[pitboss] phase 05: Track J.3 + Track L.3 — XXE corpus + DocumentBuilder / lxml / libxml / SimpleXML adapters

tests/dynamic_fixtures/xxe/php/benign.php

@@ -0,0 +1,10 @@
+<?php
+// Phase 05 (Track J.3) — PHP XXE benign fixture.
+//
+// Same parser surface as `vuln.php` but the entity loader stays
+// disabled and the LIBXML_NOENT flag is omitted, so the same payload's
+// `<!ENTITY>` block is rejected and no entity body is substituted.
+function run(string $body) {
+    libxml_disable_entity_loader(true);
+    return simplexml_load_string($body);
+}

tests/dynamic_fixtures/xxe/php/vuln.php

@@ -0,0 +1,11 @@
+<?php
+// Phase 05 (Track J.3) — PHP XXE vuln fixture.
+//
+// The function pulls XML off the request and feeds it to
+// `simplexml_load_string` after re-enabling the libxml entity loader
+// — so any `<!ENTITY xxe SYSTEM "file:///…">` in the payload is
+// resolved and its body substituted into the parsed document.
+function run(string $body) {
+    libxml_disable_entity_loader(false);
+    return simplexml_load_string($body, "SimpleXMLElement", LIBXML_NOENT);
+}