docs(configuration): improve clarity and formatting in configuration documentation

2026-06-24 20:28:06 +02:00 · 2026-05-22 09:42:18 -05:00 · 2026-05-22 09:42:18 -05:00 · 32211079a0
commit 32211079a0
parent 9062cd652a
32 changed files with 717 additions and 380 deletions
--- a/src/dynamic/corpus/json_parse/python.rs
+++ b/src/dynamic/corpus/json_parse/python.rs
@ -1,11 +1,14 @@
-//! Python `Cap::JSON_PARSE` payloads — `json.loads` then
-//! attribute-pollution via `setattr` / `dict.update` on a shared
-//! sentinel object.
+//! Python `Cap::JSON_PARSE` payloads.
+//!
+//! The canary cases cover pollution-style parses. The depth cases drive
+//! `json.loads` past the depth oracle while sharing one fixture for the
+//! vulnerable and benign attempts.

 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;

 const CANARY: &str = "__nyx_canary";
+const MAX_DEPTH: u32 = 64;

 pub const PAYLOADS: &[CuratedPayload] = &[
    CuratedPayload {
@ -42,4 +45,44 @@ pub const PAYLOADS: &[CuratedPayload] = &[
        benign_control: None,
        no_benign_control_rationale: None,
    },
+    CuratedPayload {
+        bytes: b"NYX_JSON_DEEP",
+        label: "json-parse-python-depth-bomb",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/python/vuln.py"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+            max_depth: MAX_DEPTH,
+        }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-python-depth-shallow",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: b"NYX_JSON_SHALLOW",
+        label: "json-parse-python-depth-shallow",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/python/vuln.py"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
 ];