refactor: clean slate for path traversal

Author: 434b

examples/bug-detectors-path-traversal/fuzz.js

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2023 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+const jsonfile = "jsonfile";
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { readFileSync } = require(jsonfile);
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { FuzzedDataProvider } = require("@jazzer.js/core");
+
+/**
+ * @param { Buffer } data
+ */
+module.exports.fuzz = function (data) {
+	try {
+		if (data.length === 0) return;
+		const provider = new FuzzedDataProvider(data);
+		const str1 = provider.consumeString(provider.consumeIntegralInRange(1, 20));
+		readFileSync(str1);
+	} catch (e) {
+		if (!ignoredError(e)) throw e;
+	}
+};
+
+/**
+ * @param { Error } error
+ */
+function ignoredError(error) {
+	return !!ignored.find((message) => error.message.includes(message));
+}
+
+const ignored = ["ENOENT", "EISDIR", "The argument 'path'"];

examples/bug-detectors-path-traversal/package.json

@@ -0,0 +1,16 @@
+{
+	"name": "custom-hooks-bd",
+	"version": "1.0.0",
+	"main": "fuzz.js",
+	"license": "ISC",
+	"dependencies": {
+		"jsonfile": "^6.1.0"
+	},
+	"scripts": {
+		"fuzz": "jazzer fuzz -i jsonfile --timeout=100000000 --sync -x Error -- -runs=100000",
+		"dryRun": "jazzer fuzz --sync -x Error -- -runs=100000 -seed=123456789"
+	},
+	"devDependencies": {
+		"@jazzer.js/core": "file:../../packages/core"
+	}
+}

package-lock.json

@@ -0,0 +1,41 @@
+import {
+	BugDetectorError,
+	hookBuiltInFunction,
+	saveFirstBugDetectorError,
+} from "./index";
+import { nextFakePC } from "@jazzer.js/instrumentor/dist/plugins/helpers";
+import { guideTowardsEquality } from "@jazzer.js/fuzzer";
+
+export async function registerBasicBugDetector<
+	F extends (...args: unknown[]) => unknown
+>(
+	moduleName: string,
+	targetFunctionName: string,
+	evilCommand: string,
+	baseErrorString: string,
+	callOriginalFn: boolean
+): Promise<F> {
+	const id = nextFakePC();
+	return await hookBuiltInFunction(
+		moduleName,
+		targetFunctionName,
+		(originalFn: F, cmdOrFileOrPath: string, ...args: unknown[]): F | void => {
+			if (cmdOrFileOrPath.includes(evilCommand)) {
+				const err = new BugDetectorError(
+					baseErrorString +
+						targetFunctionName +
+						"() called with command: '" +
+						cmdOrFileOrPath +
+						"'"
+				);
+				// Remove the first 3 lines after the message from the stack trace.
+				// The first lines are internal Jazzer function calls.
+				saveFirstBugDetectorError(err, 3);
+			}
+			guideTowardsEquality(cmdOrFileOrPath, evilCommand, id);
+			if (callOriginalFn) {
+				return originalFn(cmdOrFileOrPath, ...args) as unknown as F;
+			}
+		}
+	);
+}

packages/bug-detectors/basic-detector.ts

@@ -0,0 +1,116 @@
+/*
+ * Copyright 2023 Code Intelligence GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+export class BugDetectorError extends Error {}
+// Register bug detectors based on the provided list of bug detectors
+// eslint-disable-next-line @typescript-eslint/ban-types
+import { registerPathTraversalBugDetectors } from "./path-traversal";
+
+interface BugDetector {
+	[key: string]: (callOriginalFn: boolean) => Promise<void>;
+}
+
+const bugDetectorRegistry: BugDetector = {
+	pathTraversal: registerPathTraversalBugDetectors,
+};
+
+/**
+ * Registers bug detectors based on the provided list of bug detectors.
+ */
+export async function registerBugDetectors(
+	detectorNames: string[]
+): Promise<void> {
+	const registeredBugDetectors: Set<string> = new Set();
+
+	for (const detectorName of detectorNames) {
+		if (registeredBugDetectors.has(detectorName)) {
+			continue;
+		}
+
+		const detector = bugDetectorRegistry[detectorName];
+		if (detector) {
+			registeredBugDetectors.add(detectorName);
+			await detector(true);
+		} else {
+			console.error(`Unknown bug detector: ${detectorName}`);
+		}
+	}
+}
+
+/**
+ * Replaces a built-in function with a custom implementation while preserving
+ * the original function for potential use within the replacement function.
+ *
+ * @param moduleName - The name of the module containing the target function.
+ * @param targetFnName - The name of the target function to be replaced.
+ * @param replacementFn - The replacement function that will be called instead
+ *                        of the original function. The first argument passed
+ *                        to the replacement function will be the original function,
+ *                        followed by any arguments that were originally passed
+ *                        to the target function.
+ * @returns A promise that resolves to the original function that was replaced.
+ * @throws Will throw an error if the module cannot be imported.
+ *
+ * @example
+ * const originalExec = await hookBuiltInFunction(
+ *   "child_process",
+ *   "exec",
+ *   (originalFn: Function, cmd: string, options: object, callback: Function) => {
+ *     console.log("Custom implementation called with command:", cmd);
+ *     return originalFn(cmd, options, callback);
+ *   }
+ * );
+ */
+export async function hookBuiltInFunction<
+	// eslint-disable-next-line @typescript-eslint/ban-types
+	F extends Function,
+	// eslint-disable-next-line @typescript-eslint/ban-types
+	K extends Function
+>(moduleName: string, targetFnName: string, replacementFn: F): Promise<K> {
+	const { default: module } = await import(moduleName);
+	const originalFn = module[targetFnName];
+	module[targetFnName] = (...args: unknown[]) =>
+		replacementFn(originalFn, ...args);
+	return originalFn;
+}
+
+// The first error to be found by any bug detector will be saved here.
+// This is a global variable shared between the core-library (read, reset) and the bug detectors (write).
+// It will be reset after the fuzzer has processed an input (only relevant for modes where the fuzzing
+// continues after finding an error, e.g. fork mode, Jest regression mode, fuzzing that ignores errors mode, etc.).
+let firstBugDetectorError: BugDetectorError | undefined;
+
+export function getFirstBugDetectorError(): BugDetectorError | undefined {
+	return firstBugDetectorError;
+}
+
+// Clear the error saved by the bug detector before the fuzzer continues with a new input.
+export function clearFirstBugDetectorError(): void {
+	firstBugDetectorError = undefined;
+}
+
+export function saveFirstBugDetectorError(
+	error: BugDetectorError,
+	trimErrorStackLines = 0
+): void {
+	// After an error has been saved, ignore all subsequent errors.
+	if (firstBugDetectorError) {
+		return;
+	}
+	error.stack = error.stack?.split("\n").slice(trimErrorStackLines).join("\n");
+	firstBugDetectorError = error;
+	throw error;
+}

packages/bug-detectors/index.ts

@@ -0,0 +1,28 @@
+{
+	"name": "@jazzer.js/bug-detectors",
+	"version": "1.4.0",
+	"description": "Jazzer.js bug detectors",
+	"homepage": "https://github.com/CodeIntelligenceTesting/jazzer.js#readme",
+	"author": "Code Intelligence",
+	"license": "Apache-2.0",
+	"bugs": {
+		"url": "https://github.com/CodeIntelligenceTesting/jazzer.js/issues"
+	},
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/CodeIntelligenceTesting/jazzer.js.git",
+		"directory": "packages/bug-detectors"
+	},
+	"main": "dist/index.js",
+	"types": "dist/index.d.js",
+	"dependencies": {
+		"@jazzer.js/fuzzer": "*",
+		"@jazzer.js/hooking": "*",
+		"@jazzer.js/instrumentor": "*"
+	},
+	"devDependencies": {},
+	"engines": {
+		"node": ">= 14.0.0",
+		"npm": ">= 7.0.0"
+	}
+}