-						"Confirmed Code Injection (Canary Invoked)",
-						`invoked canary: ${canaryName}`,
-					),
-					false,
-				);
+				const invocationStack = captureStack();
+				if (config.shouldReportInvocation(invocationStack)) {
+					if (pendingAccess) {
+						pendingAccess.invoked = true;
+					}
+					reportAndThrowFinding(
+						buildFindingMessage(
+							"Confirmed Code Injection (Canary Invoked)",
+							`invoked canary: ${canaryName}`,
+							invocationStack,
+							"ignoreInvocation",
+							"If this execution sink is expected in your test environment, suppress it:",
+						),
+						false,
+					);
+				}
 			};
 		},
 		enumerable: false,
@@ -141,12 +238,33 @@ function flushPendingAccesses(): void {
 			buildFindingMessage(
 				"Potential Code Injection (Canary Accessed)",
 				`accessed canary: ${pendingAccess.canaryName}`,
+				pendingAccess.stack,
+				"ignoreAccess",
+				"If this is a safe heuristic read, suppress it to continue fuzzing for code execution. Add this to your custom hooks:",
 			),
 			false,
 		);
 	}
 }
 
-function buildFindingMessage(title: string, action: string): string {
-	return `${title} -- ${action}`;
+function buildFindingMessage(
+	title: string,
+	action: string,
+	stack: string,
+	suppressionMethod: "ignoreAccess" | "ignoreInvocation",
+	hint: string,
+): string {
+	const relevantStackLines = getUserFacingStackLines(stack);
+	const message = [`${title} -- ${action}`];
+	if (relevantStackLines.length > 0) {
+		message.push(...relevantStackLines);
+	}
+	message.push(
+		"",
+		`[!] ${hint}`,
+		"    Example only: copy/paste it and adapt `stackPattern` to your needs.",
+		"",
+		buildGenericSuppressionSnippet("code-injection", suppressionMethod),
+	);
+	return message.join("\n");
 }
diff --git a/tests/bug-detectors/code-injection.test.js b/tests/bug-detectors/code-injection.test.js
@@ -93,6 +93,93 @@ describe("CLI", () => {
 		});
 	}
 
+	it("prints a generic access suppression example", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("heuristicReadAccessesCanary")
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(FuzzingExitCode);
+		expect(fuzzTest.stderr).toContain(
+			'getBugDetectorConfiguration("code-injection")',
+		);
+		expect(fuzzTest.stderr).toContain(
+			"Example only: copy/paste it and adapt `stackPattern` to your needs.",
+		);
+		expect(fuzzTest.stderr).toContain(
+			"// Example only: adapt `stackPattern` to the shown stack above.",
+		);
+		expect(fuzzTest.stderr).toContain("?.ignoreAccess({");
+		expect(fuzzTest.stderr).toContain('stackPattern: "test.js:10"');
+	});
+
+	it("reports confirmed invocation when access reporting is disabled", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("evalAccessesCanary")
+			.customHooks(["disable-access.config.js"])
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(FuzzingExitCode);
+		expect(fuzzTest.stderr).toContain(invocationFindingMessage);
+		expect(fuzzTest.stderr).toContain("?.ignoreInvocation({");
+	});
+
+	it("falls back to potential access when invocation reporting is disabled", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("evalAccessesCanary")
+			.customHooks(["disable-invocation.config.js"])
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(FuzzingExitCode);
+		expect(fuzzTest.stderr).toContain(accessFindingMessage);
+		expect(fuzzTest.stderr).not.toContain(invocationFindingMessage);
+	});
+
+	it("suppresses heuristic access when a stack pattern matches", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("heuristicReadAccessesCanary")
+			.customHooks(["ignore-heuristic-access.config.js"])
+			.build()
+			.execute();
+		expect(fuzzTest.stdout).toContain(okMessage);
+		expect(fuzzTest.stderr).not.toContain(accessFindingMessage);
+	});
+
+	it("reaches invocation reporting when access is ignored by stack pattern", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("evalAccessesCanary")
+			.customHooks(["ignore-access-by-stack.config.js"])
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(FuzzingExitCode);
+		expect(fuzzTest.stderr).toContain(invocationFindingMessage);
+	});
+
+	it("falls back to potential access when invocation is ignored", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("evalAccessesCanary")
+			.customHooks(["ignore-invocation-only.config.js"])
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(FuzzingExitCode);
+		expect(fuzzTest.stderr).toContain(accessFindingMessage);
+		expect(fuzzTest.stderr).not.toContain(invocationFindingMessage);
+	});
+
+	it("suppresses invocation when the invocation rule matches", () => {
+		const fuzzTest = fuzzTestBuilder
+			.fuzzEntryPoint("evalAccessesCanary")
+			.customHooks(["ignore-invocation.config.js"])
+			.build();
+		fuzzTest.execute();
+		expect(fuzzTest.stderr).not.toContain(accessFindingMessage);
+		expect(fuzzTest.stderr).not.toContain(invocationFindingMessage);
+	});
+
 	it("Function.prototype should still exist", () => {
 		const fuzzTest = fuzzTestBuilder
 			.dryRun(false)
@@ -159,6 +246,33 @@ describe("Jest", () => {
 		expect(fuzzTest.stderr).not.toContain(accessFindingMessage);
 	});
 
+	it("reports confirmed invocation when access reporting is disabled", () => {
+		const fuzzTest = fuzzTestBuilder
+			.dryRun(false)
+			.jestTestFile("tests.fuzz.js")
+			.jestTestName("eval Accesses canary$")
+			.customHooks(["disable-access.config.js"])
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(JestRegressionExitCode);
+		expect(fuzzTest.stderr).toContain(invocationFindingMessage);
+	});
+
+	it("falls back to potential access when invocation reporting is disabled", () => {
+		const fuzzTest = fuzzTestBuilder
+			.dryRun(false)
+			.jestTestFile("tests.fuzz.js")
+			.jestTestName("eval Accesses canary$")
+			.customHooks(["disable-invocation.config.js"])
+			.build();
+		expect(() => {
+			fuzzTest.execute();
+		}).toThrow(JestRegressionExitCode);
+		expect(fuzzTest.stderr).toContain(accessFindingMessage);
+		expect(fuzzTest.stderr).not.toContain(invocationFindingMessage);
+	});
+
 	it("safe code stays quiet", () => {
 		const fuzzTest = fuzzTestBuilder
 			.dryRun(false)
diff --git a/tests/bug-detectors/code-injection/disable-access.config.js b/tests/bug-detectors/code-injection/disable-access.config.js
@@ -0,0 +1,21 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const {
+	getBugDetectorConfiguration,
+} = require("../../../packages/bug-detectors");
+
+getBugDetectorConfiguration("code-injection")?.disableAccessReporting();
diff --git a/tests/bug-detectors/code-injection/disable-invocation.config.js b/tests/bug-detectors/code-injection/disable-invocation.config.js
@@ -0,0 +1,21 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const {
+	getBugDetectorConfiguration,
+} = require("../../../packages/bug-detectors");
+
+getBugDetectorConfiguration("code-injection")?.disableInvocationReporting();
diff --git a/tests/bug-detectors/code-injection/ignore-access-by-stack.config.js b/tests/bug-detectors/code-injection/ignore-access-by-stack.config.js
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const {
+	getBugDetectorConfiguration,
+} = require("../../../packages/bug-detectors");
+
+getBugDetectorConfiguration("code-injection")?.ignoreAccess({
+	stackPattern: "evalAccessesCanary",
+});
diff --git a/tests/bug-detectors/code-injection/ignore-heuristic-access.config.js b/tests/bug-detectors/code-injection/ignore-heuristic-access.config.js
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2026 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const {
+	getBugDetectorConfiguration,
+} = require("../../../packages/bug-detectors");
+
+getBugDetectorConfiguration("code-injection")?.ignoreAccess({
+	stackPattern: "heuristicReadAccessesCanary",
+});
diff --git a/tests/bug-detectors/code-injection/ignore-invocation-only.config.js b/tests/bug-detectors/code-injection/ignore-invocation-only.config.js
diff --git a/tests/bug-detectors/code-injection/ignore-invocation.config.js b/tests/bug-detectors/code-injection/ignore-invocation.config.js
