Crate jsdet_core

§jsdet — JavaScript Detonation Engine

Sandboxed JavaScript execution for security analysis.

§What it does

Executes JavaScript in a QuickJS engine compiled to WebAssembly, running inside wasmtime. Every API call is intercepted, observed, and controllable. Nothing escapes.

§How to use it

use std::sync::Arc;
use jsdet_core::{CompiledModule, SandboxConfig, EmptyBridge};

let module = CompiledModule::new().unwrap();
let result = module.execute(
    &["console.log('hello')".into()],
    Arc::new(EmptyBridge),
    &SandboxConfig::default(),
).unwrap();

for obs in &result.observations {
    println!("{obs:?}");
}

§Consumers

  • Sear (URL detonation): uses jsdet-browser bridges for document/window/fetch
  • Soleno (extension analysis): uses jsdet-chrome-ext bridges for chrome.* APIs
  • Your tool: implement the Bridge trait to provide any API surface

§Architecture

┌─────────────────────────────────────────────┐
│ Your Rust application                       │
│                                             │
│  CompiledModule::execute(scripts, bridge)   │
│       │                                     │
│       ▼                                     │
│  ┌─────────────────────────────────┐        │
│  │ wasmtime instance               │        │
│  │  ┌───────────────────────┐      │        │
│  │  │ QuickJS (WASM)        │      │        │
│  │  │                       │      │        │
│  │  │ JS calls fetch() ─────┼──────┼──► Bridge::call("fetch", args)
│  │  │                  ◄────┼──────┼─── returns fake response
│  │  │                       │      │        │
│  │  │ JS calls eval() ──────┼──────┼──► Observation::DynamicCodeExec
│  │  │                       │      │        │
│  │  └───────────────────────┘      │        │
│  │  Linear memory: isolated        │        │
│  │  Fuel metering: bounded         │        │
│  │  Syscalls: zero                 │        │
│  └─────────────────────────────────┘        │
│                                             │
│  Vec<Observation> ← what the code DID       │
└─────────────────────────────────────────────┘
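
The interception flow in the diagram, as a stand-alone model added here (it is not jsdet_core code). `ModelBridge`, `ModelObservation`, `CannedBridge`, `dispatch` and the replayed call trace are hypothetical stand-ins, because this page does not show the real `Bridge` or `Observation` signatures.

```rust
use std::collections::HashMap;

// Stand-in types for illustration only: NOT jsdet_core's real Bridge or
// Observation definitions, whose signatures this page does not show.
#[derive(Debug, PartialEq)]
pub enum ModelObservation {
    ApiCall { api: String, args: Vec<String> },
    DynamicCodeExec { source: String },
    Denied { api: String },
}

pub trait ModelBridge {
    /// Fake response for `api`, or None when that surface is not provided.
    fn call(&self, api: &str, args: &[String]) -> Option<String>;
}

/// Bridge that only ever answers from a table of canned responses.
pub struct CannedBridge(pub HashMap<String, String>);

impl ModelBridge for CannedBridge {
    fn call(&self, api: &str, _args: &[String]) -> Option<String> {
        self.0.get(api).cloned()
    }
}

/// Single choke point for guest calls: record first, then answer or deny.
pub fn dispatch(bridge: &dyn ModelBridge, api: &str, args: &[String],
                log: &mut Vec<ModelObservation>) -> Option<String> {
    if api == "eval" {
        // Dynamic code is observed only; it never reaches a host implementation.
        log.push(ModelObservation::DynamicCodeExec { source: args.join("") });
        return None;
    }
    log.push(ModelObservation::ApiCall { api: api.into(), args: args.to_vec() });
    let reply = bridge.call(api, args);
    if reply.is_none() {
        log.push(ModelObservation::Denied { api: api.into() });
    }
    reply
}

/// Replays a constructed sequence of guest calls; returns replies and the log.
pub fn run_constructed_trace() -> (Vec<Option<String>>, Vec<ModelObservation>) {
    let bridge = CannedBridge(HashMap::from([("fetch".to_string(), "HTTP 200 (fake)".to_string())]));
    let calls = [("fetch", "https://example.invalid/stage2.js"), ("eval", "stage2()"), ("fs.readFile", "/etc/hostname")];
    let mut log = Vec::new();
    let replies: Vec<_> = calls.iter().map(|(api, arg)| dispatch(&bridge, api, &[arg.to_string()], &mut log)).collect();
    (replies, log)
}

fn main() { println!("{:#?}", run_constructed_trace()); }
```

In this model, a call with no bridge entry is still logged before it is denied, so the observation list records attempted behaviour as well as behaviour that received a response.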

§Re-exports

pub use bridge::Bridge;
pub use bridge::CompositeBridge;
pub use bridge::EmptyBridge;
pub use bridge::Hook;
pub use bridge::HookedBridge;
pub use config::SandboxConfig;
pub use context::ContextId;
pub use context::ContextMessage;
pub use context::MessageBus;
pub use error::Error;
pub use error::Result;
pub use observation::Observation;
pub use observation::TaintFlow;
pub use observation::TaintLabel;
pub use observation::TaintedValue;
pub use observation::Value;
pub use sandbox::CompiledModule;
pub use sandbox::ExecutionResult;
pub use taint::Severity;
pub use taint::Sink;
pub use taint::Source;
pub use taint::TaintTracker;
pub use taint::propagate_concat;
pub use taint::propagate_json_parse;
pub use taint::propagate_json_stringify;
pub use taint::propagate_replace;
pub use taint::propagate_slice;
pub use coverage::CoverageAccumulator;
pub use coverage::CoverageReport;
pub use persistent::PersistentSandbox;
pub use streaming::BatchCollector;
pub use streaming::ControlFlow;
pub use streaming::CountingSink;
pub use streaming::EarlyStopSink;
pub use streaming::ObservationSink;
pub use vulnir_producer::JsdetProducer;
pub use vulnir_producer::ToVulnIR;
pub use vulnir_producer::to_vulnir_graph;

§Modules

bridge
config
context
coverage
error
nested_wasm
observation
persistent
sandbox
streaming
taint: Taint tracking for the jsdet core.
timer
vulnir_producer: VulnIR producer implementation for jsdet.