[pitboss] sweep after phase 11: 2 deferred items resolved

pitboss 2026-05-18 10:17:32 -05:00
parent d91351a6b1
commit 7509cfe6fd
12 changed files with 412 additions and 3 deletions


@ -0,0 +1,44 @@
//! C `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-c",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/c/cmdi/cmdi_exec.c",
"tests/benchmark/corpus/c/cmdi/cmdi_fgets.c",
"tests/benchmark/corpus/c/cmdi/cmdi_popen.c",
"tests/benchmark/corpus/c/cmdi/cmdi_system.c",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-c" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-c",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/c/cmdi/cmdi_exec.c",
"tests/benchmark/corpus/c/cmdi/cmdi_fgets.c",
"tests/benchmark/corpus/c/cmdi/cmdi_popen.c",
"tests/benchmark/corpus/c/cmdi/cmdi_system.c",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];
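Review bot: The marker `NYX_PWN_CMDI` appears literally in the payload bytes, so `Oracle::OutputContains("NYX_PWN_CMDI")` also matches a fixture that only prints or logs its input without passing it to a shell. The control `cmdi-benign-c` cannot rule that out, because its bytes do not contain the marker and a reflecting fixture therefore stays silent on it. How the harness compares the two runs is not visible here, so treat this as a soundness question to confirm rather than a proven false positive. One option is a payload whose output is not a substring of its own bytes, e.g. `bytes: b"; echo NYX_PWN\"\"_CMDI",`, so that only shell evaluation produces the marker. The same pairing is used in the C++, Go, Java, JavaScript, PHP, Python, Ruby and TypeScript sections.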


@ -0,0 +1,50 @@
//! C++ `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-cpp",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/cpp/cmdi/cmdi_class_inline_method.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_exec.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_getline.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_lambda_passthrough.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_popen.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_stl_vector_string.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_system.cpp",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-cpp" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-cpp",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/cpp/cmdi/cmdi_class_inline_method.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_exec.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_getline.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_lambda_passthrough.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_popen.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_stl_vector_string.cpp",
"tests/benchmark/corpus/cpp/cmdi/cmdi_system.cpp",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];
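Review bot: The seven-entry `fixture_paths` list is written out twice, once for `cmdi-echo-marker-cpp` and once for `cmdi-benign-cpp`, and nothing ties the two copies together. If a fixture is later added to one entry only, the payload and its control would cover different files. A file-level constant, assuming the field is a `&[&str]` as the literals suggest, keeps them bound: `const FIXTURES: &[&str] = &[ /* the seven paths */ ];` with `fixture_paths: FIXTURES,` in both entries. The other eight new payload files duplicate their lists the same way.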


@ -0,0 +1,44 @@
//! Go `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-go",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/go/cmdi/cmdi_direct.go",
"tests/benchmark/corpus/go/cmdi/cmdi_indirect.go",
"tests/benchmark/corpus/go/cmdi/cmdi_unvalidated_queue_element.go",
"tests/benchmark/corpus/go/cmdi/vuln_error_log_then_sink.go",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-go" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-go",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/go/cmdi/cmdi_direct.go",
"tests/benchmark/corpus/go/cmdi/cmdi_indirect.go",
"tests/benchmark/corpus/go/cmdi/cmdi_unvalidated_queue_element.go",
"tests/benchmark/corpus/go/cmdi/vuln_error_log_then_sink.go",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];


@ -0,0 +1,40 @@
//! Java `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-java",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/java/cmdi/CmdiDirect.java",
"tests/benchmark/corpus/java/cmdi/CmdiIndirect.java",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-java" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-java",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/java/cmdi/CmdiDirect.java",
"tests/benchmark/corpus/java/cmdi/CmdiIndirect.java",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];


@ -0,0 +1,40 @@
//! JavaScript `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-javascript",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/javascript/cmdi/cmdi_direct.js",
"tests/benchmark/corpus/javascript/cmdi/cmdi_indirect.js",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-javascript" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-javascript",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/javascript/cmdi/cmdi_direct.js",
"tests/benchmark/corpus/javascript/cmdi/cmdi_indirect.js",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];


@ -1,3 +1,12 @@
//! Command-injection (`Cap::CODE_EXEC`) per-language payload slices.
pub mod c;
pub mod cpp;
pub mod go;
pub mod java;
pub mod javascript;
pub mod php;
pub mod python;
pub mod ruby;
pub mod rust;
pub mod typescript;


@ -0,0 +1,40 @@
//! PHP `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-php",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/php/cmdi/cmdi_direct.php",
"tests/benchmark/corpus/php/cmdi/cmdi_indirect.php",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-php" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-php",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/php/cmdi/cmdi_direct.php",
"tests/benchmark/corpus/php/cmdi/cmdi_indirect.php",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];


@ -0,0 +1,46 @@
//! Python `Cap::CODE_EXEC` payloads.
//!
//! Same shell-syntax bytes as [`super::rust::PAYLOADS`]; the per-language
//! slice exists so the lookup is a per-language assertion rather than a
//! cross-language fallback through [`super::super::registry::payloads_for`].
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-python",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/python/cmdi/cmdi_direct.py",
"tests/benchmark/corpus/python/cmdi/cmdi_indirect.py",
"tests/benchmark/corpus/python/cmdi/cmdi_popen_shell.py",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-python" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-python",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/python/cmdi/cmdi_direct.py",
"tests/benchmark/corpus/python/cmdi/cmdi_indirect.py",
"tests/benchmark/corpus/python/cmdi/cmdi_popen_shell.py",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];
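Review bot: Only this file explains why a per-language slice exists even though the bytes match `super::rust::PAYLOADS`; the other eight new modules carry a one-line `//!` header and give a reader no reason for the duplication. The rationale applies to all of them, so it belongs in the parent module's header (the file that declares `pub mod c;` through `pub mod typescript;`). Something like `//! Each language has its own slice, even where the bytes are identical, so a lookup is a per-language assertion rather than a cross-language fallback.` would do. The Python header could then shrink to the one-line form used by its siblings.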


@ -0,0 +1,42 @@
//! Ruby `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-ruby",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/ruby/cmdi/cmdi_backtick.rb",
"tests/benchmark/corpus/ruby/cmdi/cmdi_kernel_open.rb",
"tests/benchmark/corpus/ruby/cmdi/cmdi_system.rb",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-ruby" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-ruby",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/ruby/cmdi/cmdi_backtick.rb",
"tests/benchmark/corpus/ruby/cmdi/cmdi_kernel_open.rb",
"tests/benchmark/corpus/ruby/cmdi/cmdi_system.rb",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];


@ -0,0 +1,40 @@
//! TypeScript `Cap::CODE_EXEC` payloads.
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
pub const PAYLOADS: &[CuratedPayload] = &[
CuratedPayload {
bytes: b"; echo NYX_PWN_CMDI",
label: "cmdi-echo-marker-typescript",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: false,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/typescript/cmdi/cmdi_async_wrapper.ts",
"tests/benchmark/corpus/typescript/cmdi/cmdi_exec_template.ts",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: Some(PayloadRef { label: "cmdi-benign-typescript" }),
no_benign_control_rationale: None,
},
CuratedPayload {
bytes: b"benign_safe_cmdi_NYX_BENIGN",
label: "cmdi-benign-typescript",
oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
is_benign: true,
provenance: PayloadProvenance::Curated,
since_corpus_version: 15,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/benchmark/corpus/typescript/cmdi/cmdi_async_wrapper.ts",
"tests/benchmark/corpus/typescript/cmdi/cmdi_exec_template.ts",
],
oob_nonce_slot: false,
probe_predicates: &[],
benign_control: None,
no_benign_control_rationale: None,
},
];


@ -79,6 +79,15 @@ pub fn sound_oracle_unavailable_hint(cap: Cap) -> &'static str {
const ENTRIES: &[(Cap, Lang, &[CuratedPayload])] = &[
(Cap::SQL_QUERY, Lang::Rust, sqli::rust::PAYLOADS),
(Cap::CODE_EXEC, Lang::Rust, cmdi::rust::PAYLOADS),
(Cap::CODE_EXEC, Lang::C, cmdi::c::PAYLOADS),
(Cap::CODE_EXEC, Lang::Cpp, cmdi::cpp::PAYLOADS),
(Cap::CODE_EXEC, Lang::Go, cmdi::go::PAYLOADS),
(Cap::CODE_EXEC, Lang::Java, cmdi::java::PAYLOADS),
(Cap::CODE_EXEC, Lang::JavaScript, cmdi::javascript::PAYLOADS),
(Cap::CODE_EXEC, Lang::Php, cmdi::php::PAYLOADS),
(Cap::CODE_EXEC, Lang::Python, cmdi::python::PAYLOADS),
(Cap::CODE_EXEC, Lang::Ruby, cmdi::ruby::PAYLOADS),
(Cap::CODE_EXEC, Lang::TypeScript, cmdi::typescript::PAYLOADS),
(Cap::FILE_IO, Lang::Rust, path_trav::rust::PAYLOADS),
(Cap::SSRF, Lang::Rust, ssrf::rust::PAYLOADS),
(Cap::HTML_ESCAPE, Lang::Rust, xss::rust::PAYLOADS),
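Review bot: The nine new `Cap::CODE_EXEC` rows bring in slices whose `benign_control` is a string-keyed `PayloadRef { label: … }`, and none of the twelve changed files adds a check that each label resolves. A mistyped language suffix, such as a `cmdi-benign-cpp` left in the C file after copy-paste, would compile and only show up at lookup time. Unless an existing test already covers it, a unit test over `ENTRIES` would catch this. It should assert that every `Some(PayloadRef { label })` names an `is_benign: true` entry in the same slice, and that labels are unique across slices. The `ENTRIES` array continues past the end of this hunk.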


@ -174,9 +174,14 @@ mod verify_e2e {
/// every successfully-derived spec records a `framework_adapter_none`
/// event whose `detail` carries `lang=<Lang> entry=<entry_name>`.
///
/// We drive `verify_finding` through the `NoPayloadsForCap` short-circuit
/// (CRYPTO has no curated payload corpus) so the trace is recorded
/// without needing a working toolchain or sandbox backend.
/// We drive `verify_finding` with a `Cap::CRYPTO` diagnostic so the
/// trace records the `framework_adapter_none` event during spec
/// derivation. The assertion holds regardless of how `run_spec`
/// resolves downstream (Phase 11 / Track J.9 added a `CRYPTO` payload
/// corpus, so the verifier no longer short-circuits via
/// `NoPayloadsForCap`; it now reaches `BuildFailed` while no
/// real-engine `Cap::CRYPTO` harness emitter exists, but the
/// adapter-none event fires before either branch returns).
#[test]
fn verify_finding_emits_framework_adapter_none_for_empty_registry() {
use nyx_scanner::dynamic::trace::{TraceStage, VerifyTrace};
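Review bot: The rewritten doc comment drops the old guarantee that this test runs "without needing a working toolchain or sandbox backend", and now relies on `run_spec` stopping at `BuildFailed` because no `Cap::CRYPTO` harness emitter exists. Once such an emitter is added, the test would presumably go on to a real build and sandbox run, even though it only needs the `framework_adapter_none` event from spec derivation. Either state that dependency in the comment, e.g. `/// NOTE: relies on run_spec failing before any build; revisit when a CRYPTO emitter exists.`, or drive the test with a cap that still has no corpus. The function body continues outside the hunk, so what it asserts after `verify_finding` returns is not visible here.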