bug detectors: track hooks of built-in modules

- in verbose mode, print module names with full path (for non built-in modules only) to make it easier to debug hooked functions

Author: oetr

examples/bug-detectors/path-traversal/fuzz.js

@@ -29,17 +29,20 @@ const { FuzzedDataProvider } = require("@jazzer.js/core");
 module.exports.fuzz = function (data) {
 	// Parse the buffer into a JSZip object. The buffer might have been obtained from an http-request.
 	// See https://stuk.github.io/jszip/documentation/howto/read_zip.html for some examples.
-	JSZip.loadAsync(data)
-		.then(function (zip) {
-			for (const file in zip.files) {
-				// We might want to extract the file from the zip archive and write it to disk.
-				// The loadAsync function should have sanitized the path already.
-				// Here we only construct the absolute path and trigger the path traversal bug.
-				// This issue was fixed in jszip 3.8.0.
-				path.join(__dirname, file);
-			}
-		})
-		.catch(function (err) {
-			// ignore broken zip files
-		});
+	return (
+		JSZip.loadAsync(data)
+			.then((zip) => {
+				for (const file in zip.files) {
+					// We might want to extract the file from the zip archive and write it to disk.
+					// The loadAsync function should have sanitized the path already.
+					// Here we only construct the absolute path and trigger the path traversal bug.
+					// This issue was fixed in jszip 3.8.0.
+					path.join(__dirname, file);
+				}
+			})
+			// eslint-disable-next-line @typescript-eslint/no-unused-vars
+			.catch(() => {
+				/* ignore broken zip files */
+			})
+	);
 };

examples/bug-detectors/path-traversal/package.json

@@ -7,8 +7,7 @@
 		"jszip": "3.7.1"
 	},
 	"scripts": {
-		"bugDetectors": "jazzer fuzz -i fuzz.js -i jszip --timeout=100000000 corpus -- -runs=10000000 -print_final_stats=1 -use_value_profile=1 -max_len=600",
-		"merge": "jazzer fuzz -i jszip --timeout=100000000 --corpus=new --corpus=corpus -- -runs=1 -use_value_profile=1 -merge=1",
+		"fuzz": "jazzer fuzz -i fuzz.js -i jszip corpus -- -runs=10000000 -print_final_stats=1 -use_value_profile=1 -max_len=600 -seed=123456789",
 		"dryRun": "jazzer fuzz --sync -x Error -- -runs=100000 -seed=123456789"
 	},
 	"devDependencies": {

package-lock.json

@@ -13,7 +13,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *
- * Examples showcasing the custom hooks API
  */
 
 export class Finding extends Error {}

packages/bug-detectors/findings.ts

@@ -19,7 +19,7 @@ import { guideTowardsContainment } from "@jazzer.js/fuzzer";
 import { registerBeforeHook } from "@jazzer.js/hooking";
 
 /**
- * Importing this file adds "before-hooks" for all functions in the built-in `child_process` module and guides
+ * Importing this file adds "before-hooks" for all functions in the built-in `fs`, `fs/promises`, and `path` module and guides
  * the fuzzer towards the uniquely chosen `goal` string `"../../jaz_zer"`. If the goal is found in the first argument
  * of any hooked function, a `Finding` is reported.
  */
@@ -36,16 +36,10 @@ const modulesToHook = [
 			"chown",
 			"chownSync",
 			"chmodSync",
-			"copyFile",
-			"copyFileSync",
-			"cp",
-			"cpSync",
 			"createReadStream",
 			"createWriteStream",
 			"exists",
 			"existsSync",
-			"link",
-			"linkSync",
 			"lchmod",
 			"lchmodSync",
 			"lchown",
@@ -69,8 +63,6 @@ const modulesToHook = [
 			"readdirSync",
 			"realpath",
 			"realpathSync",
-			"rename",
-			"renameSync",
 			"rm",
 			"rmSync",
 			"rmdir",
@@ -79,8 +71,6 @@ const modulesToHook = [
 			"statfs",
 			"statfsSync",
 			"statSync",
-			"symlink",
-			"symlinkSync",
 			"truncate",
 			"truncateSync",
 			"unlink",
@@ -101,11 +91,8 @@ const modulesToHook = [
 			"appendFile",
 			"chmod",
 			"chown",
-			"copyFile",
-			"cp",
 			"lchmod",
 			"lchown",
-			"link",
 			"lstat",
 			"lutimes",
 			"mkdir",
@@ -115,12 +102,10 @@ const modulesToHook = [
 			"readlink",
 			"readdir",
 			"realpath",
-			"rename",
 			"rm",
 			"rmdir",
 			"stat",
 			"statfs",
-			"symlink",
 			"truncate",
 			"unlink",
 			"utimes",

packages/bug-detectors/internal/path-traversal.ts

@@ -16,8 +16,7 @@
 	"main": "dist/index.js",
 	"types": "dist/index.d.js",
 	"dependencies": {
-		"@jazzer.js/fuzzer": "*",
-		"@jazzer.js/instrumentor": "*"
+		"@jazzer.js/fuzzer": "*"
 	},
 	"devDependencies": {},
 	"engines": {

packages/bug-detectors/package.json

@@ -63,7 +63,7 @@ export interface Options {
 	coverage: boolean; // Enables source code coverage report generation.
 	coverageDirectory: string;
 	coverageReporters: reports.ReportType[];
-	disableBugDetectors: RegExp[];
+	disableBugDetectors: string[];
 }
 
 interface FuzzModule {
@@ -100,7 +100,9 @@ export async function initFuzzing(options: Options) {
 	// above. However, the path the bug detectors must be the compiled path. For this reason we decided to load them
 	// using this function, which loads each bug detector relative to the bug-detectors directory. E.g., in Jazzer
 	// (without the .js) there is no distinction between custom hooks and bug detectors.
-	await loadBugDetectors(options.disableBugDetectors);
+	await loadBugDetectors(
+		options.disableBugDetectors.map((pattern: string) => new RegExp(pattern))
+	);
 
 	// Built-in functions cannot be hooked by the instrumentor, so we manually hook them here.
 	await hookBuiltInFunctions(hooking.hookManager);
@@ -239,7 +241,7 @@ function stopFuzzing(
 ) {
 	const stopFuzzing = sync ? Fuzzer.stopFuzzing : Fuzzer.stopFuzzingAsync;
 	if (process.env.JAZZER_DEBUG) {
-		hooking.trackedHooks.categorizeUnknown(HookManager.hooks).print();
+		hooking.hookTracker.categorizeUnknown(HookManager.hooks).print();
 	}
 	// Generate a coverage report in fuzzing mode (non-jest). The coverage report for our jest-runner is generated
 	// by jest internally (as long as '--coverage' is set).

packages/core/core.ts

@@ -14,47 +14,136 @@
  * limitations under the License.
  */
 
-/*eslint @typescript-eslint/no-explicit-any: 0 */
+export interface TrackedHook {
+	target: string;
+	pkg: string;
+}
 
-class hookTracker {
-	public applied: Set<string> = new Set();
-	public available: Set<string> = new Set();
-	public notApplied: Set<string> = new Set();
+// HookTracker keeps track of hooks that were applied, are available, and were not applied.
+// This is helpful when debugging custom hooks and bug detectors.
+class HookTracker {
+	private _applied = new HookTable();
+	private _available = new HookTable();
+	private _notApplied = new HookTable();
 
 	print() {
 		console.log("DEBUG: [Hook] Summary:");
-		console.log("DEBUG: [Hook]    Not applied:");
-		[...this.notApplied].sort().forEach((hook) => {
-			console.log(`DEBUG: [Hook]      ${hook}`);
+		console.log("DEBUG: [Hook]    Not applied: " + this._notApplied.length);
+		this._notApplied.serialize().forEach((hook) => {
+			console.log(`DEBUG: [Hook] not applied: ${hook.pkg} -> ${hook.target}`);
 		});
-		console.log("DEBUG: [Hook]    Applied:");
-		[...this.applied].sort().forEach((hook) => {
-			console.log(`DEBUG: [Hook]      ${hook}`);
+		console.log("DEBUG: [Hook]    Applied: " + this._applied.length);
+		this._applied.serialize().forEach((hook) => {
+			console.log(`DEBUG: [Hook] applied:     ${hook.pkg} -> ${hook.target}`);
 		});
-		console.log("DEBUG: [Hook]    Available:");
-		[...this.available].sort().forEach((hook) => {
-			console.log(`DEBUG: [Hook]      ${hook}`);
+		console.log("DEBUG: [Hook]    Available: " + this._available.length);
+		this._available.serialize().forEach((hook) => {
+			console.log(`DEBUG: [Hook] available:   ${hook.pkg} -> ${hook.target}`);
 		});
 	}
 
 	categorizeUnknown(requestedHooks: Hook[]): this {
 		requestedHooks.forEach((hook) => {
-			if (!this.applied.has(hook.target) && !this.available.has(hook.target)) {
-				this.notApplied.add(hook.target);
+			if (
+				!this._applied.has(hook.pkg, hook.target) &&
+				!this._available.has(hook.pkg, hook.target)
+			) {
+				this.addNotApplied(hook.pkg, hook.target);
 			}
 		});
 		return this;
 	}
 
 	clear() {
-		this.applied.clear();
-		this.notApplied.clear();
-		this.available.clear();
+		this._applied.clear();
+		this._notApplied.clear();
+		this._available.clear();
+	}
+
+	addApplied(pkg: string, target: string) {
+		this._applied.add(pkg, target);
+	}
+
+	addAvailable(pkg: string, target: string) {
+		this._available.add(pkg, target);
+	}
+
+	addNotApplied(pkg: string, target: string) {
+		this._notApplied.add(pkg, target);
+	}
+
+	get applied(): TrackedHook[] {
+		return this._applied.serialize();
+	}
+
+	get available(): TrackedHook[] {
+		return this._available.serialize();
+	}
+
+	get notApplied(): TrackedHook[] {
+		return this._notApplied.serialize();
 	}
 }
 
-export const trackedHooks = new hookTracker();
+// Stores package names and names of functions of interest (targets) from that package  [packageName0 -> [target0, ...], ...].
+// This structure is used to keep track of all functions seen during instrumentation and execution of the fuzzing run,
+// to determine which hooks have been applied, are available, and have not been applied.
+class HookTable {
+	hooks: Map<string, Set<string>> = new Map();
+
+	add(pkg: string, target: string) {
+		if (!this.hooks.has(pkg)) {
+			this.hooks.set(pkg, new Set());
+		}
+		this.hooks.get(pkg)?.add(target);
+	}
 
+	has(pkg: string, target: string) {
+		if (!this.hooks.has(pkg)) {
+			return false;
+		}
+		return this.hooks.get(pkg)?.has(target);
+	}
+
+	serialize(): TrackedHook[] {
+		const result: TrackedHook[] = [];
+		for (const [pkg, targets] of [...this.hooks].sort()) {
+			for (const target of [...targets].sort()) {
+				result.push({ pkg: pkg, target: target });
+			}
+		}
+		return result;
+	}
+
+	clear() {
+		this.hooks.clear();
+	}
+
+	get length() {
+		let size = 0;
+		for (const targets of this.hooks.values()) {
+			size += targets.size;
+		}
+		return size;
+	}
+}
+
+export function logHooks(hooks: Hook[]) {
+	hooks.forEach((hook) => {
+		if (process.env.JAZZER_DEBUG) {
+			console.log(
+				`DEBUG: Applied %s-hook in %s#%s`,
+				HookType[hook.type],
+				hook.pkg,
+				hook.target
+			);
+		}
+	});
+}
+
+export const hookTracker = new HookTracker();
+
+/*eslint @typescript-eslint/no-explicit-any: 0 */
 export enum HookType {
 	Before,
 	After,

packages/hooking/hook.ts

@@ -21,6 +21,8 @@ import {
 	HookFn,
 	HookType,
 	ReplaceHookFn,
+	logHooks,
+	hookTracker,
 } from "./hook";
 
 export class MatchingHooksResult {
@@ -247,5 +249,9 @@ export async function hookBuiltInFunction(hook: Hook): Promise<void> {
 			const result: unknown = originalFn(...args);
 			return (hook.hookFunction as AfterHookFn)(null, args, id, result);
 		};
+	} else {
+		throw new Error(`Unknown hook type ${hook.type}`);
 	}
+	logHooks([hook]);
+	hookTracker.addApplied(hook.pkg, hook.target);
 }