[pitboss] phase 05: M5 — JS/TS, Go, Java, PHP harness emitters

tests/dynamic_fixtures/php/cmdi_adversarial.php

@@ -0,0 +1,12 @@
+<?php
+// Command injection — adversarial collision fixture.
+// Prints NYX_PWN_CMDI unconditionally without reaching a command sink
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: runPing($host)  Cap: CODE_EXEC
+
+function runPing($host) {
+    // Coincidental oracle match — not a shell sink.
+    echo "NYX_PWN_CMDI\n";
+    $x = strlen($host);
+}

tests/dynamic_fixtures/php/cmdi_negative.php

@@ -0,0 +1,14 @@
+<?php
+// Command injection — negative fixture.
+// Safe: uses escapeshellarg() to prevent shell injection.
+// Entry: runPing($host)  Cap: CODE_EXEC
+// Expected verdict: NotConfirmed
+
+function runPing($host) {
+    // escapeshellarg wraps in single quotes and escapes internal quotes.
+    $safe = escapeshellarg($host);
+    $output = shell_exec('echo hello ' . $safe);
+    if ($output !== null) {
+        echo $output;
+    }
+}

tests/dynamic_fixtures/php/cmdi_positive.php

@@ -0,0 +1,13 @@
+<?php
+// Command injection — positive fixture.
+// Vulnerable: passes user input directly to shell_exec.
+// Entry: runPing($host)  Cap: CODE_EXEC
+// Expected verdict: Confirmed ("; echo NYX_PWN_CMDI" echoes the marker)
+
+function runPing($host) {
+    echo "__NYX_SINK_HIT__\n";
+    $output = shell_exec('echo hello ' . $host);
+    if ($output !== null) {
+        echo $output;
+    }
+}

tests/dynamic_fixtures/php/cmdi_unsupported.php

@@ -0,0 +1,10 @@
+<?php
+// Command injection — unsupported fixture.
+// Entry is a class method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+class Runner {
+    public function execute($cmd) {
+        shell_exec($cmd);
+    }
+}

tests/dynamic_fixtures/php/fileio_adversarial.php

@@ -0,0 +1,12 @@
+<?php
+// File I/O — adversarial collision fixture.
+// Prints "root:" unconditionally without reading any file
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: readFile($userPath)  Cap: FILE_IO
+
+function readFile($userPath) {
+    // Coincidental oracle match — not a file read sink.
+    echo "root: present\n";
+    $x = strlen($userPath);
+}

tests/dynamic_fixtures/php/fileio_negative.php

@@ -0,0 +1,20 @@
+<?php
+// File I/O — negative fixture.
+// Safe: realpath + prefix validation prevents directory traversal.
+// Entry: readFile($userPath)  Cap: FILE_IO
+// Expected verdict: NotConfirmed
+
+function readFile($userPath) {
+    $baseDir = '/var/data';
+    $filePath = realpath($baseDir . '/' . $userPath);
+    if ($filePath === false || strpos($filePath, $baseDir . DIRECTORY_SEPARATOR) !== 0) {
+        echo "Access denied\n";
+        return;
+    }
+    $content = @file_get_contents($filePath);
+    if ($content !== false) {
+        echo substr($content, 0, 100);
+    } else {
+        echo "File not found\n";
+    }
+}

tests/dynamic_fixtures/php/fileio_positive.php

@@ -0,0 +1,14 @@
+<?php
+// File I/O — positive fixture.
+// Vulnerable: reads file at user-controlled path without sanitization.
+// Entry: readFile($userPath)  Cap: FILE_IO
+// Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
+
+function readFile($userPath) {
+    $filePath = '/var/data/' . $userPath;
+    echo "__NYX_SINK_HIT__\n";
+    $content = @file_get_contents($filePath);
+    if ($content !== false) {
+        echo $content;
+    }
+}

tests/dynamic_fixtures/php/fileio_unsupported.php

@@ -0,0 +1,13 @@
+<?php
+// File I/O — unsupported fixture.
+// Entry is a class method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+class FileServer {
+    public function serve($path) {
+        $content = @file_get_contents($path);
+        if ($content !== false) {
+            echo $content;
+        }
+    }
+}

tests/dynamic_fixtures/php/sqli_adversarial.php

@@ -0,0 +1,12 @@
+<?php
+// SQL injection — adversarial collision fixture.
+// Prints NYX_SQL_CONFIRMED unconditionally without reaching a SQL sink
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: login($username)  Cap: SQL_QUERY
+
+function login($username) {
+    // Coincidental oracle match — not a SQL sink.
+    echo "NYX_SQL_CONFIRMED\n";
+    $x = strlen($username);
+}

tests/dynamic_fixtures/php/sqli_negative.php

@@ -0,0 +1,11 @@
+<?php
+// SQL injection — negative fixture.
+// Safe: uses PDO prepared statement; payload is a bound param, not concatenated.
+// Entry: login($username)  Cap: SQL_QUERY
+// Expected verdict: NotConfirmed
+
+function login($username) {
+    $template = "SELECT name FROM users WHERE name = ?";
+    // Simulate parameterized execution: template is fixed.
+    echo "Executing: " . $template . " param-len=" . strlen($username) . "\n";
+}

tests/dynamic_fixtures/php/sqli_positive.php

@@ -0,0 +1,12 @@
+<?php
+// SQL injection — positive fixture.
+// Vulnerable: directly concatenates user input into SQL query string.
+// Entry: login($username)  Cap: SQL_QUERY
+// Expected verdict: Confirmed (UNION payload echoes NYX_SQL_CONFIRMED)
+
+function login($username) {
+    $query = "SELECT name FROM users WHERE name='" . $username . "'";
+    echo "__NYX_SINK_HIT__\n";
+    // Error-based echo: output the query so UNION payload is visible.
+    echo "DB query: " . $query . "\n";
+}

tests/dynamic_fixtures/php/sqli_unsupported.php

@@ -0,0 +1,12 @@
+<?php
+// SQL injection — unsupported fixture.
+// Entry is a class method — entry kind unsupported.
+// Test sets confidence = Low to get Unsupported(ConfidenceTooLow).
+// Expected verdict: Unsupported
+
+class UserRepository {
+    public function findUser($name) {
+        $query = "SELECT * FROM users WHERE name='" . $name . "'";
+        echo $query . "\n";
+    }
+}

tests/dynamic_fixtures/php/ssrf_adversarial.php

@@ -0,0 +1,12 @@
+<?php
+// SSRF — adversarial collision fixture.
+// Prints "daemon:" unconditionally without making any HTTP request
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: fetchUrl($url)  Cap: SSRF
+
+function fetchUrl($url) {
+    // Coincidental oracle match — not an HTTP sink.
+    echo "daemon: present\n";
+    $x = strlen($url);
+}

tests/dynamic_fixtures/php/ssrf_negative.php

@@ -0,0 +1,18 @@
+<?php
+// SSRF — negative fixture.
+// Safe: only allows http/https scheme; file:// and others rejected.
+// Entry: fetchUrl($url)  Cap: SSRF
+// Expected verdict: NotConfirmed
+
+function fetchUrl($url) {
+    $parsed = parse_url($url);
+    $scheme = $parsed['scheme'] ?? '';
+    if ($scheme !== 'http' && $scheme !== 'https') {
+        echo "Scheme not allowed: " . $scheme . "\n";
+        return;
+    }
+    $content = @file_get_contents($url);
+    if ($content !== false) {
+        echo substr($content, 0, 64);
+    }
+}

tests/dynamic_fixtures/php/ssrf_positive.php

@@ -0,0 +1,14 @@
+<?php
+// SSRF — positive fixture.
+// Vulnerable: fetches a user-controlled URL via file_get_contents.
+// PHP's file_get_contents supports file:// scheme natively.
+// Entry: fetchUrl($url)  Cap: SSRF
+// Expected verdict: Confirmed (file:///etc/passwd → "daemon:" in output)
+
+function fetchUrl($url) {
+    echo "__NYX_SINK_HIT__\n";
+    $content = @file_get_contents($url);
+    if ($content !== false) {
+        echo $content;
+    }
+}

tests/dynamic_fixtures/php/ssrf_unsupported.php

@@ -0,0 +1,13 @@
+<?php
+// SSRF — unsupported fixture.
+// Entry is a class method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+class HttpClient {
+    public function fetch($url) {
+        $content = @file_get_contents($url);
+        if ($content !== false) {
+            echo $content;
+        }
+    }
+}

tests/dynamic_fixtures/php/xss_adversarial.php

@@ -0,0 +1,12 @@
+<?php
+// XSS — adversarial collision fixture.
+// Prints the XSS oracle marker unconditionally without rendering any template
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: renderPage($userInput)  Cap: HTML_ESCAPE
+
+function renderPage($userInput) {
+    // Coincidental oracle match — not an HTML render sink.
+    echo "<script>NYX_XSS_CONFIRMED</script>\n";
+    $x = strlen($userInput);
+}

tests/dynamic_fixtures/php/xss_negative.php

@@ -0,0 +1,10 @@
+<?php
+// XSS — negative fixture.
+// Safe: uses htmlspecialchars() before output.
+// Entry: renderPage($userInput)  Cap: HTML_ESCAPE
+// Expected verdict: NotConfirmed
+
+function renderPage($userInput) {
+    $safe = htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
+    echo '<html><body>' . $safe . '</body></html>' . "\n";
+}

tests/dynamic_fixtures/php/xss_positive.php

@@ -0,0 +1,10 @@
+<?php
+// XSS — positive fixture.
+// Vulnerable: echoes raw user input into HTML output without escaping.
+// Entry: renderPage($userInput)  Cap: HTML_ESCAPE
+// Expected verdict: Confirmed (<script>NYX_XSS_CONFIRMED</script> echoed)
+
+function renderPage($userInput) {
+    echo "__NYX_SINK_HIT__\n";
+    echo '<html><body>' . $userInput . '</body></html>' . "\n";
+}

tests/dynamic_fixtures/php/xss_unsupported.php

@@ -0,0 +1,10 @@
+<?php
+// XSS — unsupported fixture.
+// Entry is a class method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+class TemplateEngine {
+    public function render($input) {
+        echo '<html><body>' . $input . '</body></html>' . "\n";
+    }
+}