CodeIntelligenceTesting / jazzer.js

Coverage-guided, in-process fuzzing for Node.js
https://code-intelligence.com
Apache License 2.0
279 stars 22 forks

Simple fuzzing #766

Open c0ntradicti0n opened 5 months ago

c0ntradicti0n commented 5 months ago

Hello there,

I tried out a bunch of things and I have a question about the instrumentation.

taking this as a target:

module.exports.f = (s) => {
    if (s.indexOf( "a very long string") === 0 )  // VERSION A
    //if (s === "a very long string")             // VERSION B
        throw new Error("FOUND: " + s);
}

using this command:

npx \
    jazzer \
        jazzer-next.js \
        corpus_next \
        -i simple \
        --disable_bug_detectors prototype-pollution \
    -- \
        -create_missing_dirs=1 \
        -print_pcs=1  \
        -only_ascii=1 \
        -reload=1 \
        -jobs=10 \
        -fork=1 \
        -reduce_inputs=0 \
        -shrink=0 \
        -use_value_profile=1 \
        -prefer_small=0 \
        -max_len=5000 \
        -len_control=0 \
        -runs=-1 \
        -print_coverage=1 \
        -rss_limit_mb=20000 \
        -cross_over=0 \
        -data_flow_trace=1 \
        -collect_data_flow=1

and this harness:

const {f} = require("./simple")

module.exports.fuzz = async function (data) {
        f(data.toString())
};

the corpus contains one sample: "a string".

In version B the wanted string, or rather the expected exception, is found very fast, which is nice, but with version A, using "indexOf", it runs forever and no "interesting" samples are put in the corpus dir.

What is the difference, or can I add other instrumentation to make it inspect this too?

oetr commented 5 months ago

indexOf, along with a few other functions of the String class (e.g. startsWith, endsWith, includes), has to be instrumented in a way that lets the fuzzer register the string comparisons happening under the hood. To accomplish this, Jazzer.js' instrumentor has to be extended.
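An added illustration of the mechanism described in the reply above (toy code written for this note, not Jazzer.js code and not from either commenter): a minimal mutation fuzzer that runs version A of the target either blind, or with String.prototype.indexOf wrapped so that every needle it is called with is reported back to the fuzzer and spliced into mutations. The wrapper stands in for what an instrumentation hook on indexOf/startsWith/includes provides. The names `targetA`, `makeIndexOfRecorder`, `mutate`, `fuzz`, the PRNG and the mutation strategy are all assumptions of this toy and say nothing about Jazzer.js internals or libFuzzer's actual mutators.

```javascript
// Toy illustration (not Jazzer.js code): without a comparison hint the fuzzer
// must guess an 18-character prefix blindly; with indexOf hooked, the needle
// becomes a dictionary entry and the crash is found within a few dozen runs.

// Version A of the target from the issue.
function targetA(s) {
  if (s.indexOf("a very long string") === 0) throw new Error("FOUND: " + s);
}

// Records every needle passed to String.prototype.indexOf while installed.
// This is the role an instrumentation hook for indexOf would play (assumed API).
function makeIndexOfRecorder() {
  const needles = new Set();
  const original = String.prototype.indexOf;
  return {
    needles,
    install() {
      String.prototype.indexOf = function (needle, ...rest) {
        if (typeof needle === "string") needles.add(needle);
        return original.call(this, needle, ...rest);
      };
    },
    uninstall() {
      String.prototype.indexOf = original;
    },
  };
}

// mulberry32: small deterministic PRNG so results are reproducible.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// One mutation of the corpus seed: insert/replace/delete a printable ASCII char
// (the -only_ascii=1 world), or, when comparison hints exist, splice a recorded
// needle in at a random offset (what a dictionary-aware mutator does).
function mutate(seed, hints, rng) {
  const pos = Math.floor(rng() * (seed.length + 1));
  if (hints.length > 0 && rng() < 0.5) {
    const needle = hints[Math.floor(rng() * hints.length)];
    return seed.slice(0, pos) + needle + seed.slice(pos);
  }
  const ch = String.fromCharCode(0x20 + Math.floor(rng() * 95));
  const at = seed.length ? pos % seed.length : 0;
  switch (Math.floor(rng() * 3)) {
    case 0:
      return seed.slice(0, pos) + ch + seed.slice(pos); // insert
    case 1:
      return seed.length ? seed.slice(0, at) + ch + seed.slice(at + 1) : ch; // replace
    default:
      return seed.length ? seed.slice(0, at) + seed.slice(at + 1) : seed; // delete
  }
}

// Fuzz loop over a single corpus entry. With useHints the recorder is installed
// around each execution and its needles feed the mutator; without it the
// mutator only ever sees the seed and random characters.
function fuzz(target, { seed = "a string", useHints = false, maxRuns = 2000, rngSeed = 1 } = {}) {
  const rng = mulberry32(rngSeed);
  const recorder = makeIndexOfRecorder();
  let input = seed;
  for (let run = 1; run <= maxRuns; run++) {
    if (useHints) recorder.install();
    try {
      target(input);
    } catch (e) {
      return { found: true, runs: run, input };
    } finally {
      if (useHints) recorder.uninstall();
    }
    input = mutate(seed, useHints ? [...recorder.needles] : [], rng);
  }
  return { found: false, runs: maxRuns, input: null };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("blind :", fuzz(targetA, { useHints: false }));
  console.log("hinted:", fuzz(targetA, { useHints: true }));
}
```

Run it with `node`. The hinted loop reaches the throw as soon as a mutation splices the recorded needle in at offset 0; the blind loop never does, because a single-character edit of "a string" cannot produce an 18-character prefix the fuzzer has no knowledge of. Version B is fast in Jazzer.js for the same reason: the instrumentor rewrites `===` comparisons so the compared strings reach libFuzzer as hints, whereas a call into the native indexOf is opaque until it is hooked in the way the reply describes. As far as I recall, Jazzer.js' core package also exports `guideTowardsContainment` and `guideTowardsEquality` for feeding such hints by hand from a harness, but verify that against the documentation of the version you use.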