45 changes: 38 additions & 7 deletions docs/bug-detectors.md
Expand Up @@ -98,17 +98,48 @@ using Jest in `.jazzerjsrc.json`:
{ "disableBugDetectors": ["prototype-pollution"] }
```

## Remote Code Execution
## Code Injection

Hooks the `eval` and `Function` functions and reports a finding if the fuzzer
was able to pass a special string to `eval` and to the function body of
`Function`.
Installs a canary on `globalThis` and hooks the `eval` and `Function` functions.
The before-hooks guide the fuzzer toward injecting the active canary identifier
into code strings. The detector reports two fatal stages by default:

_Disable with:_ `--disableBugDetectors=remote-code-execution` in CLI mode; or
when using Jest in `.jazzerjsrc.json`:
- `Potential Code Injection (Canary Accessed)` - some code resolved the canary.
This high-recall heuristic catches cases where dynamically produced code reads
or stores the canary before executing it later.
- `Confirmed Code Injection (Canary Invoked)` - the callable canary returned by
the getter was invoked.

The detector can be configured in the
[custom hooks](./fuzz-settings.md#customhooks--arraystring) file.

- `disableAccessReporting` - disables the stage-1 access finding while keeping
invocation reporting active.
- `disableInvocationReporting` - disables the stage-2 invocation finding.
- `ignoreAccess(rule)` - suppresses stage-1 findings matching a file, function,
or stack pattern.
- `ignoreInvocation(rule)` - suppresses stage-2 findings matching a file,
function, or stack pattern.

Here is an example configuration in the
[custom hooks](./fuzz-settings.md#customhooks--arraystring) file:

```javascript
const { getBugDetectorConfiguration } = require("@jazzer.js/bug-detectors");

getBugDetectorConfiguration("code-injection")
?.ignoreAccess({
filePattern: /handlebars[\\/]dist[\\/]cjs[\\/]runtime\.js$/,
functionPattern: /^lookupProperty$/,
})
?.disableInvocationReporting();
```

_Disable with:_ `--disableBugDetectors=code-injection` in CLI mode; or when
using Jest in `.jazzerjsrc.json`:

```json
{ "disableBugDetectors": ["remote-code-execution"] }
{ "disableBugDetectors": ["code-injection"] }
```

## Server-Side Request Forgery (SSRF)
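Review bot: The shape of the `rule` object taken by `ignoreAccess(rule)` and `ignoreInvocation(rule)` is not documented anywhere in this hunk; the bullets say a rule matches "a file, function, or stack pattern", but the only keys a reader ever sees are `filePattern` and `functionPattern` in the example, so the key for the stack pattern and whether several keys in one rule must all match (AND) or any of them (OR) are left to guesswork. Add a sentence or small field list after the bullets naming each key and the match semantics, and say that `ignoreAccess`, `ignoreInvocation` and the two `disable...Reporting` methods return the configuration object, since the example depends on chaining them with `?.` without stating that they are chainable. The rename of the detector from `remote-code-execution` to `code-injection` also changes the value users have in `--disableBugDetectors` and in `.jazzerjsrc.json`; either note that the old name is still accepted as an alias or flag the rename as a breaking change, otherwise existing configs that disable this detector will silently start reporting findings again. Minor wording: "reports two fatal stages by default" is unclear; "reports two stages of findings by default" reads better.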