From 368f6280548f8204696e1923d9ee42cb4c26241f Mon Sep 17 00:00:00 2001 From: pitboss Date: Thu, 21 May 2026 16:05:15 -0500 Subject: [PATCH] [pitboss/grind] deferred session-0003 (20260521T201327Z-3848) --- frontend/src/styles/global.css | 133 ++++++++++++ .../components/dynamicVerdictSection.test.tsx | 36 +++- .../src/test/components/verdictBadge.test.tsx | 23 +- src/dynamic/build_sandbox.rs | 2 +- .../framework/adapters/graphql_apollo.rs | 198 +++++++++++++++--- .../framework/adapters/middleware_rails.rs | 3 +- .../framework/adapters/migration_laravel.rs | 5 +- src/dynamic/framework/adapters/ruby_hanami.rs | 176 +++++++++++++++- .../framework/adapters/scheduled_sidekiq.rs | 97 +++++++-- src/dynamic/sandbox/mod.rs | 31 +-- src/server/jobs.rs | 2 + src/server/models.rs | 6 +- src/server/routes/findings.rs | 4 +- src/server/routes/scans.rs | 42 ++++ 14 files changed, 672 insertions(+), 86 deletions(-) diff --git a/frontend/src/styles/global.css b/frontend/src/styles/global.css index 5a08df74..3d5b2922 100644 --- a/frontend/src/styles/global.css +++ b/frontend/src/styles/global.css @@ -2504,6 +2504,139 @@ tr.selected td { color: var(--text); } +/* ── Finding Detail: dynamic verification ─────────────────────────── */ +.badge-dyn-confirmed { + background: var(--success-bg); + color: var(--success); +} +.badge-dyn-notconfirmed { + background: var(--bg-secondary); + color: var(--text-secondary); +} +.badge-dyn-inconclusive { + background: var(--sev-medium-bg); + color: var(--sev-medium); +} +.badge-dyn-unsupported { + background: var(--conf-low-bg); + color: var(--conf-low); +} +.dynamic-verdict-section { + display: flex; + flex-direction: column; + gap: var(--space-3); + font-size: var(--text-sm); + line-height: 1.45; +} +.dynamic-verdict-badge-row { + display: flex; + align-items: center; + flex-wrap: wrap; + gap: var(--space-2); +} +.dynamic-toolchain-match { + display: inline-flex; + align-items: center; + min-height: 22px; + padding: 2px 8px; + border: 1px solid var(--border); + border-radius: var(--radius-sm); + background: var(--bg-secondary); + color: var(--text-secondary); + font-size: var(--text-xs); +} +.repro-panel, +.dynamic-verdict-detail, +.dynamic-attempts { + border: 1px solid var(--border-light); + border-radius: 6px; + background: var(--bg); + padding: var(--space-3); +} +.repro-cmd-row { + display: flex; + align-items: center; + gap: var(--space-2); + min-width: 0; + flex-wrap: wrap; +} +.repro-label, +.dynamic-attempts > strong, +.dynamic-verdict-detail strong { + color: var(--text-secondary); + font-size: var(--text-xs); + font-weight: var(--weight-semibold); + text-transform: uppercase; + letter-spacing: 0.06em; +} +.repro-cmd { + flex: 1 1 220px; + min-width: 0; + overflow-wrap: anywhere; + padding: 4px 7px; + border-radius: var(--radius-sm); + background: var(--terminal-bg); + color: var(--terminal-text); + font-size: 0.78rem; +} +.repro-copy-btn { + flex: 0 0 auto; +} +.dynamic-verdict-detail { + display: grid; + gap: var(--space-2); +} +.dynamic-verdict-detail-text { + color: var(--text-secondary); + overflow-wrap: anywhere; +} +.dynamic-attempt-list { + list-style: none; + display: grid; + gap: var(--space-2); + margin: var(--space-2) 0 0; + padding: 0; +} +.attempt-row { + display: grid; + grid-template-columns: minmax(0, 1fr) auto auto; + align-items: center; + gap: var(--space-2); + padding: 8px 10px; + border: 1px solid var(--border-light); + border-radius: 6px; + background: var(--surface); +} +.attempt-row.triggered { + border-color: color-mix(in srgb, var(--success) 35%, var(--border)); + background: var(--success-bg); +} +.attempt-row code { + min-width: 0; + overflow-wrap: anywhere; + font-size: 0.8rem; +} +.attempt-outcome, +.attempt-exit-code { + color: var(--text-secondary); + font-size: var(--text-xs); + white-space: nowrap; +} +.attempt-row.triggered .attempt-outcome { + color: var(--success); + font-weight: var(--weight-semibold); +} +@media (max-width: 640px) { + .attempt-row { + grid-template-columns: 1fr; + align-items: start; + } + .attempt-outcome, + .attempt-exit-code { + white-space: normal; + } +} + /* ── Code Viewer Modal ────────────────────────────────────────────── */ .code-modal-overlay { position: fixed; diff --git a/frontend/src/test/components/dynamicVerdictSection.test.tsx b/frontend/src/test/components/dynamicVerdictSection.test.tsx index 26758288..26ed1f3e 100644 --- a/frontend/src/test/components/dynamicVerdictSection.test.tsx +++ b/frontend/src/test/components/dynamicVerdictSection.test.tsx @@ -28,7 +28,9 @@ describe('DynamicVerdictSection', () => { it('renders Confirmed badge', () => { render( , ); expect(screen.getByTestId('verdict-badge-confirmed')).toBeInTheDocument(); @@ -36,7 +38,18 @@ describe('DynamicVerdictSection', () => { it('renders NotConfirmed badge', () => { render(); - expect(screen.getByTestId('verdict-badge-notconfirmed')).toBeInTheDocument(); + expect( + screen.getByTestId('verdict-badge-notconfirmed'), + ).toBeInTheDocument(); + }); + + it('does not crash when the API omits an empty attempts array', () => { + render( + , + ); + expect(screen.getByTestId('verdict-badge-confirmed')).toBeInTheDocument(); }); it('renders Unsupported badge', () => { @@ -51,10 +64,14 @@ describe('DynamicVerdictSection', () => { it('renders Inconclusive badge', () => { render( , ); - expect(screen.getByTestId('verdict-badge-inconclusive')).toBeInTheDocument(); + expect( + screen.getByTestId('verdict-badge-inconclusive'), + ).toBeInTheDocument(); }); it('shows repro panel only for Confirmed status', () => { @@ -64,7 +81,11 @@ describe('DynamicVerdictSection', () => { expect(screen.getByTestId('repro-panel')).toBeInTheDocument(); unmount(); - for (const status of ['NotConfirmed', 'Unsupported', 'Inconclusive'] as const) { + for (const status of [ + 'NotConfirmed', + 'Unsupported', + 'Inconclusive', + ] as const) { const { unmount: u } = render( , ); @@ -92,8 +113,9 @@ describe('DynamicVerdictSection', () => { fireEvent.click(copyBtn); expect(navigator.clipboard.writeText).toHaveBeenCalledOnce(); - const calledWith = (navigator.clipboard.writeText as ReturnType).mock - .calls[0][0] as string; + const calledWith = ( + navigator.clipboard.writeText as ReturnType + ).mock.calls[0][0] as string; expect(calledWith).toContain(findingId); expect(calledWith).toContain('nyx repro'); }); diff --git a/frontend/src/test/components/verdictBadge.test.tsx b/frontend/src/test/components/verdictBadge.test.tsx index 1380bd12..9a55c338 100644 --- a/frontend/src/test/components/verdictBadge.test.tsx +++ b/frontend/src/test/components/verdictBadge.test.tsx @@ -24,7 +24,9 @@ describe('VerdictBadge', () => { it('renders Confirmed badge with flame and correct class', () => { render( , ); const badge = screen.getByTestId('verdict-badge-confirmed'); @@ -41,6 +43,17 @@ describe('VerdictBadge', () => { expect(badge.textContent).not.toContain('🔥'); }); + it('renders when attempts are omitted by the API', () => { + render( + , + ); + expect( + screen.getByTestId('verdict-badge-notconfirmed'), + ).toBeInTheDocument(); + }); + it('renders Unsupported badge with correct class', () => { render( { it('tooltip contains payload for Confirmed', () => { render( , ); const badge = screen.getByTestId('verdict-badge-confirmed'); @@ -100,7 +115,9 @@ describe('VerdictBadge', () => { 'Inconclusive', ]; for (const status of statuses) { - const { unmount } = render(); + const { unmount } = render( + , + ); expect( screen.getByTestId(`verdict-badge-${status.toLowerCase()}`), ).toBeInTheDocument(); diff --git a/src/dynamic/build_sandbox.rs b/src/dynamic/build_sandbox.rs index 93c9f669..d04b85fb 100644 --- a/src/dynamic/build_sandbox.rs +++ b/src/dynamic/build_sandbox.rs @@ -1389,7 +1389,7 @@ struct BuildContainerGuard { impl Drop for BuildContainerGuard { fn drop(&mut self) { let _ = std::process::Command::new(&self.docker) - .args(["stop", "--time=0", &self.name]) + .args(["rm", "-f", &self.name]) .stdout(std::process::Stdio::null()) .stderr(std::process::Stdio::null()) .status(); diff --git a/src/dynamic/framework/adapters/graphql_apollo.rs b/src/dynamic/framework/adapters/graphql_apollo.rs index 24f3e3f5..ad36003b 100644 --- a/src/dynamic/framework/adapters/graphql_apollo.rs +++ b/src/dynamic/framework/adapters/graphql_apollo.rs @@ -1,8 +1,16 @@ //! Phase 21 (Track M.3) — Apollo GraphQL resolver adapter (JS). //! //! Fires when the surrounding source imports `@apollo/server` / the -//! legacy `apollo-server` / `apollo-server-express` package, or the -//! function body sits inside a `Query` / `Mutation` resolver map. +//! legacy `apollo-server` / `apollo-server-express` package AND the +//! function under analysis looks like a resolver: either its name is +//! a key inside a `Query: { … }` / `Mutation: { … }` / `Subscription: +//! { … }` literal block, or its declaration carries the canonical +//! `(parent, args, context, info?)` formal signature. +//! +//! The previous version of this adapter accepted the bare source +//! needle `const resolvers`, which bound every function inside any +//! file that happened to declare such a variable (Phase 21 +//! binding-stealing audit follow-up). use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding}; use crate::evidence::EntryKind; @@ -13,14 +21,6 @@ pub struct GraphqlApolloAdapter; const ADAPTER_NAME: &str = "graphql-apollo"; -fn callee_is_apollo(name: &str) -> bool { - let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name); - matches!( - last, - "ApolloServer" | "startStandaloneServer" | "gql" | "applyMiddleware" | "expressMiddleware" - ) -} - fn source_imports_apollo(file_bytes: &[u8]) -> bool { const NEEDLES: &[&[u8]] = &[ b"@apollo/server", @@ -30,17 +30,96 @@ fn source_imports_apollo(file_bytes: &[u8]) -> bool { b"from 'apollo-server", b"from \"apollo-server", b"new ApolloServer", - b"const resolvers", ]; NEEDLES .iter() .any(|n| file_bytes.windows(n.len()).any(|w| w == *n)) } +fn name_in_resolver_block(name: &str, file_bytes: &[u8]) -> bool { + if name.is_empty() { + return false; + } + if name.starts_with("Query.") + || name.starts_with("Mutation.") + || name.starts_with("Subscription.") + { + return true; + } + let text = match std::str::from_utf8(file_bytes) { + Ok(s) => s, + Err(_) => return false, + }; + let bytes = text.as_bytes(); + for opener in ["Query:", "Mutation:", "Subscription:"] { + let mut cursor = 0; + while let Some(idx) = text[cursor..].find(opener) { + let after_open = cursor + idx + opener.len(); + let rest = &text[after_open..]; + let trimmed = rest.trim_start(); + if !trimmed.starts_with('{') { + cursor = after_open; + continue; + } + let body_start = after_open + (rest.len() - trimmed.len()) + 1; + let mut depth = 1i32; + let mut i = body_start; + while i < bytes.len() && depth > 0 { + match bytes[i] { + b'{' => depth += 1, + b'}' => depth -= 1, + _ => {} + } + i += 1; + } + let inner_end = i.saturating_sub(1).min(bytes.len()); + let inner = &text[body_start..inner_end]; + let key_colon = format!("{name}:"); + let key_paren = format!("{name}("); + if inner.contains(&key_colon) || inner.contains(&key_paren) { + return true; + } + cursor = inner_end; + } + } + false +} + +fn has_resolver_signature(name: &str, file_bytes: &[u8]) -> bool { + if name.is_empty() { + return false; + } + let text = match std::str::from_utf8(file_bytes) { + Ok(s) => s, + Err(_) => return false, + }; + const PARENTS: &[&str] = &["parent", "root", "obj", "_"]; + const ARGS: &[&str] = &["args", "input", "_args", "params", "variables"]; + for p in PARENTS { + for a in ARGS { + let pairs = [ + format!("function {name}({p}, {a}"), + format!("function {name}({p},{a}"), + format!("{name} = function({p}, {a}"), + format!("{name} = function({p},{a}"), + format!("{name} = ({p}, {a}"), + format!("{name} = ({p},{a}"), + format!("{name}: function({p}, {a}"), + format!("{name}: function({p},{a}"), + format!("{name}: ({p}, {a}"), + format!("{name}: ({p},{a}"), + format!("{name}({p}, {a}"), + format!("{name}({p},{a}"), + ]; + if pairs.iter().any(|p| text.contains(p.as_str())) { + return true; + } + } + } + false +} + fn extract_resolver(summary: &FuncSummary) -> (String, String) { - // Best-effort: split a fully-qualified name like `Query.user` into - // `("Query", "user")`. Falls back to ("Query", name) so the - // binding always carries some type_name + field. if let Some((parent, field)) = summary.name.rsplit_once('.') { return (parent.to_owned(), field.to_owned()); } @@ -62,21 +141,23 @@ impl FrameworkAdapter for GraphqlApolloAdapter { _ast: tree_sitter::Node<'_>, file_bytes: &[u8], ) -> Option { - let matches_call = super::any_callee_matches(summary, callee_is_apollo); - let matches_source = source_imports_apollo(file_bytes); - if matches_call || matches_source { - let (type_name, field) = extract_resolver(summary); - Some(FrameworkBinding { - adapter: ADAPTER_NAME.to_owned(), - kind: EntryKind::GraphQLResolver { type_name, field }, - route: None, - request_params: Vec::new(), - response_writer: None, - middleware: Vec::new(), - }) - } else { - None + if !source_imports_apollo(file_bytes) { + return None; } + let in_block = name_in_resolver_block(&summary.name, file_bytes); + let has_sig = has_resolver_signature(&summary.name, file_bytes); + if !(in_block || has_sig) { + return None; + } + let (type_name, field) = extract_resolver(summary); + Some(FrameworkBinding { + adapter: ADAPTER_NAME.to_owned(), + kind: EntryKind::GraphQLResolver { type_name, field }, + route: None, + request_params: Vec::new(), + response_writer: None, + middleware: Vec::new(), + }) } } @@ -109,4 +190,65 @@ mod tests { assert_eq!(field, "user"); } } + + #[test] + fn fires_on_resolver_signature_outside_query_block() { + // Real-world resolver declared as a standalone function with the + // canonical (parent, args, context) signature, exported for use + // in the schema. Matches the dynamic fixture shape. + let src: &[u8] = b"const _NYX_ADAPTER_MARKER = \"require('@apollo/server')\";\n\ + function resolveUser(parent, args, ctx) { return args.id; }\n\ + module.exports = { resolveUser };\n"; + let tree = parse_js(src); + let summary = FuncSummary { + name: "resolveUser".into(), + ..Default::default() + }; + let binding = GraphqlApolloAdapter + .detect(&summary, tree.root_node(), src) + .expect("standalone resolver binds via signature"); + assert_eq!(binding.adapter, "graphql-apollo"); + } + + #[test] + fn does_not_bind_unrelated_helper_in_apollo_file() { + // File imports Apollo and declares a `Query` block on a + // different field, but the analyser is asking about an unrelated + // helper that neither sits in the resolver block nor has the + // canonical (parent, args) shape. + let src: &[u8] = b"const { ApolloServer } = require('@apollo/server');\n\ + function loadConfig() { return { port: 3000 }; }\n\ + const resolvers = { Query: { user: () => 'x' } };\n"; + let tree = parse_js(src); + let summary = FuncSummary { + name: "loadConfig".into(), + ..Default::default() + }; + assert!( + GraphqlApolloAdapter + .detect(&summary, tree.root_node(), src) + .is_none(), + "unrelated helper in an Apollo file must not bind as a resolver", + ); + } + + #[test] + fn does_not_bind_bare_const_resolvers_outside_apollo() { + // File declares `const resolvers = …` without any Apollo import. + // The old needle `const resolvers` bound this; the tightened + // adapter requires a real Apollo source token first. + let src: &[u8] = b"const resolvers = { foo: () => 'bar' };\n\ + function helper() { return 1; }\n"; + let tree = parse_js(src); + let summary = FuncSummary { + name: "helper".into(), + ..Default::default() + }; + assert!( + GraphqlApolloAdapter + .detect(&summary, tree.root_node(), src) + .is_none(), + "`const resolvers` alone must not bind without an Apollo import", + ); + } } diff --git a/src/dynamic/framework/adapters/middleware_rails.rs b/src/dynamic/framework/adapters/middleware_rails.rs index 10ad4f28..68e467b2 100644 --- a/src/dynamic/framework/adapters/middleware_rails.rs +++ b/src/dynamic/framework/adapters/middleware_rails.rs @@ -75,8 +75,7 @@ impl FrameworkAdapter for MiddlewareRailsAdapter { } let has_middleware_shape = source_has_rack_middleware_shape(file_bytes); let name_matches = name_is_rack_entry(&summary.name); - let body_mounts_middleware = - super::any_callee_matches(summary, callee_is_rails_middleware); + let body_mounts_middleware = super::any_callee_matches(summary, callee_is_rails_middleware); let binds = (name_matches && has_middleware_shape) || body_mounts_middleware; if !binds { return None; diff --git a/src/dynamic/framework/adapters/migration_laravel.rs b/src/dynamic/framework/adapters/migration_laravel.rs index 2a96de31..236d88bc 100644 --- a/src/dynamic/framework/adapters/migration_laravel.rs +++ b/src/dynamic/framework/adapters/migration_laravel.rs @@ -21,7 +21,10 @@ const ADAPTER_NAME: &str = "migration-laravel"; fn callee_is_laravel_migration_ddl(name: &str) -> bool { let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name); - matches!(last, "create" | "table" | "drop" | "statement" | "unprepared") + matches!( + last, + "create" | "table" | "drop" | "statement" | "unprepared" + ) } fn source_has_migration_shape(file_bytes: &[u8]) -> bool { diff --git a/src/dynamic/framework/adapters/ruby_hanami.rs b/src/dynamic/framework/adapters/ruby_hanami.rs index d65b3ff2..a00511f2 100644 --- a/src/dynamic/framework/adapters/ruby_hanami.rs +++ b/src/dynamic/framework/adapters/ruby_hanami.rs @@ -30,11 +30,32 @@ fn class_is_hanami_action(class: Node<'_>, bytes: &[u8]) -> bool { || class_includes(class, bytes, "Hanami::Action") } -/// Walk the file for a `# nyx-route: ` comment so -/// fixtures can pin an explicit route without needing the Hanami -/// routes DSL. Defaults to `(GET, "/")` if no marker is found. -fn pinned_route(file_bytes: &[u8], fallback_path: &str) -> (HttpMethod, String) { - let text = std::str::from_utf8(file_bytes).unwrap_or(""); +/// Resolve the route metadata for `class_name`. Tries the inline +/// Hanami v2 routes DSL first (`get "/run", to: "RunAction"` inside a +/// `Hanami::Routes` / `routes do` block that co-exists with the +/// action class in the same file), then the synthetic +/// `# nyx-route: ` comment fixtures rely on, then +/// finally a `(GET, fallback_path)` default. +/// +/// Cross-file routes resolution (`config/routes.rb` + `app/actions//.rb`) +/// still needs a project-level file index on the adapter trait — +/// `FrameworkAdapter::detect` only sees one file at a time. +fn route_for_class( + file_bytes: &[u8], + class_name: &str, + fallback_path: &str, +) -> (HttpMethod, String) { + if let Some(found) = parse_inline_route(file_bytes, class_name) { + return found; + } + if let Some(found) = pinned_comment_route(file_bytes) { + return found; + } + (HttpMethod::GET, fallback_path.to_owned()) +} + +fn pinned_comment_route(file_bytes: &[u8]) -> Option<(HttpMethod, String)> { + let text = std::str::from_utf8(file_bytes).ok()?; for line in text.lines() { let trim = line.trim_start(); if let Some(rest) = trim.strip_prefix("# nyx-route:") { @@ -42,11 +63,70 @@ fn pinned_route(file_bytes: &[u8], fallback_path: &str) -> (HttpMethod, String) let mut parts = rest.split_ascii_whitespace(); if let (Some(verb), Some(path)) = (parts.next(), parts.next()) { let method = HttpMethod::from_ident(verb).unwrap_or(HttpMethod::GET); - return (method, path.to_owned()); + return Some((method, path.to_owned())); } } } - (HttpMethod::GET, fallback_path.to_owned()) + None +} + +/// Parse the Hanami v2 routes DSL when the routes file and the action +/// class co-exist in one file. Recognises lines of the form +/// ` "", to: ""` (or single-quoted variants) and +/// matches `` against `class_name` either by exact match or by +/// its `snake_case` form (Hanami's container-key convention, +/// e.g. `to: "actions.run_action"`). +fn parse_inline_route(file_bytes: &[u8], class_name: &str) -> Option<(HttpMethod, String)> { + let text = std::str::from_utf8(file_bytes).ok()?; + let snake = camel_to_snake(class_name); + for raw_line in text.lines() { + let line = raw_line.trim_start(); + if let Some(parsed) = parse_route_line(line, class_name, &snake) { + return Some(parsed); + } + } + None +} + +fn parse_route_line(line: &str, class_orig: &str, class_snake: &str) -> Option<(HttpMethod, String)> { + let (verb_tok, after) = line.split_once(char::is_whitespace)?; + let method = HttpMethod::from_ident(verb_tok)?; + let after = after.trim_start(); + let (path, rest) = parse_quoted(after)?; + let to_idx = rest.find("to:")?; + let after_to = rest[to_idx + 3..].trim_start(); + let (target, _) = parse_quoted(after_to)?; + let target_last = target.rsplit_once('.').map(|(_, s)| s).unwrap_or(&target); + if target_last == class_orig || target_last == class_snake { + return Some((method, path)); + } + None +} + +fn parse_quoted(s: &str) -> Option<(String, &str)> { + let quote = match s.as_bytes().first() { + Some(b'"') => '"', + Some(b'\'') => '\'', + _ => return None, + }; + let rest = &s[1..]; + let end = rest.find(quote)?; + Some((rest[..end].to_owned(), &rest[end + 1..])) +} + +fn camel_to_snake(s: &str) -> String { + let mut out = String::with_capacity(s.len() + 2); + for (i, ch) in s.char_indices() { + if ch.is_ascii_uppercase() { + if i > 0 { + out.push('_'); + } + out.push(ch.to_ascii_lowercase()); + } else { + out.push(ch); + } + } + out } fn hanami_default_path(class_name: &str) -> String { @@ -89,7 +169,7 @@ impl FrameworkAdapter for RubyHanamiAdapter { } let cls_name = class_name(class, file_bytes).unwrap_or("Entry"); let default = hanami_default_path(cls_name); - let (http_method, path) = pinned_route(file_bytes, &default); + let (http_method, path) = route_for_class(file_bytes, cls_name, &default); let formals = method_formal_names(method, file_bytes); let request_params = bind_path_params(&formals, &path); Some(FrameworkBinding { @@ -196,6 +276,86 @@ mod tests { assert!(matches!(req.source, ParamSource::Implicit)); } + #[test] + fn picks_up_inline_routes_dsl_classname_to() { + // Hanami v2 routes DSL co-located with the action class. The + // routes block names the action class via `to: "RunAction"`; + // the adapter must pick up `POST /run` rather than the + // snake-case default. + let src: &[u8] = b"require 'hanami/routes'\n\ + require 'hanami/action'\n\ + class Routes < Hanami::Routes\n\ + post \"/run\", to: \"RunAction\"\n\ + end\n\ + class RunAction < Hanami::Action\n\ + def call(req)\n\ + 'ok'\n\ + end\n\ + end\n"; + let tree = parse(src); + let binding = RubyHanamiAdapter + .detect(&summary("call"), tree.root_node(), src) + .expect("binding"); + let route = binding.route.unwrap(); + assert_eq!(route.method, HttpMethod::POST); + assert_eq!(route.path, "/run"); + } + + #[test] + fn picks_up_inline_routes_dsl_snake_case_to() { + // Hanami v2 supports `to: "actions.run_action"` container-key + // notation in addition to the bare class name. The adapter + // should match `run_action` against the snake_case of + // `RunAction`. + let src: &[u8] = b"require 'hanami/routes'\n\ + require 'hanami/action'\n\ + class Routes < Hanami::Routes\n\ + get \"/u/:id\", to: \"actions.run_action\"\n\ + end\n\ + class RunAction < Hanami::Action\n\ + def call(req, id)\n\ + id\n\ + end\n\ + end\n"; + let tree = parse(src); + let binding = RubyHanamiAdapter + .detect(&summary("call"), tree.root_node(), src) + .expect("binding"); + let route = binding.route.unwrap(); + assert_eq!(route.method, HttpMethod::GET); + assert_eq!(route.path, "/u/:id"); + let id = binding + .request_params + .iter() + .find(|p| p.name == "id") + .unwrap(); + assert!(matches!(id.source, ParamSource::PathSegment(_))); + } + + #[test] + fn inline_routes_dsl_wins_over_pinned_comment() { + // When both an inline routes-DSL line and a `# nyx-route:` + // comment are present, the routes-DSL line wins because it is + // the canonical source of truth. + let src: &[u8] = b"# nyx-route: GET /old\n\ + require 'hanami/routes'\n\ + class Routes < Hanami::Routes\n\ + put \"/new\", to: \"PutAction\"\n\ + end\n\ + class PutAction < Hanami::Action\n\ + def call(req)\n\ + 'ok'\n\ + end\n\ + end\n"; + let tree = parse(src); + let binding = RubyHanamiAdapter + .detect(&summary("call"), tree.root_node(), src) + .expect("binding"); + let route = binding.route.unwrap(); + assert_eq!(route.method, HttpMethod::PUT); + assert_eq!(route.path, "/new"); + } + #[test] fn skips_non_hanami_classes() { let src: &[u8] = diff --git a/src/dynamic/framework/adapters/scheduled_sidekiq.rs b/src/dynamic/framework/adapters/scheduled_sidekiq.rs index 7d6189e3..81492fed 100644 --- a/src/dynamic/framework/adapters/scheduled_sidekiq.rs +++ b/src/dynamic/framework/adapters/scheduled_sidekiq.rs @@ -1,8 +1,18 @@ //! Phase 21 (Track M.3) — Ruby Sidekiq worker / scheduled-job adapter. //! -//! Fires when the surrounding source includes the Sidekiq worker -//! mixin (`include Sidekiq::Worker` / `Sidekiq::Job`) or invokes a -//! Sidekiq scheduling callee (`perform_async`, `perform_in`). +//! Fires when the surrounding source carries a Sidekiq shape marker +//! (`include Sidekiq::Worker` / `Sidekiq::Job` / `sidekiq_options` / +//! `require 'sidekiq'`) AND either the function under analysis is the +//! worker entry point (`perform` / `perform_async` / `perform_in`) or +//! its body schedules a Sidekiq job (calls `perform_async` / +//! `perform_in`). +//! +//! The previous version of this adapter matched the bare callee name +//! `set` as a scheduling signal, which collided with unrelated methods +//! like `Set#add` / `Hash#[]=` (Phase 21 binding-stealing audit +//! follow-up). `set` is now recognised only as part of the Sidekiq +//! shape gate; binding additionally requires the function itself to be +//! a worker entry or to call the real scheduling callees. use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding}; use crate::evidence::EntryKind; @@ -13,12 +23,16 @@ pub struct ScheduledSidekiqAdapter; const ADAPTER_NAME: &str = "scheduled-sidekiq"; -fn callee_is_sidekiq(name: &str) -> bool { +fn callee_schedules_sidekiq(name: &str) -> bool { let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name); - matches!(last, "perform_async" | "perform_in" | "perform" | "set") + matches!(last, "perform_async" | "perform_in") } -fn source_imports_sidekiq(file_bytes: &[u8]) -> bool { +fn name_is_sidekiq_entry(name: &str) -> bool { + matches!(name, "perform" | "perform_async" | "perform_in") +} + +fn source_has_sidekiq_shape(file_bytes: &[u8]) -> bool { const NEEDLES: &[&[u8]] = &[ b"include Sidekiq::Worker", b"include Sidekiq::Job", @@ -75,22 +89,25 @@ impl FrameworkAdapter for ScheduledSidekiqAdapter { _ast: tree_sitter::Node<'_>, file_bytes: &[u8], ) -> Option { - let matches_call = super::any_callee_matches(summary, callee_is_sidekiq); - let matches_source = source_imports_sidekiq(file_bytes); - if matches_call || matches_source { - Some(FrameworkBinding { - adapter: ADAPTER_NAME.to_owned(), - kind: EntryKind::ScheduledJob { - schedule: extract_schedule(file_bytes), - }, - route: None, - request_params: Vec::new(), - response_writer: None, - middleware: Vec::new(), - }) - } else { - None + let has_shape = source_has_sidekiq_shape(file_bytes); + if !has_shape { + return None; } + let name_matches = name_is_sidekiq_entry(&summary.name); + let body_schedules = super::any_callee_matches(summary, callee_schedules_sidekiq); + if !(name_matches || body_schedules) { + return None; + } + Some(FrameworkBinding { + adapter: ADAPTER_NAME.to_owned(), + kind: EntryKind::ScheduledJob { + schedule: extract_schedule(file_bytes), + }, + route: None, + request_params: Vec::new(), + response_writer: None, + middleware: Vec::new(), + }) } } @@ -119,4 +136,42 @@ mod tests { assert_eq!(binding.adapter, "scheduled-sidekiq"); assert!(matches!(binding.kind, EntryKind::ScheduledJob { .. })); } + + #[test] + fn does_not_bind_set_method_in_non_sidekiq_file() { + // Method named `set` on a class with no Sidekiq tokens anywhere + // — used to bind because the prior `callee_is_sidekiq` matched + // the bare callee `set`, colliding with `Set#add` / `Hash#[]=`. + let src: &[u8] = b"class MySet\n def set(key, val)\n @h[key] = val\n end\nend\n"; + let tree = parse_ruby(src); + let summary = FuncSummary { + name: "set".into(), + ..Default::default() + }; + assert!( + ScheduledSidekiqAdapter + .detect(&summary, tree.root_node(), src) + .is_none(), + "bare `set` method outside Sidekiq scope must not bind", + ); + } + + #[test] + fn does_not_bind_unrelated_method_inside_sidekiq_file() { + // Sidekiq-flavoured file but the analyser is asking about an + // unrelated helper that neither shares the worker entry name + // nor calls `perform_async` / `perform_in`. + let src: &[u8] = b"# include Sidekiq::Worker\nclass MySet\n def set(key)\n @s.add(key)\n end\nend\n"; + let tree = parse_ruby(src); + let summary = FuncSummary { + name: "set".into(), + ..Default::default() + }; + assert!( + ScheduledSidekiqAdapter + .detect(&summary, tree.root_node(), src) + .is_none(), + "non-worker helper in a Sidekiq file must not bind", + ); + } } diff --git a/src/dynamic/sandbox/mod.rs b/src/dynamic/sandbox/mod.rs index 3637e7f7..ccadc62e 100644 --- a/src/dynamic/sandbox/mod.rs +++ b/src/dynamic/sandbox/mod.rs @@ -19,8 +19,8 @@ //! backend is intentionally weaker and is for dev iteration only. //! //! All public state on the sandbox is owned by the caller — there is no -//! global runtime, no daemon. Containers are stopped and removed when the -//! process exits. +//! daemon. Containers are stopped and removed when the caller explicitly +//! cleans up or when the process exits. use crate::dynamic::harness::BuiltHarness; use crate::dynamic::oob::OobListener; @@ -679,30 +679,37 @@ fn container_registry() -> &'static dashmap::DashMap { }) } -/// extern "C" fn registered via atexit(3). -/// -/// Stops all containers in the registry with --time=0 (immediate SIGKILL). -/// Runs on normal process exit and on `std::process::exit()`. Does not run -/// on SIGKILL; the `sleep 300` in started containers bounds the leak window. -#[cfg(unix)] -extern "C" fn stop_all_containers() { +/// Stop and remove every docker container currently tracked by the verifier. +pub(crate) fn cleanup_docker_containers() { let Some(reg) = CONTAINER_REGISTRY.get() else { return; }; let bin = std::env::var("NYX_DOCKER_BIN").unwrap_or_else(|_| "docker".to_owned()); - for entry in reg.iter() { + let names: Vec = reg.iter().map(|entry| entry.key().clone()).collect(); + for name in names { // Remove OOB egress filter before stopping the container so stale // iptables rules don't accumulate across scans. #[cfg(target_os = "linux")] - remove_oob_egress_filter(entry.key()); + remove_oob_egress_filter(&name); let _ = std::process::Command::new(&bin) - .args(["stop", "--time=0", entry.key()]) + .args(["rm", "-f", &name]) .stdout(std::process::Stdio::null()) .stderr(std::process::Stdio::null()) .status(); + reg.remove(&name); } } +/// extern "C" fn registered via atexit(3). +/// +/// Stops all containers in the registry with an immediate force remove. +/// Runs on normal process exit and on `std::process::exit()`. Does not run +/// on SIGKILL; the `sleep 300` in started containers bounds the leak window. +#[cfg(unix)] +extern "C" fn stop_all_containers() { + cleanup_docker_containers(); +} + #[cfg(unix)] fn register_exit_cleanup() { unsafe extern "C" { diff --git a/src/server/jobs.rs b/src/server/jobs.rs index accd7b62..f0dae6e7 100644 --- a/src/server/jobs.rs +++ b/src/server/jobs.rs @@ -268,6 +268,8 @@ impl JobManager { } Ok(diags) }); + #[cfg(feature = "dynamic")] + crate::dynamic::sandbox::cleanup_docker_containers(); let elapsed = start.elapsed().as_secs_f64(); // Collect snapshots and do expensive work (post-processing, diff --git a/src/server/models.rs b/src/server/models.rs index e8c8bb01..7f382d7b 100644 --- a/src/server/models.rs +++ b/src/server/models.rs @@ -234,7 +234,11 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues { } rules.insert(d.id.clone()); statuses.insert(status_for_diag(d).to_string()); - verification_statuses.insert(dynamic_status_for_diag(d).unwrap_or("Unverified").to_string()); + verification_statuses.insert( + dynamic_status_for_diag(d) + .unwrap_or("Unverified") + .to_string(), + ); } // Always include all valid triage states so the filter dropdown is complete diff --git a/src/server/routes/findings.rs b/src/server/routes/findings.rs index ed99abb0..4482518d 100644 --- a/src/server/routes/findings.rs +++ b/src/server/routes/findings.rs @@ -5,8 +5,8 @@ use crate::database::index::Indexer; use crate::server::app::{AppState, CachedFindings}; use crate::server::error::{ApiError, ApiResult}; use crate::server::models::{ - FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag, - finding_from_diag_with_detail, dynamic_status_label, overlay_triage_states, summarize_findings, + FilterValues, FindingSummary, FindingView, collect_filter_values, dynamic_status_label, + finding_from_diag, finding_from_diag_with_detail, overlay_triage_states, summarize_findings, }; use axum::extract::{Path, Query, State}; use axum::routing::get; diff --git a/src/server/routes/scans.rs b/src/server/routes/scans.rs index a47d17e4..d011a5ed 100644 --- a/src/server/routes/scans.rs +++ b/src/server/routes/scans.rs @@ -45,6 +45,10 @@ struct StartScanRequest { verify: Option, /// Also verify `Confidence < Medium` findings. Default false. verify_all_confidence: Option, + /// Dynamic verification backend: "auto" | "docker" | "process" | "firecracker". + verify_backend: Option, + /// Process-backend hardening profile: "standard" | "strict". + harden_profile: Option, #[allow(dead_code)] languages: Option>, #[allow(dead_code)] @@ -89,6 +93,38 @@ fn apply_engine_profile( Ok(()) } +fn apply_verify_backend( + config: &mut crate::utils::config::Config, + backend: &str, +) -> Result<(), (StatusCode, Json)> { + let backend = backend.to_ascii_lowercase(); + match backend.as_str() { + "auto" | "docker" | "process" | "firecracker" => { + config.scanner.verify_backend = backend; + Ok(()) + } + _ => Err(bad_request( + "verify_backend must be one of: auto, docker, process, firecracker", + )), + } +} + +fn apply_harden_profile( + config: &mut crate::utils::config::Config, + profile: &str, +) -> Result<(), (StatusCode, Json)> { + let profile = profile.to_ascii_lowercase(); + match profile.as_str() { + "standard" | "strict" => { + config.scanner.harden_profile = profile; + Ok(()) + } + _ => Err(bad_request( + "harden_profile must be one of: standard, strict", + )), + } +} + async fn start_scan( State(state): State, body: Option>, @@ -125,6 +161,12 @@ async fn start_scan( if req.verify_all_confidence == Some(true) { config.scanner.verify_all_confidence = true; } + if let Some(ref backend) = req.verify_backend { + apply_verify_backend(&mut config, backend)?; + } + if let Some(ref profile) = req.harden_profile { + apply_harden_profile(&mut config, profile)?; + } #[cfg(not(feature = "dynamic"))] if config.scanner.verify || config.scanner.verify_all_confidence {