Skip to content

omaidf/rscfuzz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
corpus
corpus
 
 
crashes
crashes
 
 
fuzz
fuzz
 
 
scripts
scripts
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

React Server Components Protocol Fuzzer

Coverage-guided fuzzer for React Server Components Flight protocol using Jazzer.js.

What This Fuzzes

Target: react-server-dom-webpack - React's Flight protocol implementation

The Flight protocol is the wire format React uses to communicate between server and client components. It handles:

  • Server Actions (form submissions, mutations)
  • Server-to-client data streaming
  • Client-to-server argument passing

Attack Surface

Function Direction What it does
decodeReply() client→server Deserialize arguments
decodeReplyFromAsyncIterable() client→server Streaming deserialization
createFromReadableStream() server→client Parse server response

Quick Start

npm install
npm run generate:seeds
npm run fuzz

Press Ctrl+C to stop. Crashes saved to crashes/.

Commands

Fuzzing

Command Target Description
npm run fuzz decodeReply() Main server-side fuzzer
npm run fuzz:stream decodeReplyFromAsyncIterable() Streaming input fuzzer
npm run fuzz:traversal decodeReply() Property path patterns ($N:path)
npm run fuzz:client createFromReadableStream() Client-side fuzzer

Analysis

Command Description
npm run crash:triage Analyze and prioritize crashes
npm run crash:replay <file> Replay a specific crash
npm run coverage Show corpus feature coverage

Project Structure

├── fuzz/
│   ├── FuzzFlightProtocol.js   # Server-side decodeReply
│   ├── FuzzFlightStream.js     # Streaming input
│   ├── FuzzColonTraversal.js   # Property path traversal
│   ├── FuzzClientStream.js     # Client-side parsing
│   └── flight.dict             # libFuzzer dictionary
├── corpus/
│   ├── protocol/               # Seeds for main fuzzer
│   ├── stream/                 # Seeds for streaming fuzzer
│   └── traversal/              # Seeds for traversal fuzzer
├── crashes/                    # Crash artifacts
└── scripts/
    ├── generateSeeds.js        # Seed generator
    ├── triageCrashes.js        # Crash analysis
    └── replayCrash.js          # Crash replay

Flight Protocol Reference

FormData Structure

"0" = payload (arguments)
"1" = chunk 1 (referenced by $1)
"2" = chunk 2 (referenced by $2)
...

Reference Syntax

Pattern Meaning
$1 Reference chunk 1
$1:a:b chunk1["a"]["b"]
$undefined undefined value
$Infinity Infinity
$B0 Blob reference
$T0 TypedArray reference

Seed Format

Seeds contain both chunks and payload:

byte 0:     num_chunks (1-5)
remaining:  chunk1 | chunk2 | ... | payload (split evenly)

The fuzzer can mutate both chunk content AND payload.

What Bugs This Finds

  • Property traversal crashes ($1:nonexistent:path)
  • Prototype pollution ($1:__proto__)
  • Parser edge cases
  • Type confusion
  • Client-side parsing bugs

Requirements

  • Node.js >= 18
  • npm

License

MIT

About

React Server Components Fuzzer

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages