CodeIntelligenceTesting
diff --git a/‎packages/bug-detectors/internal/remote-code-execution.ts‎
Lines changed: 54 additions & 26 deletions b/‎packages/bug-detectors/internal/remote-code-execution.ts‎
Lines changed: 54 additions & 26 deletions
@@ -14,33 +14,56 @@
  * limitations under the License.
  */
 
+import type { Context } from "vm";
+
 import {
+	getJazzerJsGlobal,
 	guideTowardsContainment,
 	reportAndThrowFinding,
 } from "@jazzer.js/core";
-import { callSiteId, registerBeforeHook } from "@jazzer.js/hooking";
+import { registerBeforeHook } from "@jazzer.js/hooking";
+
+const CANARY_NAME = "jaz_zer";
+
+// Global canary that fires when eval'd/Function'd code actually executes the
+// identifier, not when it merely appears in source text (no false positives on
+// quoted occurrences). Uses a getter so bare reads like `+ (jaz_zer) +` from
+// template-engine expression injection also trigger it.
+const canaryDescriptor: PropertyDescriptor = {
+	get() {
+		reportAndThrowFinding(
+			"Remote Code Execution\n" +
+				"    attacker-controlled code accessed globalThis.jaz_zer",
+		);
+	},
+	enumerable: false,
+	configurable: false,
+};
+
+Object.defineProperty(globalThis, CANARY_NAME, canaryDescriptor);
 
-const targetString = "jaz_zer";
+// In Jest, fuzz targets run inside a vm.Context sandbox with its own global
+// scope. The canary must be visible there too, or code compiled by the
+// sandbox's Function constructor won't resolve it.
+const vmContext = getJazzerJsGlobal<Context>("vmContext");
+if (vmContext) {
+	Object.defineProperty(vmContext, CANARY_NAME, canaryDescriptor);
+}
+
+// Guidance: before-hooks steer the fuzzer toward getting the canary name into
+// eval/Function bodies. Detection itself is handled entirely by the canary.
 
 registerBeforeHook(
 	"eval",
 	"",
 	false,
 	function beforeEvalHook(_thisPtr: unknown, params: string[], hookId: number) {
 		const code = params[0];
-		// This check will prevent runtime TypeErrors should the user decide to call Function with
-		// non-string arguments.
-		// noinspection SuspiciousTypeOfGuard
-		if (typeof code === "string" && code.includes(targetString)) {
-			reportAndThrowFinding(
-				"Remote Code Execution\n" + `    using eval:\n        '${code}'`,
-			);
+		// eval with non-string arguments is a no-op (returns the argument as-is),
+		// so guidance is only meaningful for actual strings.
+		if (typeof code === "string") {
+			guideTowardsContainment(code, CANARY_NAME, hookId);
 		}
-
-		// Since we do not hook eval using the hooking framework, we have to recompute the
-		// call site ID on every call to eval. This shouldn't be an issue, because eval is
-		// considered evil and should not be called too often, or even better -- not at all!
-		guideTowardsContainment(code, targetString, hookId);
 	},
 );
 
@@ -53,19 +76,24 @@ registerBeforeHook(
 		params: string[],
 		hookId: number,
 	) {
-		if (params.length > 0) {
-			const functionBody = params[params.length - 1];
+		if (params.length === 0) return;
 
-			// noinspection SuspiciousTypeOfGuard
-			if (typeof functionBody === "string") {
-				if (functionBody.includes(targetString)) {
-					reportAndThrowFinding(
-						"Remote Code Execution\n" +
-							`    using Function:\n        '${functionBody}'`,
-					);
-				}
-				guideTowardsContainment(functionBody, targetString, hookId);
-			}
+		// The Function constructor coerces every argument to string via ToString().
+		// Template engines (e.g. Handlebars) pass non-string objects like SourceNode
+		// whose toString() yields executable code. Coerce here to match V8's
+		// behavior so guidance works for those cases too.
+		const lastParam = params[params.length - 1];
+		if (lastParam == null) return;
+
+		let bodyStr: string;
+		try {
+			bodyStr = String(lastParam);
+		} catch {
+			// toString() would also throw inside the Function constructor, so
+			// no code will be compiled, no RCE risk, no guidance needed.
+			return;
 		}
+
+		guideTowardsContainment(bodyStr, CANARY_NAME, hookId);
 	},
 );