[pitboss] phase 17: Track L.15 — Gin / Echo / Fiber / Chi adapters + Axum / Actix / Rocket / Warp adapters

tests/dynamic_fixtures/go_frameworks/chi/benign.go

@@ -0,0 +1,24 @@
+// Phase 17 (Track L.15) — chi benign control fixture.
+package main
+
+import (
+	"net/http"
+	"os/exec"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func Run(w http.ResponseWriter, r *http.Request) {
+	cmd := r.URL.Query().Get("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		_ = exec.Command(safe).Run()
+	}
+	_, _ = w.Write([]byte("ok"))
+}
+
+func main() {
+	r := chi.NewRouter()
+	r.Get("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/go_frameworks/chi/vuln.go

@@ -0,0 +1,25 @@
+// Phase 17 (Track L.15) — chi CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`.  Adapter binding: `r.Get("/run", Run)` with
+// `cmd` flowing through the request query.
+package main
+
+import (
+	"net/http"
+	"os/exec"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func Run(w http.ResponseWriter, r *http.Request) {
+	cmd := r.URL.Query().Get("cmd")
+	_ = exec.Command("sh", "-c", cmd).Run()
+	_, _ = w.Write([]byte("ok"))
+}
+
+func main() {
+	r := chi.NewRouter()
+	r.Get("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/go_frameworks/echo/benign.go

@@ -0,0 +1,26 @@
+// Phase 17 (Track L.15) — echo benign control fixture.
+//
+// The /run route consults an allow-list before invoking exec, so
+// attacker bytes never reach the sink directly.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/labstack/echo/v4"
+)
+
+func Run(c echo.Context) error {
+	cmd := c.QueryParam("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		return exec.Command(safe).Run()
+	}
+	return nil
+}
+
+func main() {
+	e := echo.New()
+	e.GET("/run", Run)
+	_ = e
+}

tests/dynamic_fixtures/go_frameworks/echo/vuln.go

@@ -0,0 +1,23 @@
+// Phase 17 (Track L.15) — echo CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`.  Adapter binding: `e.GET("/run", Run)` with
+// `cmd` flowing through `c.QueryParam`.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/labstack/echo/v4"
+)
+
+func Run(c echo.Context) error {
+	cmd := c.QueryParam("cmd")
+	return exec.Command("sh", "-c", cmd).Run()
+}
+
+func main() {
+	e := echo.New()
+	e.GET("/run", Run)
+	_ = e
+}

tests/dynamic_fixtures/go_frameworks/fiber/benign.go

@@ -0,0 +1,23 @@
+// Phase 17 (Track L.15) — fiber benign control fixture.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func Run(c *fiber.Ctx) error {
+	cmd := c.Query("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		return exec.Command(safe).Run()
+	}
+	return nil
+}
+
+func main() {
+	app := fiber.New()
+	app.Get("/run", Run)
+	_ = app
+}

tests/dynamic_fixtures/go_frameworks/fiber/vuln.go

@@ -0,0 +1,23 @@
+// Phase 17 (Track L.15) — fiber CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`.  Adapter binding: `app.Get("/run", Run)` with
+// `cmd` flowing through `c.Query`.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func Run(c *fiber.Ctx) error {
+	cmd := c.Query("cmd")
+	return exec.Command("sh", "-c", cmd).Run()
+}
+
+func main() {
+	app := fiber.New()
+	app.Get("/run", Run)
+	_ = app
+}

tests/dynamic_fixtures/go_frameworks/gin/benign.go

@@ -0,0 +1,26 @@
+// Phase 17 (Track L.15) — gin benign control fixture.
+//
+// The /run route accepts a `cmd` query parameter but only runs an
+// allow-listed command, so the sink never sees attacker-controlled
+// bytes.  Same adapter binding as the vuln fixture.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gin-gonic/gin"
+)
+
+func Run(c *gin.Context) {
+	cmd := c.Query("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		_ = exec.Command(safe).Run()
+	}
+}
+
+func main() {
+	r := gin.Default()
+	r.GET("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/go_frameworks/gin/vuln.go

@@ -0,0 +1,24 @@
+// Phase 17 (Track L.15) — gin CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`, so any attacker who reaches the route can
+// execute arbitrary shell.  Adapter binding: `r.GET("/run", Run)`
+// with `cmd` flowing through `c.Query`.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gin-gonic/gin"
+)
+
+func Run(c *gin.Context) {
+	cmd := c.Query("cmd")
+	_ = exec.Command("sh", "-c", cmd).Run()
+}
+
+func main() {
+	r := gin.Default()
+	r.GET("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/rust_frameworks/actix/benign.rs

@@ -0,0 +1,19 @@
+//! Phase 17 (Track L.15) — actix-web benign control fixture.
+
+use actix_web::{get, web, HttpResponse, Responder};
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+#[get("/run")]
+pub async fn run(q: web::Query<RunQuery>) -> impl Responder {
+    let allow = ["ls", "ps"];
+    if allow.contains(&q.cmd.as_str()) {
+        let _ = Command::new(&q.cmd).status();
+    }
+    HttpResponse::Ok().body("ok")
+}

tests/dynamic_fixtures/rust_frameworks/actix/vuln.rs

@@ -0,0 +1,20 @@
+//! Phase 17 (Track L.15) — actix-web CMDI vuln fixture.
+//!
+//! The /run route forwards a `cmd` query parameter straight into
+//! `std::process::Command`.  Adapter binding: `#[get("/run")]` on
+//! `run` with `cmd` arriving via `web::Query<RunQuery>`.
+
+use actix_web::{get, web, HttpResponse, Responder};
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+#[get("/run")]
+pub async fn run(q: web::Query<RunQuery>) -> impl Responder {
+    let _ = Command::new("sh").arg("-c").arg(&q.cmd).status();
+    HttpResponse::Ok().body("ok")
+}

tests/dynamic_fixtures/rust_frameworks/axum/benign.rs

@@ -0,0 +1,27 @@
+//! Phase 17 (Track L.15) — axum benign control fixture.
+//!
+//! The /run route allow-lists the `cmd` value before invoking
+//! `std::process::Command`, so attacker bytes never reach the sink.
+
+use axum::extract::Query;
+use axum::Router;
+use axum::routing::get;
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub async fn run(Query(q): Query<RunQuery>) -> String {
+    let allow = ["ls", "ps"];
+    if allow.contains(&q.cmd.as_str()) {
+        let _ = Command::new(&q.cmd).status();
+    }
+    "ok".to_owned()
+}
+
+pub fn build() -> Router {
+    Router::new().route("/run", get(run))
+}

tests/dynamic_fixtures/rust_frameworks/axum/vuln.rs

@@ -0,0 +1,26 @@
+//! Phase 17 (Track L.15) — axum CMDI vuln fixture.
+//!
+//! The /run route forwards a `cmd` query parameter straight into
+//! `std::process::Command`.  Adapter binding:
+//! `Router::new().route("/run", get(run))` with `cmd` arriving via
+//! `axum::extract::Query<RunQuery>`.
+
+use axum::extract::Query;
+use axum::Router;
+use axum::routing::get;
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub async fn run(Query(q): Query<RunQuery>) -> String {
+    let _ = Command::new("sh").arg("-c").arg(&q.cmd).status();
+    "ok".to_owned()
+}
+
+pub fn build() -> Router {
+    Router::new().route("/run", get(run))
+}

tests/dynamic_fixtures/rust_frameworks/rocket/benign.rs

@@ -0,0 +1,13 @@
+//! Phase 17 (Track L.15) — rocket benign control fixture.
+
+use rocket::get;
+use std::process::Command;
+
+#[get("/run?<cmd>")]
+pub fn run(cmd: String) -> &'static str {
+    let allow = ["ls", "ps"];
+    if allow.contains(&cmd.as_str()) {
+        let _ = Command::new(&cmd).status();
+    }
+    "ok"
+}

tests/dynamic_fixtures/rust_frameworks/rocket/vuln.rs

@@ -0,0 +1,14 @@
+//! Phase 17 (Track L.15) — rocket CMDI vuln fixture.
+//!
+//! The /run route forwards a `cmd` query parameter straight into
+//! `std::process::Command`.  Adapter binding: `#[get("/run?<cmd>")]`
+//! on `run` with `cmd` arriving via the function's positional arg.
+
+use rocket::get;
+use std::process::Command;
+
+#[get("/run?<cmd>")]
+pub fn run(cmd: String) -> &'static str {
+    let _ = Command::new("sh").arg("-c").arg(&cmd).status();
+    "ok"
+}

tests/dynamic_fixtures/rust_frameworks/warp/benign.rs

@@ -0,0 +1,24 @@
+//! Phase 17 (Track L.15) — warp benign control fixture.
+
+use std::process::Command;
+use serde::Deserialize;
+use warp::Filter;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub fn run(q: RunQuery) -> &'static str {
+    let allow = ["ls", "ps"];
+    if allow.contains(&q.cmd.as_str()) {
+        let _ = Command::new(&q.cmd).status();
+    }
+    "ok"
+}
+
+pub fn build() -> impl Filter<Extract = (&'static str,), Error = warp::Rejection> + Clone {
+    warp::path!("run")
+        .and(warp::query::<RunQuery>())
+        .map(run)
+}

tests/dynamic_fixtures/rust_frameworks/warp/vuln.rs

@@ -0,0 +1,26 @@
+//! Phase 17 (Track L.15) — warp CMDI vuln fixture.
+//!
+//! The /run filter forwards a query parameter straight into
+//! `std::process::Command`.  Adapter binding:
+//! `warp::path!("run").and(warp::query::<RunQuery>()).map(run)` with
+//! `cmd` arriving via warp's typed query.
+
+use std::process::Command;
+use serde::Deserialize;
+use warp::Filter;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub fn run(q: RunQuery) -> &'static str {
+    let _ = Command::new("sh").arg("-c").arg(&q.cmd).status();
+    "ok"
+}
+
+pub fn build() -> impl Filter<Extract = (&'static str,), Error = warp::Rejection> + Clone {
+    warp::path!("run")
+        .and(warp::query::<RunQuery>())
+        .map(run)
+}

tests/go_frameworks_corpus.rs

@@ -0,0 +1,130 @@
+//! Phase 17 (Track L.15) — Go framework adapter integration tests.
+//!
+//! Each test exercises `detect_binding` end-to-end against a fixture
+//! file under `tests/dynamic_fixtures/go_frameworks/`, asserting that
+//! the right adapter fires, the binding carries
+//! `EntryKind::HttpRoute`, and the `RouteShape` matches the brief.
+//! Benign fixtures must produce the same adapter binding shape as
+//! the vuln fixtures — the adapter only models the route; the
+//! differential outcome of a verifier run is what distinguishes the
+//! two.
+
+#![cfg(feature = "dynamic")]
+
+use nyx_scanner::dynamic::framework::{detect_binding, HttpMethod};
+use nyx_scanner::evidence::EntryKind;
+use nyx_scanner::summary::FuncSummary;
+use nyx_scanner::symbol::Lang;
+
+fn parse_go(src: &[u8]) -> tree_sitter::Tree {
+    let mut parser = tree_sitter::Parser::new();
+    let lang = tree_sitter::Language::from(tree_sitter_go::LANGUAGE);
+    parser.set_language(&lang).unwrap();
+    parser.parse(src, None).unwrap()
+}
+
+fn summary_for(name: &str, file: &str) -> FuncSummary {
+    FuncSummary {
+        name: name.into(),
+        file_path: file.into(),
+        lang: "go".into(),
+        ..Default::default()
+    }
+}
+
+fn assert_route(path: &str, adapter: &str, route_path: &str) {
+    let bytes = std::fs::read(path).expect("fixture exists");
+    let tree = parse_go(&bytes);
+    let summary = summary_for("Run", path);
+    let binding =
+        detect_binding(&summary, tree.root_node(), &bytes, Lang::Go).expect("adapter must bind");
+    assert_eq!(binding.adapter, adapter, "wrong adapter for {path}");
+    assert_eq!(binding.kind, EntryKind::HttpRoute);
+    let route = binding.route.as_ref().expect("route");
+    assert_eq!(route.path, route_path);
+    assert_eq!(route.method, HttpMethod::GET);
+}
+
+#[test]
+fn gin_vuln_fixture_binds_route() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/gin/vuln.go",
+        "go-gin",
+        "/run",
+    );
+}
+
+#[test]
+fn gin_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/gin/benign.go",
+        "go-gin",
+        "/run",
+    );
+}
+
+#[test]
+fn echo_vuln_fixture_binds_route() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/echo/vuln.go",
+        "go-echo",
+        "/run",
+    );
+}
+
+#[test]
+fn echo_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/echo/benign.go",
+        "go-echo",
+        "/run",
+    );
+}
+
+#[test]
+fn fiber_vuln_fixture_binds_route() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/fiber/vuln.go",
+        "go-fiber",
+        "/run",
+    );
+}
+
+#[test]
+fn fiber_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/fiber/benign.go",
+        "go-fiber",
+        "/run",
+    );
+}
+
+#[test]
+fn chi_vuln_fixture_binds_route() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/chi/vuln.go",
+        "go-chi",
+        "/run",
+    );
+}
+
+#[test]
+fn chi_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/go_frameworks/chi/benign.go",
+        "go-chi",
+        "/run",
+    );
+}
+
+#[test]
+fn gin_adapter_ignores_unrelated_function() {
+    // Match a non-route function name to confirm the adapter does
+    // not over-fire on unrelated helpers in the same file.
+    let path = "tests/dynamic_fixtures/go_frameworks/gin/vuln.go";
+    let bytes = std::fs::read(path).expect("fixture exists");
+    let tree = parse_go(&bytes);
+    let summary = summary_for("NonexistentHelper", path);
+    let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Go);
+    assert!(binding.is_none());
+}

tests/rust_frameworks_corpus.rs

@@ -0,0 +1,140 @@
+//! Phase 17 (Track L.15) — Rust framework adapter integration tests.
+//!
+//! Each test exercises `detect_binding` end-to-end against a fixture
+//! file under `tests/dynamic_fixtures/rust_frameworks/`, asserting
+//! that the right adapter fires, the binding carries
+//! `EntryKind::HttpRoute`, and the `RouteShape` matches the brief.
+//! Benign fixtures must produce the same adapter binding shape as
+//! the vuln fixtures — the adapter only models the route; the
+//! differential outcome of a verifier run is what distinguishes the
+//! two.
+
+#![cfg(feature = "dynamic")]
+
+use nyx_scanner::dynamic::framework::{detect_binding, HttpMethod};
+use nyx_scanner::evidence::EntryKind;
+use nyx_scanner::summary::FuncSummary;
+use nyx_scanner::symbol::Lang;
+
+fn parse_rust(src: &[u8]) -> tree_sitter::Tree {
+    let mut parser = tree_sitter::Parser::new();
+    let lang = tree_sitter::Language::from(tree_sitter_rust::LANGUAGE);
+    parser.set_language(&lang).unwrap();
+    parser.parse(src, None).unwrap()
+}
+
+fn summary_for(name: &str, file: &str) -> FuncSummary {
+    FuncSummary {
+        name: name.into(),
+        file_path: file.into(),
+        lang: "rust".into(),
+        ..Default::default()
+    }
+}
+
+fn assert_route(path: &str, adapter: &str, expected_path_fragment: &str, method: HttpMethod) {
+    let bytes = std::fs::read(path).expect("fixture exists");
+    let tree = parse_rust(&bytes);
+    let summary = summary_for("run", path);
+    let binding =
+        detect_binding(&summary, tree.root_node(), &bytes, Lang::Rust).expect("adapter must bind");
+    assert_eq!(binding.adapter, adapter, "wrong adapter for {path}");
+    assert_eq!(binding.kind, EntryKind::HttpRoute);
+    let route = binding.route.as_ref().expect("route");
+    assert!(
+        route.path.contains(expected_path_fragment),
+        "route path {} should contain {expected_path_fragment}",
+        route.path
+    );
+    assert_eq!(route.method, method);
+}
+
+#[test]
+fn axum_vuln_fixture_binds_route() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/axum/vuln.rs",
+        "rust-axum",
+        "/run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn axum_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/axum/benign.rs",
+        "rust-axum",
+        "/run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn actix_vuln_fixture_binds_route_via_attribute() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/actix/vuln.rs",
+        "rust-actix",
+        "/run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn actix_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/actix/benign.rs",
+        "rust-actix",
+        "/run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn rocket_vuln_fixture_binds_route_via_attribute() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/rocket/vuln.rs",
+        "rust-rocket",
+        "/run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn rocket_benign_fixture_binds_same_route_shape() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/rocket/benign.rs",
+        "rust-rocket",
+        "/run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn warp_vuln_fixture_binds_path_macro() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/warp/vuln.rs",
+        "rust-warp",
+        "run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn warp_benign_fixture_binds_same_path_macro() {
+    assert_route(
+        "tests/dynamic_fixtures/rust_frameworks/warp/benign.rs",
+        "rust-warp",
+        "run",
+        HttpMethod::GET,
+    );
+}
+
+#[test]
+fn axum_adapter_ignores_unrelated_function() {
+    let path = "tests/dynamic_fixtures/rust_frameworks/axum/vuln.rs";
+    let bytes = std::fs::read(path).expect("fixture exists");
+    let tree = parse_rust(&bytes);
+    let summary = summary_for("nonexistent_helper", path);
+    let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Rust);
+    assert!(binding.is_none());
+}