refactor(dynamic): expand Go framework support with updated route dispatch logic, enhance stub generation, and improve Go module management

elipeter 2026-05-26 09:18:20 -05:00
parent 68bdd30eca
commit 170d2028d0
9 changed files with 252 additions and 86 deletions


@ -6,6 +6,7 @@
package main
import (
"fmt"
"net/http"
"os/exec"
@ -14,7 +15,9 @@ import (
func Run(w http.ResponseWriter, r *http.Request) {
cmd := r.URL.Query().Get("cmd")
_ = exec.Command("sh", "-c", cmd).Run()
fmt.Print("__NYX_SINK_HIT__\n")
out, _ := exec.Command("sh", "-c", cmd).CombinedOutput()
fmt.Print(string(out))
_, _ = w.Write([]byte("ok"))
}
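Review bot: The `__NYX_SINK_HIT__` marker is printed before `exec.Command` runs and the `CombinedOutput()` error is dropped with `_`, so a hit is reported even when the shell never starts. If the harness reads the marker as proof of execution (not visible from this hunk), either move the print after the call and gate it on the error, or document the meaning with a comment such as `// marker means the tainted value reached the sink call, not that the command ran`. The command output is also written to the same stdout as the marker, so the harness should not assume every marker-like line came from the fixture itself. The same pattern is in the Echo, Fiber and Gin fixtures below. The header comment above line 6 is outside the hunk, so I cannot tell whether it already says these files run request-supplied strings through `sh -c` and belong only inside the sandbox.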


@ -6,6 +6,7 @@
package main
import (
"fmt"
"os/exec"
"github.com/labstack/echo/v4"
@ -13,7 +14,10 @@ import (
func Run(c echo.Context) error {
cmd := c.QueryParam("cmd")
return exec.Command("sh", "-c", cmd).Run()
fmt.Print("__NYX_SINK_HIT__\n")
out, err := exec.Command("sh", "-c", cmd).CombinedOutput()
fmt.Print(string(out))
return err
}
func main() {
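Review bot: `Run` still hands the exec error back to the framework with `return err`, so a payload command that exits non-zero becomes an Echo error response, while the net/http fixture always writes `ok` and the Gin fixture ignores the error. If the harness compares responses or status codes across frameworks (an assumption, since the dispatcher is not in this section), that difference can be mistaken for a framework-specific result. Either return `nil` after printing the output, or keep the behaviour and say so with `// non-zero exit is returned to the framework on purpose`. The Fiber fixture below has the same `return err`, and `main` continues outside this hunk.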


@ -6,6 +6,7 @@
package main
import (
"fmt"
"os/exec"
"github.com/gofiber/fiber/v2"
@ -13,7 +14,10 @@ import (
func Run(c *fiber.Ctx) error {
cmd := c.Query("cmd")
return exec.Command("sh", "-c", cmd).Run()
fmt.Print("__NYX_SINK_HIT__\n")
out, err := exec.Command("sh", "-c", cmd).CombinedOutput()
fmt.Print(string(out))
return err
}
func main() {


@ -7,6 +7,7 @@
package main
import (
"fmt"
"os/exec"
"github.com/gin-gonic/gin"
@ -14,7 +15,9 @@ import (
func Run(c *gin.Context) {
cmd := c.Query("cmd")
_ = exec.Command("sh", "-c", cmd).Run()
fmt.Print("__NYX_SINK_HIT__\n")
out, _ := exec.Command("sh", "-c", cmd).CombinedOutput()
fmt.Print(string(out))
}
func main() {


@ -333,9 +333,7 @@ except Exception as exc:
"standard profile should not produce a hardening outcome",
);
if stdout.contains("xxe:network-denied") {
eprintln!(
"SKIP: host-level network policy produced EPERM outside sandbox-exec"
);
eprintln!("SKIP: host-level network policy produced EPERM outside sandbox-exec");
return;
}
// The probe should NOT report EPERM under the unwrapped run —


@ -545,7 +545,9 @@ fn python_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -607,7 +609,9 @@ fn python_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fixture =
@ -650,7 +654,9 @@ fn node_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -712,7 +718,9 @@ fn node_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fixture =
@ -755,7 +763,9 @@ fn php_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -819,7 +829,9 @@ fn php_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fixture =
@ -864,7 +876,9 @@ fn go_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -926,7 +940,9 @@ fn go_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fragment =
@ -1067,7 +1083,9 @@ fn ruby_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -1129,7 +1147,9 @@ fn ruby_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fixture =
@ -1274,7 +1294,9 @@ fn java_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -1430,7 +1452,9 @@ fn java_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fragment = std::fs::read_to_string(fixture_path("java/http/vuln/main.java.fragment"))
@ -1531,7 +1555,9 @@ fn rust_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -1602,7 +1628,9 @@ fn rust_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fragment = std::fs::read_to_string(fixture_path("rust/http/vuln/main.rs"))
@ -1947,7 +1975,9 @@ fn c_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -1999,7 +2029,9 @@ fn c_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fragment = std::fs::read_to_string(fixture_path("c/http/vuln/main.c.fragment"))
@ -2127,7 +2159,9 @@ fn cpp_http_stub_captures_attempted_outbound_via_shim_recorder() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let recording = stub
@ -2179,7 +2213,9 @@ fn cpp_http_shim_recorder_is_noop_without_log_env() {
}
let workdir = TempDir::new().expect("tempdir");
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else { return; };
let Some(stub) = start_http_stub(workdir.path(), stringify!(__NYX_HTTP_TEST__)) else {
return;
};
let endpoint = stub.endpoint();
let fragment = std::fs::read_to_string(fixture_path("cpp/http/vuln/main.cpp.fragment"))