2026-05-17 16:37:20 -05:00
|
|
|
//! Concrete [`super::FrameworkAdapter`] implementations.
|
|
|
|
|
//!
|
2026-05-17 18:51:13 -05:00
|
|
|
//! Phase 03 (Track J.1) landed the first four adapters — one per
|
|
|
|
|
//! language carrying the `Cap::DESERIALIZE` corpus. Phase 04 (Track
|
|
|
|
|
//! J.2) adds five more, one per template engine carrying the
|
|
|
|
|
//! `Cap::SSTI` corpus: Jinja2 (Python), ERB (Ruby), Twig (PHP),
|
|
|
|
|
//! Thymeleaf (Java), Handlebars (JavaScript). Each adapter detects
|
|
|
|
|
//! the language's canonical sink inside a function body and stamps a
|
|
|
|
|
//! [`super::FrameworkBinding`] with
|
2026-05-17 16:37:20 -05:00
|
|
|
//! [`crate::evidence::EntryKind::Function`]. Track L.1+ will register
|
2026-05-17 18:51:13 -05:00
|
|
|
//! the route / framework adapters; the per-cap sink adapters live
|
|
|
|
|
//! here so the per-language verticals can ship independently.
|
2026-05-17 16:37:20 -05:00
|
|
|
|
|
|
|
|
pub mod java_deserialize;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub mod java_thymeleaf;
|
|
|
|
|
pub mod js_handlebars;
|
2026-05-17 22:32:44 -05:00
|
|
|
pub mod ldap_php;
|
|
|
|
|
pub mod ldap_python;
|
|
|
|
|
pub mod ldap_spring;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub mod php_twig;
|
2026-05-17 16:37:20 -05:00
|
|
|
pub mod php_unserialize;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub mod python_jinja2;
|
2026-05-17 16:37:20 -05:00
|
|
|
pub mod python_pickle;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub mod ruby_erb;
|
2026-05-17 16:37:20 -05:00
|
|
|
pub mod ruby_marshal;
|
2026-05-17 20:39:12 -05:00
|
|
|
pub mod xxe_go;
|
|
|
|
|
pub mod xxe_java;
|
|
|
|
|
pub mod xxe_php;
|
|
|
|
|
pub mod xxe_python;
|
|
|
|
|
pub mod xxe_ruby;
|
2026-05-17 16:37:20 -05:00
|
|
|
|
|
|
|
|
pub use java_deserialize::JavaDeserializeAdapter;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub use java_thymeleaf::JavaThymeleafAdapter;
|
|
|
|
|
pub use js_handlebars::JsHandlebarsAdapter;
|
2026-05-17 22:32:44 -05:00
|
|
|
pub use ldap_php::LdapPhpAdapter;
|
|
|
|
|
pub use ldap_python::LdapPythonAdapter;
|
|
|
|
|
pub use ldap_spring::LdapSpringAdapter;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub use php_twig::PhpTwigAdapter;
|
2026-05-17 16:37:20 -05:00
|
|
|
pub use php_unserialize::PhpUnserializeAdapter;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub use python_jinja2::PythonJinja2Adapter;
|
2026-05-17 16:37:20 -05:00
|
|
|
pub use python_pickle::PythonPickleAdapter;
|
2026-05-17 18:51:13 -05:00
|
|
|
pub use ruby_erb::RubyErbAdapter;
|
2026-05-17 16:37:20 -05:00
|
|
|
pub use ruby_marshal::RubyMarshalAdapter;
|
2026-05-17 20:39:12 -05:00
|
|
|
pub use xxe_go::XxeGoAdapter;
|
|
|
|
|
pub use xxe_java::XxeJavaAdapter;
|
|
|
|
|
pub use xxe_php::XxePhpAdapter;
|
|
|
|
|
pub use xxe_python::XxePythonAdapter;
|
|
|
|
|
pub use xxe_ruby::XxeRubyAdapter;
|
2026-05-17 16:37:20 -05:00
|
|
|
|
|
|
|
|
/// True when any callee in `summary.callees` matches `predicate`.
|
|
|
|
|
fn any_callee_matches(
|
|
|
|
|
summary: &crate::summary::FuncSummary,
|
|
|
|
|
predicate: impl Fn(&str) -> bool,
|
|
|
|
|
) -> bool {
|
|
|
|
|
summary
|
|
|
|
|
.callees
|
|
|
|
|
.iter()
|
|
|
|
|
.any(|c| predicate(c.name.as_str()))
|
|
|
|
|
}
|
