[pitboss] phase 17: Track L.15 — Gin / Echo / Fiber / Chi adapters + Axum / Actix / Rocket / Warp adapters

tests/dynamic_fixtures/go_frameworks/chi/benign.go

@@ -0,0 +1,24 @@
+// Phase 17 (Track L.15) — chi benign control fixture.
+package main
+
+import (
+	"net/http"
+	"os/exec"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func Run(w http.ResponseWriter, r *http.Request) {
+	cmd := r.URL.Query().Get("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		_ = exec.Command(safe).Run()
+	}
+	_, _ = w.Write([]byte("ok"))
+}
+
+func main() {
+	r := chi.NewRouter()
+	r.Get("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/go_frameworks/chi/vuln.go

@@ -0,0 +1,25 @@
+// Phase 17 (Track L.15) — chi CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`.  Adapter binding: `r.Get("/run", Run)` with
+// `cmd` flowing through the request query.
+package main
+
+import (
+	"net/http"
+	"os/exec"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func Run(w http.ResponseWriter, r *http.Request) {
+	cmd := r.URL.Query().Get("cmd")
+	_ = exec.Command("sh", "-c", cmd).Run()
+	_, _ = w.Write([]byte("ok"))
+}
+
+func main() {
+	r := chi.NewRouter()
+	r.Get("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/go_frameworks/echo/benign.go

@@ -0,0 +1,26 @@
+// Phase 17 (Track L.15) — echo benign control fixture.
+//
+// The /run route consults an allow-list before invoking exec, so
+// attacker bytes never reach the sink directly.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/labstack/echo/v4"
+)
+
+func Run(c echo.Context) error {
+	cmd := c.QueryParam("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		return exec.Command(safe).Run()
+	}
+	return nil
+}
+
+func main() {
+	e := echo.New()
+	e.GET("/run", Run)
+	_ = e
+}

tests/dynamic_fixtures/go_frameworks/echo/vuln.go

@@ -0,0 +1,23 @@
+// Phase 17 (Track L.15) — echo CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`.  Adapter binding: `e.GET("/run", Run)` with
+// `cmd` flowing through `c.QueryParam`.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/labstack/echo/v4"
+)
+
+func Run(c echo.Context) error {
+	cmd := c.QueryParam("cmd")
+	return exec.Command("sh", "-c", cmd).Run()
+}
+
+func main() {
+	e := echo.New()
+	e.GET("/run", Run)
+	_ = e
+}

tests/dynamic_fixtures/go_frameworks/fiber/benign.go

@@ -0,0 +1,23 @@
+// Phase 17 (Track L.15) — fiber benign control fixture.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func Run(c *fiber.Ctx) error {
+	cmd := c.Query("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		return exec.Command(safe).Run()
+	}
+	return nil
+}
+
+func main() {
+	app := fiber.New()
+	app.Get("/run", Run)
+	_ = app
+}

tests/dynamic_fixtures/go_frameworks/fiber/vuln.go

@@ -0,0 +1,23 @@
+// Phase 17 (Track L.15) — fiber CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`.  Adapter binding: `app.Get("/run", Run)` with
+// `cmd` flowing through `c.Query`.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func Run(c *fiber.Ctx) error {
+	cmd := c.Query("cmd")
+	return exec.Command("sh", "-c", cmd).Run()
+}
+
+func main() {
+	app := fiber.New()
+	app.Get("/run", Run)
+	_ = app
+}

tests/dynamic_fixtures/go_frameworks/gin/benign.go

@@ -0,0 +1,26 @@
+// Phase 17 (Track L.15) — gin benign control fixture.
+//
+// The /run route accepts a `cmd` query parameter but only runs an
+// allow-listed command, so the sink never sees attacker-controlled
+// bytes.  Same adapter binding as the vuln fixture.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gin-gonic/gin"
+)
+
+func Run(c *gin.Context) {
+	cmd := c.Query("cmd")
+	allow := map[string]string{"ls": "ls", "ps": "ps"}
+	if safe, ok := allow[cmd]; ok {
+		_ = exec.Command(safe).Run()
+	}
+}
+
+func main() {
+	r := gin.Default()
+	r.GET("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/go_frameworks/gin/vuln.go

@@ -0,0 +1,24 @@
+// Phase 17 (Track L.15) — gin CMDI vuln fixture.
+//
+// The /run route forwards a `cmd` query parameter straight into
+// `os/exec.Command`, so any attacker who reaches the route can
+// execute arbitrary shell.  Adapter binding: `r.GET("/run", Run)`
+// with `cmd` flowing through `c.Query`.
+package main
+
+import (
+	"os/exec"
+
+	"github.com/gin-gonic/gin"
+)
+
+func Run(c *gin.Context) {
+	cmd := c.Query("cmd")
+	_ = exec.Command("sh", "-c", cmd).Run()
+}
+
+func main() {
+	r := gin.Default()
+	r.GET("/run", Run)
+	_ = r
+}

tests/dynamic_fixtures/rust_frameworks/actix/benign.rs

@@ -0,0 +1,19 @@
+//! Phase 17 (Track L.15) — actix-web benign control fixture.
+
+use actix_web::{get, web, HttpResponse, Responder};
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+#[get("/run")]
+pub async fn run(q: web::Query<RunQuery>) -> impl Responder {
+    let allow = ["ls", "ps"];
+    if allow.contains(&q.cmd.as_str()) {
+        let _ = Command::new(&q.cmd).status();
+    }
+    HttpResponse::Ok().body("ok")
+}

tests/dynamic_fixtures/rust_frameworks/actix/vuln.rs

@@ -0,0 +1,20 @@
+//! Phase 17 (Track L.15) — actix-web CMDI vuln fixture.
+//!
+//! The /run route forwards a `cmd` query parameter straight into
+//! `std::process::Command`.  Adapter binding: `#[get("/run")]` on
+//! `run` with `cmd` arriving via `web::Query<RunQuery>`.
+
+use actix_web::{get, web, HttpResponse, Responder};
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+#[get("/run")]
+pub async fn run(q: web::Query<RunQuery>) -> impl Responder {
+    let _ = Command::new("sh").arg("-c").arg(&q.cmd).status();
+    HttpResponse::Ok().body("ok")
+}

tests/dynamic_fixtures/rust_frameworks/axum/benign.rs

@@ -0,0 +1,27 @@
+//! Phase 17 (Track L.15) — axum benign control fixture.
+//!
+//! The /run route allow-lists the `cmd` value before invoking
+//! `std::process::Command`, so attacker bytes never reach the sink.
+
+use axum::extract::Query;
+use axum::Router;
+use axum::routing::get;
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub async fn run(Query(q): Query<RunQuery>) -> String {
+    let allow = ["ls", "ps"];
+    if allow.contains(&q.cmd.as_str()) {
+        let _ = Command::new(&q.cmd).status();
+    }
+    "ok".to_owned()
+}
+
+pub fn build() -> Router {
+    Router::new().route("/run", get(run))
+}

tests/dynamic_fixtures/rust_frameworks/axum/vuln.rs

@@ -0,0 +1,26 @@
+//! Phase 17 (Track L.15) — axum CMDI vuln fixture.
+//!
+//! The /run route forwards a `cmd` query parameter straight into
+//! `std::process::Command`.  Adapter binding:
+//! `Router::new().route("/run", get(run))` with `cmd` arriving via
+//! `axum::extract::Query<RunQuery>`.
+
+use axum::extract::Query;
+use axum::Router;
+use axum::routing::get;
+use serde::Deserialize;
+use std::process::Command;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub async fn run(Query(q): Query<RunQuery>) -> String {
+    let _ = Command::new("sh").arg("-c").arg(&q.cmd).status();
+    "ok".to_owned()
+}
+
+pub fn build() -> Router {
+    Router::new().route("/run", get(run))
+}

tests/dynamic_fixtures/rust_frameworks/rocket/benign.rs

@@ -0,0 +1,13 @@
+//! Phase 17 (Track L.15) — rocket benign control fixture.
+
+use rocket::get;
+use std::process::Command;
+
+#[get("/run?<cmd>")]
+pub fn run(cmd: String) -> &'static str {
+    let allow = ["ls", "ps"];
+    if allow.contains(&cmd.as_str()) {
+        let _ = Command::new(&cmd).status();
+    }
+    "ok"
+}

tests/dynamic_fixtures/rust_frameworks/rocket/vuln.rs

@@ -0,0 +1,14 @@
+//! Phase 17 (Track L.15) — rocket CMDI vuln fixture.
+//!
+//! The /run route forwards a `cmd` query parameter straight into
+//! `std::process::Command`.  Adapter binding: `#[get("/run?<cmd>")]`
+//! on `run` with `cmd` arriving via the function's positional arg.
+
+use rocket::get;
+use std::process::Command;
+
+#[get("/run?<cmd>")]
+pub fn run(cmd: String) -> &'static str {
+    let _ = Command::new("sh").arg("-c").arg(&cmd).status();
+    "ok"
+}

tests/dynamic_fixtures/rust_frameworks/warp/benign.rs

@@ -0,0 +1,24 @@
+//! Phase 17 (Track L.15) — warp benign control fixture.
+
+use std::process::Command;
+use serde::Deserialize;
+use warp::Filter;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub fn run(q: RunQuery) -> &'static str {
+    let allow = ["ls", "ps"];
+    if allow.contains(&q.cmd.as_str()) {
+        let _ = Command::new(&q.cmd).status();
+    }
+    "ok"
+}
+
+pub fn build() -> impl Filter<Extract = (&'static str,), Error = warp::Rejection> + Clone {
+    warp::path!("run")
+        .and(warp::query::<RunQuery>())
+        .map(run)
+}

tests/dynamic_fixtures/rust_frameworks/warp/vuln.rs

@@ -0,0 +1,26 @@
+//! Phase 17 (Track L.15) — warp CMDI vuln fixture.
+//!
+//! The /run filter forwards a query parameter straight into
+//! `std::process::Command`.  Adapter binding:
+//! `warp::path!("run").and(warp::query::<RunQuery>()).map(run)` with
+//! `cmd` arriving via warp's typed query.
+
+use std::process::Command;
+use serde::Deserialize;
+use warp::Filter;
+
+#[derive(Deserialize)]
+pub struct RunQuery {
+    pub cmd: String,
+}
+
+pub fn run(q: RunQuery) -> &'static str {
+    let _ = Command::new("sh").arg("-c").arg(&q.cmd).status();
+    "ok"
+}
+
+pub fn build() -> impl Filter<Extract = (&'static str,), Error = warp::Rejection> + Clone {
+    warp::path!("run")
+        .and(warp::query::<RunQuery>())
+        .map(run)
+}