[pitboss] phase 11: Track J.9 + Track L.9 — CRYPTO, JSON_PARSE, UNAUTHORIZED_ID, DATA_EXFIL corpora

src/dynamic/corpus/json_parse/javascript.rs

@@ -0,0 +1,51 @@
+//! JavaScript `Cap::JSON_PARSE` payloads — `JSON.parse` then deep
+//! assign / `Object.assign` chain.
+//!
+//! Same canary oracle as the Phase 10 PROTOTYPE_POLLUTION corpus
+//! ([`crate::dynamic::oracle::ProbePredicate::PrototypeCanaryTouched`]).
+//! The harness routes both payloads through `JSON.parse` first to
+//! exercise the parse-then-assign flow specifically (whereas the
+//! Phase 10 corpus passes the JSON literal directly to the deep-merge
+//! sink without an intervening parse).
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const CANARY: &str = "__nyx_canary";
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: br#"{"__proto__":{"__nyx_canary":"pwned"}}"#,
+        label: "json-parse-js-proto-key",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse/javascript/vuln.js"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-js-benign",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: br#"{"data":{"__nyx_canary":"pwned"}}"#,
+        label: "json-parse-js-benign",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse/javascript/benign.js"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];

src/dynamic/corpus/json_parse/mod.rs

@@ -0,0 +1,21 @@
+//! JSON-parse pollution (`Cap::JSON_PARSE`) per-language payload
+//! slices.
+//!
+//! Phase 11 (Track J.9) reuses the prototype-canary oracle from
+//! Phase 10 across the three languages whose JSON parsers have a
+//! published pollution surface: JavaScript (`JSON.parse` then deep
+//! assign), Python (`json.loads` then `dict.update` /
+//! `setattr`-driven attribute pollution), Ruby (`JSON.parse` then
+//! recursive merge).  Every vuln payload binds a JSON literal whose
+//! top-level key is `__proto__`; the per-language harness's
+//! instrumented canary trap (`Object.prototype.__nyx_canary` in JS,
+//! a `dict`/class-scoped sentinel in Python, an `Object.prepend`
+//! flag in Ruby) records a
+//! [`crate::dynamic::probe::ProbeKind::PrototypePollution`] probe
+//! once the malicious key reaches the shared chain.  The paired
+//! benign control sends a JSON literal whose top-level key is the
+//! regular property `data`, leaving the chain untouched.
+
+pub mod javascript;
+pub mod python;
+pub mod ruby;

src/dynamic/corpus/json_parse/python.rs

@@ -0,0 +1,45 @@
+//! Python `Cap::JSON_PARSE` payloads — `json.loads` then
+//! attribute-pollution via `setattr` / `dict.update` on a shared
+//! sentinel object.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const CANARY: &str = "__nyx_canary";
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: br#"{"__proto__":{"__nyx_canary":"pwned"}}"#,
+        label: "json-parse-python-proto-key",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse/python/vuln.py"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-python-benign",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: br#"{"data":{"__nyx_canary":"pwned"}}"#,
+        label: "json-parse-python-benign",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse/python/benign.py"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];

src/dynamic/corpus/json_parse/ruby.rs

@@ -0,0 +1,44 @@
+//! Ruby `Cap::JSON_PARSE` payloads — `JSON.parse` then recursive
+//! `Hash#deep_merge!` on a shared sentinel object.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const CANARY: &str = "__nyx_canary";
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: br#"{"__proto__":{"__nyx_canary":"pwned"}}"#,
+        label: "json-parse-ruby-proto-key",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse/ruby/vuln.rb"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-ruby-benign",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: br#"{"data":{"__nyx_canary":"pwned"}}"#,
+        label: "json-parse-ruby-benign",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::PrototypeCanaryTouched { canary: CANARY }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse/ruby/benign.rb"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];