{"id":13495083,"url":"https://github.com/fuzzitdev/jsfuzz","last_synced_at":"2025-03-28T16:31:20.806Z","repository":{"id":48521573,"uuid":"215640586","full_name":"fuzzitdev/jsfuzz","owner":"fuzzitdev","description":"coverage guided fuzz testing for javascript","archived":true,"fork":false,"pushed_at":"2021-04-30T03:40:55.000Z","size":158,"stargazers_count":607,"open_issues_count":6,"forks_count":48,"subscribers_count":14,"default_branch":"master","last_synced_at":"2024-10-31T10:36:26.464Z","etag":null,"topics":["fuzz-testing","fuzzer","fuzzing","javascript","testing"],"latest_commit_sha":null,"homepage":"https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/fuzzitdev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"github":"yevgenypats"}},"created_at":"2019-10-16T20:40:29.000Z","updated_at":"2024-10-27T20:27:29.000Z","dependencies_parsed_at":"2022-09-15T05:40:41.284Z","dependency_job_id":null,"html_url":"https://github.com/fuzzitdev/jsfuzz","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fuzzitdev%2Fjsfuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fuzzitdev%2Fjsfuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fuzzitdev%2Fjsfuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/fuzzitdev%2Fjsfuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/fuzzitdev","down
load_url":"https://codeload.github.com/fuzzitdev/jsfuzz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246062743,"owners_count":20717682,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["fuzz-testing","fuzzer","fuzzing","javascript","testing"],"created_at":"2024-07-31T19:01:31.049Z","updated_at":"2025-03-28T16:31:19.961Z","avatar_url":"https://github.com/fuzzitdev.png","language":"TypeScript","readme":"\nfuzzit.dev was [acquired](https://about.gitlab.com/press/releases/2020-06-11-gitlab-acquires-peach-tech-and-fuzzit-to-expand-devsecops-offering.html) by GitLab, and the new home of this repo is [here](https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers/jsfuzz).\n\n# Jsfuzz: coverage-guided fuzz testing for JavaScript\n\nJsfuzz is a coverage-guided [fuzzer](https://developer.mozilla.org/en-US/docs/Glossary/Fuzzing) for testing JavaScript/Node.js packages.\n\nFuzzing memory-safe languages such as JavaScript is a powerful strategy for finding unhandled exceptions, logic bugs, security bugs that arise from those logic bugs, and Denial-of-Service conditions caused by hangs and excessive memory usage.\n\nFuzzing complements classic unit tests as a powerful and efficient way to test real-world software.\n\n## Usage\n\n### Fuzz Target\n\nThe first step is to implement the following function (also called a fuzz target):\n\n```javascript\nfunction fuzz(buf) {\n  // call your package with buf\n}\nmodule.exports = {\n    fuzz\n};\n```\n\nFeatures of the fuzz target:\n\n* Jsfuzz will call the fuzz target in 
an infinite loop, in a separate worker process, passing random data chosen by the coverage-guided algorithm as `buf`.\n* The function must catch and ignore any expected exceptions that arise when invalid input is passed to the tested package.\n* The fuzz target must call the function/library under test with the passed buffer, or with a transformation of it if the library expects a different structure or type.\n* Fuzz functions can also implement application-level checks to catch logic bugs. For example: decode the buffer with the library under test, encode the result again, and check that both are equal. To report such a bug, the function should throw an exception.\n* Jsfuzz reports every unhandled exception as a crash, and likewise any input that hits the memory limit given to jsfuzz or runs longer than the per-testcase timeout.\n\nHere is an example of a simple fuzz function for the `jpeg-js` module.\n\n```javascript\nconst jpeg = require('jpeg-js');\n\nfunction fuzz(buf) {\n    try {\n        jpeg.decode(buf);\n    } catch (e) {\n        // Those are \"valid\" exceptions. 
We can't catch them in one line as\n        // jpeg-js doesn't export/inherit from one exception class/style,\n        // so expected decode errors are matched on their message instead.\n        const expected = ['JPEG', 'length octect', 'Failed to', 'DecoderBuffer',\n            'invalid table spec', 'SOI not found'];\n        const msg = String(e.message);\n        if (!expected.some(s =\u003e msg.indexOf(s) !== -1)) {\n            // Anything else is unexpected: re-throw so jsfuzz records a crash.\n            throw e;\n        }\n    }\n}\n\nmodule.exports = {\n    fuzz\n};\n```\n\n### Running\n\nThe next step is to install jsfuzz and run it with your fuzz target; the optional second argument is the corpus directory:\n\n```bash\nnpm i -g jsfuzz\njsfuzz ./examples/jpeg/fuzz.js corpus\n\n# Output:\n#0 READ units: 0\n#1 NEW     cov: 61 corp: 0 exec/s: 1 rss: 23.37 MB\n#23320 PULSE     cov: 61 corp: 1 exec/s: 10614 rss: 35.3 MB\n#96022 NEW     cov: 70 corp: 1 exec/s: 11320 rss: 129.95 MB\n#96971 NEW     cov: 78 corp: 2 exec/s: 10784 rss: 129.95 MB\n#97046 NEW     cov: 79 corp: 3 exec/s: 9375 rss: 129.95 MB\n#97081 NEW     cov: 81 corp: 4 exec/s: 11666 rss: 129.95 MB\n#97195 NEW     cov: 93 corp: 5 exec/s: 9500 rss: 129.95 MB\n#97216 NEW     cov: 97 corp: 6 exec/s: 10500 rss: 129.95 MB\n#97238 NEW     cov: 102 corp: 7 exec/s: 11000 rss: 129.95 MB\n#97303 NEW     cov: 108 corp: 8 exec/s: 10833 rss: 129.96 MB\n#97857 PULSE     cov: 108 corp: 9 exec/s: 225 rss: 129.96 MB\n#97857 PULSE     cov: 108 corp: 9 exec/s: 0 rss: 940.97 MB\n#97857 PULSE     cov: 108 corp: 9 exec/s: 0 rss: 1566.01 MB\n#97857 PULSE     cov: 108 corp: 9 exec/s: 0 rss: 2053.49 MB\nMEMORY OOM: exceeded 2048 MB. 
Killing worker\nWorker killed\ncrash was written to crash-819587841e3c275338593b0d195b6163d5208866870e2abf3be8cfc781d2688d\ncrash(hex)=ffd8ffc09dfdb0ffff0e5296bd7fbbc4f9579096bd7fbbfc0e80d50000ffff36fa400100236701bf73ffaf8003a57f097f5e000000008023c4f9579096bd7fbb008000001500b34e8c018fda5212\n```\n\nThis example quickly finds an input that makes `jpeg-js` hang while allocating memory without bound. Once the worker exceeds the memory limit, jsfuzz kills it, saves the input to a `crash-` file named after its hash, and prints the same bytes as hex so the crash can be replayed.\n\n### Corpus\n\nJsfuzz generates and tests inputs in an infinite loop. `corpus` is an optional directory: generated test cases are saved there, so later runs can resume from the same point and the directory can serve as a seed corpus.\n\nJsfuzz can also start with an empty directory (i.e. no seed corpus), though a few valid test cases in the seed corpus may speed up fuzzing substantially.\n\njsfuzz mimics some of the arguments and output style of [libFuzzer](https://llvm.org/docs/LibFuzzer.html).\n\nMore fuzz target examples (for real, popular libraries) are located under the examples directory, and the bugs found with those targets are listed in the Trophies section.\n\n### Coverage\n\nCoverage in Istanbul/NYC format is written to `.nyc_output/out.json`. It can be viewed with the `nyc` CLI. 
For example:\n\n```bash\nnyc report --reporter=html --exclude-node-modules=false\n```\n\nThis writes the HTML report to the `coverage` directory.\n\n## Other languages\n\nThis library has also been ported to Python as [pythonfuzz](https://github.com/fuzzitdev/pythonfuzz).\n\n## Credits \u0026 Acknowledgments\n\njsfuzz's logic is heavily based on [go-fuzz](https://github.com/dvyukov/go-fuzz), originally developed by [Dmitry Vyukov](https://twitter.com/dvyukov), which is in turn heavily based on [Michal Zalewski](https://twitter.com/lcamtuf)'s [AFL](http://lcamtuf.coredump.cx/afl/).\n\nA previous take on this was https://github.com/connor4312/js-fuzz, with a somewhat different design, coverage approach and interface, but it appears to be unmaintained.\n\nFor coverage, jsfuzz uses the [istanbuljs](https://istanbul.js.org) instrumentation and coverage library.\n\n## Contributions\n\nContributions are welcome! :) There are still a lot of things to improve, and tests and features to add. We will slowly post those in the\nissues section. 
Before starting any major contribution, please open an issue so we can discuss it and help guide the process before any unnecessary work is done.\n\n## Trophies\n* [jpeg-js: OOM/DoS](https://github.com/eugeneware/jpeg-js/issues/53)\n* [@webassemblyjs/wast-parser: Crash/TypeError](https://github.com/xtuc/webassemblyjs/issues/669)\n* [decompress: Crash/TypeError](https://github.com/kevva/decompress/issues/72)\n* [qs: logic bug/inequality](https://github.com/ljharb/qs/issues/340)\n* [js-yaml: Crash/TypeError](https://github.com/nodeca/js-yaml/issues/524)\n* [js-yaml: Crash/TypeError](https://github.com/nodeca/js-yaml/issues/525)\n* [asciidoctor: Hang/DoS](https://github.com/asciidoctor/asciidoctor/issues/3472)\n* [deanm/omggif: Crash/TypeError](https://github.com/deanm/omggif/issues/41)\n* [Leonidas-from-XIV/node-xml2js: Crash/TypeError](https://github.com/Leonidas-from-XIV/node-xml2js/issues/544)\n\n**Feel free to add bugs you found with jsfuzz to this list via pull request.**\n","funding_links":["https://github.com/sponsors/yevgenypats"],"categories":["Fuzzing","TypeScript","Vulnerabilities\u0026\u0026Vulnerability Management\u0026\u0026Vulnerability Discovery/Hunting\u0026\u0026Vulnerability Development\u0026\u0026Vulnerability Exploitation\u0026\u0026Fuzzing"],"sub_categories":["Functionality"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffuzzitdev%2Fjsfuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffuzzitdev%2Fjsfuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffuzzitdev%2Fjsfuzz/lists"}