[pitboss/grind] deferred session-0011 (20260520T233019Z-6958)

2026-06-27 20:29:39 +02:00 · 2026-05-21 06:40:08 -05:00 · 2026-05-21 06:40:08 -05:00 · 227675021b
commit 227675021b
parent 280121607e
5 changed files with 115 additions and 8 deletions
--- a/src/dynamic/differential.rs
+++ b/src/dynamic/differential.rs
@ -66,6 +66,29 @@ pub fn build_outcome(
    }
 }

+/// Build a self-confirming [`DifferentialOutcome`] for OOB-nonce payloads.
+///
+/// When a payload carries
+/// [`crate::dynamic::corpus::CuratedPayload::oob_nonce_slot`] = `true` and
+/// the [`crate::dynamic::oob::OobListener`] observed the per-finding nonce
+/// callback, the OOB observation is independent network-level evidence
+/// that the sink fired.  A benign URL structurally cannot hit a per-
+/// finding nonce, so no paired benign control is required.  The runner
+/// emits this outcome with [`DifferentialVerdict::ConfirmedProvenOob`]
+/// in place of the usual two-payload differential rule.
+pub fn build_oob_self_confirmed_outcome(
+    vuln_label: &str,
+    vuln_probes: &[SinkProbe],
+) -> DifferentialOutcome {
+    DifferentialOutcome {
+        verdict: DifferentialVerdict::ConfirmedProvenOob,
+        vuln_label: vuln_label.to_owned(),
+        benign_label: String::new(),
+        vuln_probes: vuln_probes.iter().map(sink_probe_to_record).collect(),
+        benign_probes: Vec::new(),
+    }
+}
+
 fn sink_probe_to_record(p: &SinkProbe) -> DifferentialProbeRecord {
    use crate::dynamic::probe::ProbeArg;
    DifferentialProbeRecord {
@ -108,6 +131,25 @@ mod tests {
        assert_eq!(evaluate(false, true), DifferentialVerdict::ReversedDifferential);
    }

+    #[test]
+    fn oob_self_confirmed_outcome_carries_only_vuln_trace() {
+        use crate::dynamic::probe::{ProbeArg, ProbeKind, ProbeWitness, SinkProbe};
+        let vuln = vec![SinkProbe {
+            sink_callee: "lxml.etree.XMLParser.parse".into(),
+            args: vec![ProbeArg::String("<!DOCTYPE … &xxe;".into())],
+            captured_at_ns: 1,
+            payload_id: "xxe-python-oob-nonce".into(),
+            kind: ProbeKind::Normal,
+            witness: ProbeWitness::empty(),
+        }];
+        let outcome = build_oob_self_confirmed_outcome("xxe-python-oob-nonce", &vuln);
+        assert_eq!(outcome.verdict, DifferentialVerdict::ConfirmedProvenOob);
+        assert_eq!(outcome.vuln_label, "xxe-python-oob-nonce");
+        assert!(outcome.benign_label.is_empty());
+        assert_eq!(outcome.vuln_probes.len(), 1);
+        assert!(outcome.benign_probes.is_empty());
+    }
+
    #[test]
    fn build_outcome_carries_both_traces() {
        use crate::dynamic::probe::{ProbeArg, ProbeKind, ProbeWitness, SinkProbe};