[pitboss/grind] deferred session-0030 (20260521T201327Z-3848)

src/dynamic/corpus/open_redirect/go.rs

@@ -10,6 +10,15 @@
 //! Benign control: same shape but redirects to the same-origin path
 //! `/dashboard`, so the captured `location` has no authority
 //! component and the predicate stays clear.
+//!
+//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`] the harness follows the
+//! captured `Location:` URL via a real `net/http.Get` against the
+//! loopback nonce URL so the listener records the per-finding
+//! callback.  Ordered first so the runner exercises the OOB observation
+//! path before the absolute-URL vuln below triggers and short-circuits
+//! iteration; runs without a listener skip cleanly (runner
+//! `oob_nonce_slot` branch).
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
@@ -17,6 +26,26 @@ use crate::dynamic::oracle::ProbePredicate;
 const ALLOWLIST: &[&str] = &["example.com"];
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        // `bytes` is unused when `oob_nonce_slot = true`; the runner
+        // substitutes a per-finding loopback URL (see runner.rs:405-413).
+        bytes: b"",
+        label: "open-redirect-go-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/open_redirect/go/vuln.go"],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce open-redirect payload self-confirms via the per-finding listener \
+             callback when the harness follows the captured Location URL with net/http.Get; \
+             no benign URL can hit the nonce path.",
+        ),
+    },
     CuratedPayload {
         bytes: b"https://attacker.test/",
         label: "open-redirect-go-absolute",

src/dynamic/corpus/open_redirect/rust.rs

@@ -9,6 +9,15 @@
 //! Benign control: same shape but redirects to the same-origin path
 //! `/dashboard`, so the captured `location` has no authority
 //! component and the predicate stays clear.
+//!
+//! OOB-nonce variant (added 2026-05-22): when the runner attaches an
+//! [`crate::dynamic::oob::OobListener`] the harness follows the
+//! captured `Location:` URL via a zero-dep `std::net::TcpStream`
+//! `GET / HTTP/1.0` against the loopback nonce URL so the listener
+//! records the per-finding callback.  Ordered first so the runner
+//! exercises the OOB observation path before the absolute-URL vuln
+//! below triggers and short-circuits iteration; runs without a
+//! listener skip cleanly (runner `oob_nonce_slot` branch).
 
 use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
 use crate::dynamic::oracle::ProbePredicate;
@@ -16,6 +25,26 @@ use crate::dynamic::oracle::ProbePredicate;
 const ALLOWLIST: &[&str] = &["example.com"];
 
 pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        // `bytes` is unused when `oob_nonce_slot = true`; the runner
+        // substitutes a per-finding loopback URL (see runner.rs:405-413).
+        bytes: b"",
+        label: "open-redirect-rust-oob-nonce",
+        oracle: Oracle::OobCallback { host: "127.0.0.1" },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/open_redirect/rust/vuln.rs"],
+        oob_nonce_slot: true,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: Some(
+            "OOB-nonce open-redirect payload self-confirms via the per-finding listener \
+             callback when the harness follows the captured Location URL with a zero-dep \
+             TcpStream-based GET; no benign URL can hit the nonce path.",
+        ),
+    },
     CuratedPayload {
         bytes: b"https://attacker.test/",
         label: "open-redirect-rust-absolute",