TMP: address feedback

- Add a flag to disable bug detectors using patterns
- Add a config that uses custom hooks to detect a finding
- Clean the stack of the error messages properly
- Refactoring, clean up

Author: oetr

examples/bug-detectors-command-injection/package.json

@@ -18,7 +18,6 @@
 const { FuzzedDataProvider } = require("@jazzer.js/core");
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const root = require("global-modules-path");
-
 module.exports.fuzz = function (data) {
 	const provider = new FuzzedDataProvider(data);
 	const str1 = provider.consumeString(provider.consumeIntegralInRange(1, 20));

…/bug-detectors-command-injection/fuzz.js …/bug-detectors/command-injection/fuzz.jsexamples/bug-detectors-command-injection/fuzz.js renamed to examples/bug-detectors/command-injection/fuzz.js examples/bug-detectors-command-injection/fuzz.js renamed to examples/bug-detectors/command-injection/fuzz.js

@@ -0,0 +1,17 @@
+{
+	"name": "bug-detectors",
+	"version": "1.0.0",
+	"main": "fuzz.js",
+	"license": "ISC",
+	"dependencies": {
+		"global-modules-path": "^2.3.1"
+	},
+	"scripts": {
+		"customHooks": "jazzer fuzz -i global-modules-path --disable_bug_detectors='.*' -h custom-hooks --timeout=100000000 --sync -- -runs=100000 -print_final_stats=1",
+		"bugDetectors": "jazzer fuzz -i global-modules-path --timeout=100000000 --sync -- -runs=100000 -print_final_stats=1",
+		"dryRun": "jazzer fuzz --sync -x Error -- -runs=100000 -seed=123456789"
+	},
+	"devDependencies": {
+		"@jazzer.js/core": "file:../../packages/core"
+	}
+}

examples/bug-detectors/command-injection/package.json

@@ -1,4 +1,26 @@
-export class Finding extends Error {}
+/*
+ * Copyright 2022 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Examples showcasing the custom hooks API
+ */
+
+export class Finding extends Error {
+	constructor(message: string) {
+		super(message);
+	}
+}
 
 // The first finding found by any bug detector will be saved here.
 // This is a global variable shared between the core-library (read, reset) and the bug detectors (write).

packages/bug-detectors/command-injection.ts

@@ -23,21 +23,29 @@ export {
 } from "./findings";
 
 // Checks in the global options if the bug detector should be loaded.
-export function shouldLoadBugDetector(bugDetectorName: string): boolean {
-	// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-	// @ts-ignore
-	return !global.options.excludeBugDetectors.includes(bugDetectorName);
+function shouldDisableBugDetector(
+	disableBugDetectors: RegExp[],
+	bugDetectorName: string
+): boolean {
+	// pattern match for bugDetectorName in disableBugDetectors
+	for (const pattern of disableBugDetectors) {
+		if (pattern.test(bugDetectorName)) {
+			if (process.env.JAZZER_DEBUG)
+				console.log(
+					`Skip loading bug detector ${bugDetectorName} because it matches ${pattern}`
+				);
+			return true;
+		}
+	}
+	return false;
 }
 
-// Checks in the global options if the bug detector should be loaded in safe mode.
-export function isSafeModeEnabled(): boolean {
-	// eslint-disable-next-line @typescript-eslint/ban-ts-comment
-	// @ts-ignore
-	return global.options.bugDetectorsSafeMode;
-}
-
-import { loadCommandInjectionBugDetector } from "./command-injection";
-
-export function loadBugDetectors(): void {
-	loadCommandInjectionBugDetector();
+export async function loadBugDetectors(
+	disableBugDetectors: RegExp[]
+): Promise<void> {
+	// Dynamic imports require either absolute path, or a relative path with .js extension.
+	// This is ok, since our .ts files are compiled to .js files.
+	if (!shouldDisableBugDetector(disableBugDetectors, "Command Injection")) {
+		await import("./internal/command-injection.js");
+	}
 }

packages/bug-detectors/findings.ts

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2023 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+import { reportFinding } from "../findings";
+import { guideTowardsEquality } from "@jazzer.js/fuzzer";
+import { registerBeforeHook } from "@jazzer.js/hooking";
+
+/**
+ * Importing this file adds "before-hooks" for all functions in the built-in `child_process` module and guides
+ * the fuzzer towards the uniquely chosen `goal` string `"jaz_zer"`. If the goal is found in the first argument
+ * of any hooked function, a `Finding` is reported.
+ */
+const goal = "jaz_zer";
+const moduleName = "child_process";
+
+const functionNames = [
+	"exec",
+	"execSync",
+	"execFile",
+	"execFileSync",
+	"spawn",
+	"spawnSync",
+	"fork",
+];
+
+for (const functionName of functionNames) {
+	const beforeHook = (thisPtr: unknown, params: unknown[], hookId: number) => {
+		if (params === undefined || params.length === 0) {
+			return;
+		}
+		// The first argument of the original function is:
+		// - the command to execute in exec/execSync, and spawn/spawnSync
+		// - the command/file path to execute in execFile/execFileSync
+		// - the module path to fork in fork
+		const firstArgument = params[0] as string;
+		if (firstArgument.includes(goal)) {
+			reportFinding(
+				`Command Injection in ${functionName}(): called with '${firstArgument}'`
+			);
+		}
+		guideTowardsEquality(firstArgument, goal, hookId);
+	};
+
+	registerBeforeHook(functionName, moduleName, false, beforeHook);
+}

packages/bug-detectors/index.ts

@@ -6,10 +6,10 @@
 	},
 	"references": [
 		{
-			"path": "../instrumentor"
+			"path": "../fuzzer"
 		},
 		{
-			"path": "../fuzzer"
+			"path": "../hooking"
 		}
 	]
 }

packages/bug-detectors/internal/command-injection.ts

@@ -191,23 +191,15 @@ yargs(process.argv.slice(2))
 					group: "Fuzzer:",
 					default: 5000,
 				})
-				.array("excludeBugDetectors")
-				.option("excludeBugDetectors", {
+				.array("disable_bug_detectors")
+				.option("disable_bug_detectors", {
 					describe:
-						"A list of bug detectors to exclude. By default all internal " +
+						"A list of patterns to disable internal bug detectors. By default all internal " +
 						"bug detectors are enabled. Following bug detectors are available: " +
 						'"Command Injection"',
 					type: "string",
 					group: "Fuzzer:",
 					default: [],
-				})
-				.option("bugDetectorsSafeMode", {
-					describe:
-						"Bug detectors run in safe mode, which means that the original functions will not " +
-						"be called.",
-					type: "boolean",
-					group: "Fuzzer:",
-					default: false,
 				});
 		},
 		// eslint-disable-next-line @typescript-eslint/no-explicit-any
@@ -231,8 +223,9 @@ yargs(process.argv.slice(2))
 				coverage: args.cov,
 				coverageDirectory: args.cov_dir,
 				coverageReporters: args.cov_reporters,
-				excludeBugDetectors: args.excludeBugDetectors,
-				bugDetectorsSafeMode: args.bugDetectorsSafeMode,
+				disableBugDetectors: args.disable_bug_detectors.map(
+					(s: string) => new RegExp(s)
+				),
 			});
 		}
 	)