-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug detectors: command injection #407
Conversation
fd6bc96
to
0e9f796
Compare
0047cca
to
0539bcf
Compare
One more thing. Could you please update the PR name and description and try to merge related changes into dedicated commits? |
e864058
to
4e6deef
Compare
ee1c423
to
4176b67
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks quite good! I only added a few comments regarding safe mode and disabling bug detectors. Could you please start some documentation on bug detectors in general and the available one in particular as well?
82c7d05
to
594488b
Compare
594488b
to
017b392
Compare
d74262d
to
2d39eb6
Compare
…leanup directories - fix: clean up helpers.js and add type annotations - fix: cleanup examples directory - feat: introduce a common interface to register a new bug detector - chore: rename command injection file - docs: add doc-strings to the bug-detector interface - chore: remove unnessary comment - refactor: formatting - refactor: break up long wrapper function into 2 pieces
- Also defer solving the problem of hooking functions used by Jazzer.js internally into the future
- change target string from "touch EVIL" to "jaz_zer" - some child_process methods need extra args on windows - test bugfix: fix "env" to not run all jest tests in fuzzing mode - jest runner prints the error; Jest returns "1" on failure - handle different exit codes in tests on Windows and Linux - split tests into general tests and tests for specific bug detectors
- use the new hooking framework internally for the command injection bug detector - always wrap the function for jest - improve naming, add comments, remove unused - ignore errors when hooking built-in functions - add a flag to disable bug detectors using patterns - add a config in the package.json of the bug detector example that uses custom hooks to detect a finding - clean the stack of the error messages properly
2d39eb6
to
a4fcd2b
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great addition! Thanks for all the work you put into this PR.
This adds two features: 1) Jazzer.js now has a command injection bug detector; 2) the hooking framework now supports hooking builtin Node.js functions.