[pitboss] phase 11: Track J.9 + Track L.9 — CRYPTO, JSON_PARSE, UNAUTHORIZED_ID, DATA_EXFIL corpora

tests/dynamic_fixtures/unauthorized_id/python/benign.py

@@ -0,0 +1,12 @@
+# Phase 11 (Track J.9) — Python UNAUTHORIZED_ID benign control fixture.
+#
+# Compares `owner_id` against the authenticated caller and returns
+# `None` for any boundary-crossing request.
+_STORE = {"alice": {"email": "alice@x"}, "bob": {"email": "bob@x"}}
+_CALLER_ID = "alice"
+
+
+def run(owner_id):
+    if owner_id != _CALLER_ID:
+        return None
+    return _STORE.get(owner_id)

tests/dynamic_fixtures/unauthorized_id/python/vuln.py

@@ -0,0 +1,11 @@
+# Phase 11 (Track J.9) — Python UNAUTHORIZED_ID vuln fixture.
+#
+# Looks up a record by `owner_id` without checking it against the
+# authenticated caller; an attacker who supplies another user's id
+# reads that user's record.
+_STORE = {"alice": {"email": "alice@x"}, "bob": {"email": "bob@x"}}
+_CALLER_ID = "alice"
+
+
+def run(owner_id):
+    return _STORE.get(owner_id)