The Node.js Thrift implementation uses Jazzer.js for fuzzing. Jazzer.js is a coverage-guided, in-process fuzzer for JavaScript that integrates with libFuzzer.

Install it as a development dependency:

```shell
npm install --save-dev @jazzer.js/core
```
The Node.js Thrift implementation currently supports the following fuzz targets:

- fuzz_parse_TJSONProtocol.js - fuzzes the deserialization of the JSON protocol
- fuzz_roundtrip_TJSONProtocol.js - fuzzes the roundtrip of the JSON protocol (serialize -> deserialize -> compare)
- fuzz_parse_TBinaryProtocol.js - fuzzes the deserialization of the Binary protocol
- fuzz_roundtrip_TBinaryProtocol.js - fuzzes the roundtrip of the Binary protocol
- fuzz_parse_TCompactProtocol.js - fuzzes the deserialization of the Compact protocol
- fuzz_roundtrip_TCompactProtocol.js - fuzzes the roundtrip of the Compact protocol

To run a fuzzer, use the Jazzer.js CLI:

```shell
npx jazzer ./fuzz_parse_TJSONProtocol.js --corpus=./corpus
```

Where:

- --corpus points to a directory containing seed inputs (optional)

You can use the corpus generator from the Rust implementation to generate initial corpus files for these Node.js fuzzers. For the JSON protocol fuzzers, make sure the corpus contains valid JSON data.
To add a new fuzzer:

1. Create a new file in the fuzz directory.
2. Require the helpers from fuzz_common.js.
3. Export a fuzz function that takes a Buffer parameter.
4. Build that function with createParserFuzzer or createRoundtripFuzzer, passing the appropriate protocol factory.

Example:

```javascript
// Library import added for completeness; the fuzz directory may resolve
// the thrift library through a relative path instead.
const thrift = require('thrift');
const { createParserFuzzer } = require('./fuzz_common');

// Jazzer.js calls the exported fuzz function once per generated input Buffer.
module.exports.fuzz = createParserFuzzer((transport) => {
  return new thrift.TJSONProtocol(transport);
});
```
For more information about Jazzer.js and its options, see the Jazzer.js documentation.