[pitboss/grind] deferred session-0010 (20260520T233019Z-6958)

src/dynamic/corpus/registry.rs

@@ -848,9 +848,14 @@ mod tests {
     fn xxe_payloads_pair_benign_controls_per_lang() {
         for lang in [Lang::Java, Lang::Python, Lang::Php, Lang::Ruby, Lang::Go] {
             let slice = payloads_for_lang(Cap::XXE, lang);
+            // Skip OOB-nonce variants: they self-confirm via the per-finding
+            // listener callback (see `xxe-<lang>-oob-nonce` in
+            // `src/dynamic/corpus/xxe/<lang>.rs`) and carry no paired benign
+            // control because a benign URL structurally cannot hit the nonce
+            // path.  The doctype-entity vuln is the one that pairs.
             let vuln = slice
                 .iter()
-                .find(|p| !p.is_benign)
+                .find(|p| !p.is_benign && !p.oob_nonce_slot)
                 .expect("each lang must have an XXE vuln payload");
             let resolved = super::resolve_benign_control_lang(vuln, Cap::XXE, lang)
                 .expect("lang-aware benign control must resolve");

src/dynamic/corpus/xxe/go.rs

@@ -9,11 +9,38 @@
 //! Benign control: a well-formed XML document with no doctype, so the
 //! decoder has no entity to resolve and the shim writes
 //! `entity_expanded: false`.
+//!
+//! OOB-nonce variant (added 2026-05-21): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`] the harness's
+//! `nyxBuildXxeDocument` helper performs a real `http.Client.Get`
+//! against the loopback URL so the listener records the per-finding
+//! nonce.  Ordered first so iteration exercises OOB before the
+//! doctype-entity vuln triggers and short-circuits.
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"",
+        label: "xxe-go-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/go/vuln.go",
+        ],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce XXE payload self-confirms via the per-finding listener \
+             callback when the Go harness performs the loopback GET before \
+             building the DTD; no benign URL can hit the nonce path.",
+        ),
+    },
     CuratedPayload {
         bytes: br#"<?xml version="1.0"?>
 <!DOCTYPE data [

src/dynamic/corpus/xxe/java.rs

@@ -10,11 +10,39 @@
 //! declaration so the parser has no entity to resolve.  The harness's
 //! instrumented parser writes `entity_expanded: false`, the oracle
 //! does not fire, and the differential rule (§4.1) stays clean.
+//!
+//! OOB-nonce variant (added 2026-05-21): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`] the harness's `EntityResolver`
+//! hook performs a real `HttpURLConnection.openConnection().getInputStream()`
+//! against the loopback URL so the listener records the per-finding nonce.
+//! Ordered first so the runner exercises the OOB observation path before
+//! the doctype-entity vuln below triggers and short-circuits iteration;
+//! runs without a listener skip cleanly (runner `oob_nonce_slot` branch).
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"",
+        label: "xxe-java-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/java/Vuln.java",
+        ],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce XXE payload self-confirms via the per-finding listener \
+             callback when DocumentBuilder's EntityResolver fetches the \
+             loopback URL; no benign URL can hit the nonce path.",
+        ),
+    },
     CuratedPayload {
         bytes: br#"<?xml version="1.0"?>
 <!DOCTYPE data [

src/dynamic/corpus/xxe/php.rs

@@ -9,11 +9,38 @@
 //! Benign control: a well-formed XML document with no doctype, so
 //! the parser has no entity to resolve and the shim writes
 //! `entity_expanded: false`.
+//!
+//! OOB-nonce variant (added 2026-05-21): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`] the harness's
+//! `libxml_set_external_entity_loader` callback performs a real
+//! `file_get_contents` against the loopback URL so the listener records
+//! the per-finding nonce.  Ordered first so iteration exercises OOB
+//! before the doctype-entity vuln triggers and short-circuits.
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"",
+        label: "xxe-php-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/php/vuln.php",
+        ],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce XXE payload self-confirms via the per-finding listener \
+             callback when libxml's external-entity loader fetches the \
+             loopback URL; no benign URL can hit the nonce path.",
+        ),
+    },
     CuratedPayload {
         bytes: br#"<?xml version="1.0"?>
 <!DOCTYPE data [

src/dynamic/corpus/xxe/python.rs

@@ -9,11 +9,49 @@
 //! Benign control: a well-formed XML document with no doctype, so the
 //! parser has nothing to resolve and the shim writes
 //! `entity_expanded: false`.
+//!
+//! OOB-nonce variant (added 2026-05-21): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`], the runner materialises this
+//! payload's bytes as a loopback URL and the Python harness wraps the
+//! URL into `<!ENTITY xxe SYSTEM "URL">`.  Expat's external-entity hook
+//! performs a real `urllib.request.urlopen` against the URL so the
+//! listener records the per-finding nonce.  Ordered first so the runner
+//! exercises the OOB observation path before the doctype-entity vuln
+//! triggers and short-circuits the iteration; runs without a listener
+//! skip cleanly (the runner's `oob_nonce_slot` branch `continue`s when
+//! [`crate::dynamic::sandbox::SandboxOptions::oob_listener`] is None).
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    // OOB-nonce XXE variant.  Ordered first so the harness exercises the
+    // OOB observation path before the doctype-entity vuln below triggers
+    // and breaks iteration.  Self-confirming via [`Oracle::OobCallback`];
+    // no paired benign control because a benign URL can never hit the
+    // per-finding nonce path.  Runs only when an [`OobListener`] is
+    // attached; the runner's `oob_nonce_slot` branch skips otherwise.
+    CuratedPayload {
+        bytes: b"",
+        label: "xxe-python-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/python/vuln.py",
+        ],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce XXE payload self-confirms via the per-finding listener \
+             callback when expat's external-entity hook fetches the loopback \
+             URL; no benign URL can hit the nonce path so no paired control \
+             is meaningful.",
+        ),
+    },
     CuratedPayload {
         bytes: br#"<?xml version="1.0"?>
 <!DOCTYPE data [

src/dynamic/corpus/xxe/ruby.rs

@@ -8,11 +8,38 @@
 //! Benign control: a well-formed XML document with no doctype, so
 //! the parser has no entity to resolve and the shim writes
 //! `entity_expanded: false`.
+//!
+//! OOB-nonce variant (added 2026-05-21): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`] the harness's
+//! `_nyx_build_xxe_document` helper performs a real `Net::HTTP.start`
+//! against the loopback URL so the listener records the per-finding
+//! nonce.  Ordered first so iteration exercises OOB before the
+//! doctype-entity vuln triggers and short-circuits.
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"",
+        label: "xxe-ruby-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/ruby/vuln.rb",
+        ],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce XXE payload self-confirms via the per-finding listener \
+             callback when the Ruby harness performs the loopback GET before \
+             building the DTD; no benign URL can hit the nonce path.",
+        ),
+    },
     CuratedPayload {
         bytes: br#"<?xml version="1.0"?>
 <!DOCTYPE data [