feat(bug-detectors): add code injection canary findings

Replace the brittle substring detector with deterministic
canaries for eval and Function.

Split findings into canary access and invocation,
and emit copy-paste suppression rules for noisy
heuristic reads.

Author: oetr

docs/bug-detectors.md

@@ -98,17 +98,48 @@ using Jest in `.jazzerjsrc.json`:
 { "disableBugDetectors": ["prototype-pollution"] }
 ```
 
-## Remote Code Execution
+## Code Injection
 
-Hooks the `eval` and `Function` functions and reports a finding if the fuzzer
-was able to pass a special string to `eval` and to the function body of
-`Function`.
+Installs a canary on `globalThis` and hooks the `eval` and `Function` functions.
+The before-hooks guide the fuzzer toward injecting the active canary identifier
+into code strings. The detector reports two fatal stages by default:
 
-_Disable with:_ `--disableBugDetectors=remote-code-execution` in CLI mode; or
-when using Jest in `.jazzerjsrc.json`:
+- `Potential Code Injection (Canary Accessed)` - some code resolved the canary.
+  This high-recall heuristic catches cases where dynamically produced code reads
+  or stores the canary before executing it later.
+- `Confirmed Code Injection (Canary Invoked)` - the callable canary returned by
+  the getter was invoked.
+
+The detector can be configured in the
+[custom hooks](./fuzz-settings.md#customhooks--arraystring) file.
+
+- `disableAccessReporting` - disables the stage-1 access finding while keeping
+  invocation reporting active.
+- `disableInvocationReporting` - disables the stage-2 invocation finding.
+- `ignoreAccess(rule)` - suppresses stage-1 findings matching a file, function,
+  or stack pattern.
+- `ignoreInvocation(rule)` - suppresses stage-2 findings matching a file,
+  function, or stack pattern.
+
+Here is an example configuration in the
+[custom hooks](./fuzz-settings.md#customhooks--arraystring) file:
+
+```javascript
+const { getBugDetectorConfiguration } = require("@jazzer.js/bug-detectors");
+
+getBugDetectorConfiguration("code-injection")
+	?.ignoreAccess({
+		filePattern: /handlebars[\\/]dist[\\/]cjs[\\/]runtime\.js$/,
+		functionPattern: /^lookupProperty$/,
+	})
+	?.disableInvocationReporting();
+```
+
+_Disable with:_ `--disableBugDetectors=code-injection` in CLI mode; or when
+using Jest in `.jazzerjsrc.json`:
 
 ```json
-{ "disableBugDetectors": ["remote-code-execution"] }
+{ "disableBugDetectors": ["code-injection"] }
 ```
 
 ## Server-Side Request Forgery (SSRF)