[pitboss/grind] deferred session-0002 (20260522T163126Z-7d60)

2026-06-15 20:05:13 +02:00 · 2026-05-22 12:37:54 -05:00 · 2026-05-22 12:37:54 -05:00 · 3486056f5e
commit 3486056f5e
parent e4258d63ed
12 changed files with 1129 additions and 26 deletions
--- a/src/dynamic/corpus/json_parse/go.rs
+++ b/src/dynamic/corpus/json_parse/go.rs
@ -0,0 +1,54 @@
+//! Go `Cap::JSON_PARSE` payloads.
+//!
+//! The depth pair shares a single fixture; the payload tag
+//! (`NYX_JSON_DEEP` vs `NYX_JSON_SHALLOW`) picks the branch.  Go has
+//! no prototype-pollution surface so the canary half of the slice is
+//! intentionally omitted.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const MAX_DEPTH: u32 = 64;
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"NYX_JSON_DEEP",
+        label: "json-parse-go-depth-bomb",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/go/vuln.go"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+            max_depth: MAX_DEPTH,
+        }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-go-depth-shallow",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: b"NYX_JSON_SHALLOW",
+        label: "json-parse-go-depth-shallow",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/go/vuln.go"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];
--- a/src/dynamic/corpus/json_parse/mod.rs
+++ b/src/dynamic/corpus/json_parse/mod.rs
@ -16,6 +16,9 @@
 //! benign control sends a JSON literal whose top-level key is the
 //! regular property `data`, leaving the chain untouched.

+pub mod go;
 pub mod javascript;
+pub mod php;
 pub mod python;
 pub mod ruby;
+pub mod rust;
--- a/src/dynamic/corpus/json_parse/php.rs
+++ b/src/dynamic/corpus/json_parse/php.rs
@ -0,0 +1,54 @@
+//! PHP `Cap::JSON_PARSE` payloads.
+//!
+//! The depth pair shares a single fixture; the payload tag
+//! (`NYX_JSON_DEEP` vs `NYX_JSON_SHALLOW`) picks the branch.  PHP has
+//! no prototype-pollution surface so the canary half of the slice is
+//! intentionally omitted.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const MAX_DEPTH: u32 = 64;
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"NYX_JSON_DEEP",
+        label: "json-parse-php-depth-bomb",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/php/vuln.php"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+            max_depth: MAX_DEPTH,
+        }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-php-depth-shallow",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: b"NYX_JSON_SHALLOW",
+        label: "json-parse-php-depth-shallow",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/php/vuln.php"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];
--- a/src/dynamic/corpus/json_parse/rust.rs
+++ b/src/dynamic/corpus/json_parse/rust.rs
@ -0,0 +1,54 @@
+//! Rust `Cap::JSON_PARSE` payloads.
+//!
+//! The depth pair shares a single fixture; the payload tag
+//! (`NYX_JSON_DEEP` vs `NYX_JSON_SHALLOW`) picks the branch.  Rust has
+//! no prototype-pollution surface so the canary half of the slice is
+//! intentionally omitted.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const MAX_DEPTH: u32 = 64;
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"NYX_JSON_DEEP",
+        label: "json-parse-rust-depth-bomb",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/rust/vuln.rs"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+            max_depth: MAX_DEPTH,
+        }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-rust-depth-shallow",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: b"NYX_JSON_SHALLOW",
+        label: "json-parse-rust-depth-shallow",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/rust/vuln.rs"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];
--- a/src/dynamic/corpus/registry.rs
+++ b/src/dynamic/corpus/registry.rs
@ -199,8 +199,11 @@ const ENTRIES: &[(Cap, Lang, &[CuratedPayload])] = &[
        Lang::JavaScript,
        json_parse::javascript::PAYLOADS,
    ),
+    (Cap::JSON_PARSE, Lang::Go, json_parse::go::PAYLOADS),
+    (Cap::JSON_PARSE, Lang::Php, json_parse::php::PAYLOADS),
    (Cap::JSON_PARSE, Lang::Python, json_parse::python::PAYLOADS),
    (Cap::JSON_PARSE, Lang::Ruby, json_parse::ruby::PAYLOADS),
+    (Cap::JSON_PARSE, Lang::Rust, json_parse::rust::PAYLOADS),
    (
        Cap::UNAUTHORIZED_ID,
        Lang::Python,