[pitboss/grind] deferred session-0010 (20260522T163126Z-7d60)

2026-06-15 20:05:13 +02:00 · 2026-05-22 15:35:38 -05:00 · 2026-05-22 15:35:38 -05:00 · 089fe3556a
commit 089fe3556a
parent 2c61324784
3 changed files with 579 additions and 5 deletions
--- a/tests/data_exfil_corpus.rs
+++ b/tests/data_exfil_corpus.rs
@ -149,8 +149,9 @@ mod e2e_data_exfil {
                Lang::Ruby => "ruby",
                Lang::JavaScript => "js",
                Lang::Java => "java",
+                Lang::Php => "php",
                _ => unreachable!(
-                    "DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java"
+                    "DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php"
                ),
            })
            .join(fixture);
@ -195,8 +196,9 @@ mod e2e_data_exfil {
            Lang::Ruby => "ruby",
            Lang::JavaScript => "node",
            Lang::Java => "javac",
+            Lang::Php => "php",
            _ => unreachable!(
-                "DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java"
+                "DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php"
            ),
        };
        if !command_available(required) {
@ -366,4 +368,40 @@ mod e2e_data_exfil {
            "Java DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
        );
    }
+
+    /// PHP pair, same shape as Python + Ruby + JavaScript + Java.  The
+    /// vuln fixture calls `@file_get_contents("http://" . $host . "/...")`;
+    /// the harness installs a stream-wrapper override for the `http`
+    /// scheme that parses the URL host via `parse_url(PHP_URL_HOST)`,
+    /// emits a `ProbeKind::OutboundNetwork`, and returns an empty
+    /// stream.  `OutboundHostNotIn` fires for the attacker payload.
+    /// The benign fixture's `in_array($host, ALLOWLIST)` guard
+    /// short-circuits before `file_get_contents` for non-loopback
+    /// payloads, so no probe fires.  Skips when `php` is not on PATH.
+    #[test]
+    fn php_vuln_confirms_via_run_spec() {
+        let Some(outcome) = run(Lang::Php, "vuln.php", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_some(),
+            "PHP DATA_EXFIL vuln must confirm via run_spec; got {outcome:?}",
+        );
+        let diff = outcome
+            .differential
+            .as_ref()
+            .expect("confirmed run must carry a DifferentialOutcome");
+        assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
+    }
+
+    #[test]
+    fn php_benign_does_not_confirm_via_run_spec() {
+        let Some(outcome) = run(Lang::Php, "benign.php", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_none(),
+            "PHP DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
+        );
+    }
 }
--- a/tests/unauthorized_id_corpus.rs
+++ b/tests/unauthorized_id_corpus.rs
@ -140,8 +140,9 @@ mod e2e_unauthorized_id {
                Lang::Ruby => "ruby",
                Lang::JavaScript => "js",
                Lang::Java => "java",
+                Lang::Php => "php",
                _ => unreachable!(
-                    "UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java"
+                    "UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php"
                ),
            })
            .join(fixture);
@ -186,8 +187,9 @@ mod e2e_unauthorized_id {
            Lang::Ruby => "ruby",
            Lang::JavaScript => "node",
            Lang::Java => "javac",
+            Lang::Php => "php",
            _ => unreachable!(
-                "UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java"
+                "UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php"
            ),
        };
        if !command_available(required) {
@ -351,4 +353,38 @@ mod e2e_unauthorized_id {
            "Java UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
        );
    }
+
+    /// PHP pair, same shape as Python + Ruby + JavaScript + Java.  The
+    /// vuln fixture's `$STORE[$ownerId]` materialises a record for any
+    /// owner_id; the harness emits `ProbeKind::IdorAccess` and
+    /// `IdorBoundaryCrossed` fires for `bob`.  The benign fixture's
+    /// `if ($ownerId !== CALLER_ID) return null;` short-circuit clears
+    /// the predicate for the non-caller payload.  Skips when `php` is
+    /// not on PATH.
+    #[test]
+    fn php_vuln_confirms_via_run_spec() {
+        let Some(outcome) = run(Lang::Php, "vuln.php", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_some(),
+            "PHP UNAUTHORIZED_ID vuln must confirm via run_spec; got {outcome:?}",
+        );
+        let diff = outcome
+            .differential
+            .as_ref()
+            .expect("confirmed run must carry a DifferentialOutcome");
+        assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
+    }
+
+    #[test]
+    fn php_benign_does_not_confirm_via_run_spec() {
+        let Some(outcome) = run(Lang::Php, "benign.php", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_none(),
+            "PHP UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
+        );
+    }
 }