[pitboss] phase 05: Track J.3 + Track L.3 — XXE corpus + DocumentBuilder / lxml / libxml / SimpleXML adapters

2026-06-15 20:05:13 +02:00 · 2026-05-17 20:39:12 -05:00 · 2026-05-17 20:39:12 -05:00 · 4de925c3ef
commit 4de925c3ef
parent 637b733928
35 changed files with 1985 additions and 23 deletions
--- a/src/dynamic/corpus/xxe/java.rs
+++ b/src/dynamic/corpus/xxe/java.rs
@ -0,0 +1,67 @@
+//! Java `Cap::XXE` payloads — `DocumentBuilderFactory` / `SAXParser`.
+//!
+//! Vuln payload: an XML document declaring an external entity that
+//! the harness's instrumented `DocumentBuilder.parse` resolves and
+//! substitutes inside `<data>` — the parser writes a
+//! `ProbeKind::Xxe { entity_expanded: true }` record once it sees the
+//! entity body materialise.
+//!
+//! Benign control: a well-formed XML document with no doctype
+//! declaration so the parser has no entity to resolve.  The harness's
+//! instrumented parser writes `entity_expanded: false`, the oracle
+//! does not fire, and the differential rule (§4.1) stays clean.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: br#"<?xml version="1.0"?>
+<!DOCTYPE data [
+  <!ENTITY xxe SYSTEM "file:///etc/hostname">
+]>
+<data>&xxe;</data>"#,
+        label: "xxe-java-doctype-entity",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::XxeEntityExpanded {
+                require_expanded: true,
+            }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 9,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/java/vuln.java",
+        ],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::XxeEntityExpanded {
+            require_expanded: true,
+        }],
+        benign_control: Some(PayloadRef {
+            label: "xxe-java-benign",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: br#"<?xml version="1.0"?>
+<data>hello</data>"#,
+        label: "xxe-java-benign",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::XxeEntityExpanded {
+                require_expanded: true,
+            }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 9,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &[
+            "tests/dynamic_fixtures/xxe/java/benign.java",
+        ],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];