[pitboss] phase 02: M2 — Python end-to-end excellence with all hardening baked in

tests/dynamic_fixtures/python/cmdi_positive.py

@@ -0,0 +1,19 @@
+"""Command injection — positive fixture.
+
+Vulnerable function: passes user input directly to shell=True subprocess.
+Expected verdict: Confirmed (payload "; echo NYX_PWN_CMDI" echoes the marker).
+"""
+import subprocess
+
+
+def run_ping(host):
+    """Vulnerable: user input in shell command."""
+    result = subprocess.run(
+        "ping -c 1 " + host,
+        shell=True,
+        capture_output=True,
+        text=True,
+        timeout=5,
+    )
+    print(result.stdout)
+    print(result.stderr, end="")