[pitboss] phase 11: Track J.9 + Track L.9 — CRYPTO, JSON_PARSE, UNAUTHORIZED_ID, DATA_EXFIL corpora

tests/dynamic_fixtures/json_parse/javascript/benign.js

@@ -0,0 +1,16 @@
+// Phase 11 (Track J.9) — JavaScript JSON_PARSE benign control fixture.
+//
+// JSON.parse then deep-merge into a `Object.create(null)` target, the
+// canonical mitigation; the prototype-less target cannot reach
+// `Object.prototype` so the canary never fires.
+function run(value) {
+    const parsed = JSON.parse(value);
+    const target = Object.create(null);
+    for (const k of Object.keys(parsed)) {
+        if (k === '__proto__' || k === 'constructor') continue;
+        target[k] = parsed[k];
+    }
+    return target;
+}
+
+module.exports = { run };

tests/dynamic_fixtures/json_parse/javascript/vuln.js

@@ -0,0 +1,24 @@
+// Phase 11 (Track J.9) — JavaScript JSON_PARSE vuln fixture.
+//
+// JSON.parse the attacker bytes then naive deep-merge into a vanilla
+// target object.  A `__proto__` key walks into `Object.prototype` and
+// trips the canary trap.
+function run(value) {
+    const parsed = JSON.parse(value);
+    const target = {};
+    deepMerge(target, parsed);
+    return target;
+}
+
+function deepMerge(t, s) {
+    for (const k of Object.keys(s)) {
+        if (s[k] !== null && typeof s[k] === 'object') {
+            if (typeof t[k] !== 'object' || t[k] === null) t[k] = {};
+            deepMerge(t[k], s[k]);
+        } else {
+            t[k] = s[k];
+        }
+    }
+}
+
+module.exports = { run };

tests/dynamic_fixtures/json_parse/python/benign.py

@@ -0,0 +1,10 @@
+# Phase 11 (Track J.9) — Python JSON_PARSE benign control fixture.
+#
+# json.loads then merge into a fresh `dict` rather than mutating the
+# shared sentinel, so the canary trap on `_SHARED` cannot fire.
+import json
+
+
+def run(value):
+    parsed = json.loads(value)
+    return dict(parsed)

tests/dynamic_fixtures/json_parse/python/vuln.py

@@ -0,0 +1,20 @@
+# Phase 11 (Track J.9) — Python JSON_PARSE vuln fixture.
+#
+# json.loads the attacker bytes then mutate a shared sentinel via
+# attribute pollution; the harness's instrumented setattr trap
+# observes the `__nyx_canary` write.
+import json
+
+
+class _Sentinel:
+    pass
+
+
+_SHARED = _Sentinel()
+
+
+def run(value):
+    parsed = json.loads(value)
+    for k, v in parsed.items():
+        setattr(_SHARED, k, v)
+    return _SHARED

tests/dynamic_fixtures/json_parse/ruby/benign.rb

@@ -0,0 +1,9 @@
+# Phase 11 (Track J.9) — Ruby JSON_PARSE benign control fixture.
+#
+# JSON.parse then merge into a freshly allocated `Hash`, so the
+# canary trap on `SHARED` cannot fire.
+require 'json'
+
+def run(value)
+  JSON.parse(value).dup
+end

tests/dynamic_fixtures/json_parse/ruby/vuln.rb

@@ -0,0 +1,15 @@
+# Phase 11 (Track J.9) — Ruby JSON_PARSE vuln fixture.
+#
+# JSON.parse the attacker bytes then recursively merge into a shared
+# `OpenStruct`; the harness's instrumented `method_missing=` trap
+# observes the `__nyx_canary` write.
+require 'json'
+require 'ostruct'
+
+SHARED = OpenStruct.new
+
+def run(value)
+  parsed = JSON.parse(value)
+  parsed.each { |k, v| SHARED[k] = v }
+  SHARED
+end