[pitboss/grind] deferred session-0014 (20260516T052512Z-20f8)

tests/dynamic_fixtures/python/async/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 13

tests/dynamic_fixtures/python/celery/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 17

tests/dynamic_fixtures/python/cli/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 14

tests/dynamic_fixtures/python/django/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 15

tests/dynamic_fixtures/python/fastapi/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 16

tests/dynamic_fixtures/python/flask/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 18

tests/dynamic_fixtures/python/generic/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 12

tests/dynamic_fixtures/python/pytest/vuln.py.golden_harness.py

@@ -141,6 +141,29 @@ def __nyx_stub_sql_record(query, **detail):
     except OSError:
         pass
 
+# Phase 10 (Track D.3) HTTP recording helper.  When the verifier spawned an
+# HttpStub it publishes the side-channel log path through NYX_HTTP_LOG; a
+# sink call site whose outbound request never reaches the on-the-wire
+# listener (DNS-mocked, network-isolated sandbox, pre-flight check) can
+# call this helper to surface the attempted call.  Format matches the SQL
+# helper so the host-side merger parses both streams identically.
+def __nyx_stub_http_record(method, url, body=None, **detail):
+    import os
+    p = os.environ.get("NYX_HTTP_LOG")
+    if not p:
+        return
+    try:
+        with open(p, "a") as _f:
+            _f.write('# method: %s\n' % str(method))
+            _f.write('# url: %s\n' % str(url))
+            if body is not None:
+                _f.write('# body: %s\n' % str(body))
+            for k, v in detail.items():
+                _f.write('# %s: %s\n' % (str(k), str(v)))
+            _f.write('%s %s\n' % (str(method), str(url)))
+    except OSError:
+        pass
+
 
 _NYX_SINK_FILE = "<TMPDIR>/<ENTRY_FILE>"
 _NYX_SINK_LINE = 14

tests/dynamic_fixtures/stubs_e2e/python/http/vuln/main.py

@@ -0,0 +1,36 @@
+"""Phase 10 (Track D.3) stub-end-to-end fixture: Python + HTTP.
+
+The verifier publishes:
+
+* ``NYX_HTTP_ENDPOINT`` — `http://127.0.0.1:{port}` the HttpStub listens on.
+* ``NYX_HTTP_LOG``      — companion log path the harness appends attempted
+  outbound calls to so the host HttpStub picks them up on
+  ``drain_events()`` even when the request bypasses the on-the-wire
+  listener (DNS-mocked, network-isolated sandbox, pre-flight check).
+
+This fixture exercises the side-channel path: it records an attempted
+SSRF call to ``http://169.254.169.254/latest/meta-data/`` through the
+Python shim helper ``__nyx_stub_http_record`` without issuing the
+actual network call.  The companion test in
+``tests/stubs_e2e_per_lang.rs`` splices in
+``crate::dynamic::lang::python::probe_shim`` ahead of this source, runs
+it with both env vars set, and asserts the stub captured the attempt.
+"""
+
+import os
+
+
+def main():
+    method = "GET"
+    url = "http://169.254.169.254/latest/meta-data/"
+    body = ""
+    # Record the attempted call through the probe shim so the host
+    # HttpStub captures it on the next drain_events() call even when
+    # the harness never reaches the on-the-wire listener.
+    __nyx_stub_http_record(method, url, body, driver="urllib")
+    # Echo so the host can confirm the driver ran end-to-end.
+    print(os.environ.get("NYX_HTTP_ENDPOINT", "no-endpoint"))
+
+
+if __name__ == "__main__":
+    main()