From 7509cfe6fd34391e4f066be3b6e05a1d6b08561e Mon Sep 17 00:00:00 2001
From: pitboss
Date: Mon, 18 May 2026 10:17:32 -0500
Subject: [PATCH] [pitboss] sweep after phase 11: 2 deferred items resolved
---
 src/dynamic/corpus/cmdi/c.rs | 44 +++++++++++++++++++++++
 src/dynamic/corpus/cmdi/cpp.rs | 50 +++++++++++++++++++++++++++
 src/dynamic/corpus/cmdi/go.rs | 44 +++++++++++++++++++++++
 src/dynamic/corpus/cmdi/java.rs | 40 +++++++++++++++++++++
 src/dynamic/corpus/cmdi/javascript.rs | 40 +++++++++++++++++++++
 src/dynamic/corpus/cmdi/mod.rs | 9 +++++
 src/dynamic/corpus/cmdi/php.rs | 40 +++++++++++++++++++++
 src/dynamic/corpus/cmdi/python.rs | 46 ++++++++++++++++++++++++
 src/dynamic/corpus/cmdi/ruby.rs | 42 ++++++++++++++++++++++
 src/dynamic/corpus/cmdi/typescript.rs | 40 +++++++++++++++++++++
 src/dynamic/corpus/registry.rs | 9 +++++
 tests/dynamic_verify_e2e.rs | 11 ++++--
 12 files changed, 412 insertions(+), 3 deletions(-)
 create mode 100644 src/dynamic/corpus/cmdi/c.rs
 create mode 100644 src/dynamic/corpus/cmdi/cpp.rs
 create mode 100644 src/dynamic/corpus/cmdi/go.rs
 create mode 100644 src/dynamic/corpus/cmdi/java.rs
 create mode 100644 src/dynamic/corpus/cmdi/javascript.rs
 create mode 100644 src/dynamic/corpus/cmdi/php.rs
 create mode 100644 src/dynamic/corpus/cmdi/python.rs
 create mode 100644 src/dynamic/corpus/cmdi/ruby.rs
 create mode 100644 src/dynamic/corpus/cmdi/typescript.rs
diff --git a/src/dynamic/corpus/cmdi/c.rs b/src/dynamic/corpus/cmdi/c.rs
new file mode 100644
index 00000000..aadeccd5
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/c.rs
@@ -0,0 +1,44 @@
+//! C `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-c",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/c/cmdi/cmdi_exec.c",
+ "tests/benchmark/corpus/c/cmdi/cmdi_fgets.c",
+ "tests/benchmark/corpus/c/cmdi/cmdi_popen.c",
+ "tests/benchmark/corpus/c/cmdi/cmdi_system.c",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-c" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-c",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/c/cmdi/cmdi_exec.c",
+ "tests/benchmark/corpus/c/cmdi/cmdi_fgets.c",
+ "tests/benchmark/corpus/c/cmdi/cmdi_popen.c",
+ "tests/benchmark/corpus/c/cmdi/cmdi_system.c",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/cpp.rs b/src/dynamic/corpus/cmdi/cpp.rs
new file mode 100644
index 00000000..462be343
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/cpp.rs
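Review bot: In `c.rs` the attack entry's oracle, `Oracle::OutputContains("NYX_PWN_CMDI")`, matches a string that appears verbatim in the payload bytes `b"; echo NYX_PWN_CMDI"`, so a fixture that merely prints or logs its input would satisfy the oracle without a shell ever running the injected command. The paired control `cmdi-benign-c` cannot expose that case because its bytes never contain the marker; it only shows that the marker is absent by default. If the harness does not already separate echoed input from command output (not visible in this patch), consider having the payload assemble the marker at execution time so the literal oracle string is not present in the input, or adding a control that carries the marker without the `;` separator. The same pairing is repeated in the cpp, go, java, javascript, php, python, ruby and typescript slices.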
@@ -0,0 +1,50 @@
+//! C++ `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-cpp",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_class_inline_method.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_exec.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_getline.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_lambda_passthrough.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_popen.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_stl_vector_string.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_system.cpp",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-cpp" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-cpp",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_class_inline_method.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_exec.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_getline.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_lambda_passthrough.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_popen.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_stl_vector_string.cpp",
+ "tests/benchmark/corpus/cpp/cmdi/cmdi_system.cpp",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/go.rs b/src/dynamic/corpus/cmdi/go.rs
new file mode 100644
index 00000000..d2ea660a
--- /dev/null
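Review bot: The seven-entry `fixture_paths` list in `cpp.rs` is written out twice, once for `cmdi-echo-marker-cpp` and once for `cmdi-benign-cpp`, and nothing in the file keeps the two copies in step. If a fixture is later added to one entry only, the attack payload and its control would run against different targets and the comparison stops meaning anything. Hoisting the list, e.g. `const FIXTURES: &[&str] = &[ /* the seven paths */ ];` with `fixture_paths: FIXTURES,` in both entries, removes that drift; this assumes the field is a `&[&str]`, which the literal suggests but the struct definition is outside the patch. The other per-language slices in this commit repeat the pattern.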
+++ b/src/dynamic/corpus/cmdi/go.rs
@@ -0,0 +1,44 @@
+//! Go `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-go",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/go/cmdi/cmdi_direct.go",
+ "tests/benchmark/corpus/go/cmdi/cmdi_indirect.go",
+ "tests/benchmark/corpus/go/cmdi/cmdi_unvalidated_queue_element.go",
+ "tests/benchmark/corpus/go/cmdi/vuln_error_log_then_sink.go",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-go" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-go",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/go/cmdi/cmdi_direct.go",
+ "tests/benchmark/corpus/go/cmdi/cmdi_indirect.go",
+ "tests/benchmark/corpus/go/cmdi/cmdi_unvalidated_queue_element.go",
+ "tests/benchmark/corpus/go/cmdi/vuln_error_log_then_sink.go",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/java.rs b/src/dynamic/corpus/cmdi/java.rs
new file mode 100644
index 00000000..e6991e62
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/java.rs
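Review bot: The only attack payload in `go.rs`, `b"; echo NYX_PWN_CMDI"`, has an effect only when the tainted value reaches a shell, yet it is attached to every listed fixture. A sink that launches a program from an argument vector with no shell in between passes `;` through as literal data, so the oracle would stay silent on such a fixture and the verifier could mark a real finding as unconfirmed. Whether `cmdi_direct.go` and the others go through `sh -c` is not visible here; if any do not, record that in the module doc or drop them from `fixture_paths` rather than let a negative result read as a clean bill. The same question applies to `cmdi_exec.c` and `cmdi_exec.cpp` and to the Java fixtures.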
@@ -0,0 +1,40 @@
+//! Java `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-java",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/java/cmdi/CmdiDirect.java",
+ "tests/benchmark/corpus/java/cmdi/CmdiIndirect.java",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-java" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-java",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/java/cmdi/CmdiDirect.java",
+ "tests/benchmark/corpus/java/cmdi/CmdiIndirect.java",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/javascript.rs b/src/dynamic/corpus/cmdi/javascript.rs
new file mode 100644
index 00000000..c7d20b0a
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/javascript.rs
@@ -0,0 +1,40 @@
+//! JavaScript `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-javascript",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/javascript/cmdi/cmdi_direct.js",
+ "tests/benchmark/corpus/javascript/cmdi/cmdi_indirect.js",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-javascript" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-javascript",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/javascript/cmdi/cmdi_direct.js",
+ "tests/benchmark/corpus/javascript/cmdi/cmdi_indirect.js",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/mod.rs b/src/dynamic/corpus/cmdi/mod.rs
index 8f404d95..04e452e0 100644
--- a/src/dynamic/corpus/cmdi/mod.rs
+++ b/src/dynamic/corpus/cmdi/mod.rs
@@ -1,3 +1,12 @@
 //! Command-injection (`Cap::CODE_EXEC`) per-language payload slices.
 
+pub mod c;
+pub mod cpp;
+pub mod go;
+pub mod java;
+pub mod javascript;
+pub mod php;
+pub mod python;
+pub mod ruby;
 pub mod rust;
+pub mod typescript;
diff --git a/src/dynamic/corpus/cmdi/php.rs b/src/dynamic/corpus/cmdi/php.rs
new file mode 100644
index 00000000..071150f6
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/php.rs
@@ -0,0 +1,40 @@
+//! PHP `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-php",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/php/cmdi/cmdi_direct.php",
+ "tests/benchmark/corpus/php/cmdi/cmdi_indirect.php",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-php" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-php",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/php/cmdi/cmdi_direct.php",
+ "tests/benchmark/corpus/php/cmdi/cmdi_indirect.php",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/python.rs b/src/dynamic/corpus/cmdi/python.rs
new file mode 100644
index 00000000..bdb99ffe
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/python.rs
@@ -0,0 +1,46 @@
+//! Python `Cap::CODE_EXEC` payloads.
+//!
+//! Same shell-syntax bytes as [`super::rust::PAYLOADS`]; the per-language
+//! slice exists so the lookup is a per-language assertion rather than a
+//! cross-language fallback through [`super::super::registry::payloads_for`].
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-python",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/python/cmdi/cmdi_direct.py",
+ "tests/benchmark/corpus/python/cmdi/cmdi_indirect.py",
+ "tests/benchmark/corpus/python/cmdi/cmdi_popen_shell.py",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-python" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-python",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/python/cmdi/cmdi_direct.py",
+ "tests/benchmark/corpus/python/cmdi/cmdi_indirect.py",
+ "tests/benchmark/corpus/python/cmdi/cmdi_popen_shell.py",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/ruby.rs b/src/dynamic/corpus/cmdi/ruby.rs
new file mode 100644
index 00000000..bf1440c5
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/ruby.rs
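Review bot: `python.rs` is the only new slice whose module doc says why a per-language copy exists ("the lookup is a per-language assertion rather than a cross-language fallback"); the other eight files carry a one-line header and leave the reader to guess. Since the rationale applies to the whole directory, it would sit better in `cmdi/mod.rs` as a second paragraph of the existing `//!` doc, with each slice keeping its one-liner. The doc also states the bytes are the same as `super::rust::PAYLOADS`, which nothing in this patch enforces; a small unit test comparing the attack `bytes` across slices would keep that sentence true.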
@@ -0,0 +1,42 @@
+//! Ruby `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-ruby",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/ruby/cmdi/cmdi_backtick.rb",
+ "tests/benchmark/corpus/ruby/cmdi/cmdi_kernel_open.rb",
+ "tests/benchmark/corpus/ruby/cmdi/cmdi_system.rb",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-ruby" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-ruby",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/ruby/cmdi/cmdi_backtick.rb",
+ "tests/benchmark/corpus/ruby/cmdi/cmdi_kernel_open.rb",
+ "tests/benchmark/corpus/ruby/cmdi/cmdi_system.rb",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/cmdi/typescript.rs b/src/dynamic/corpus/cmdi/typescript.rs
new file mode 100644
index 00000000..3245614d
--- /dev/null
+++ b/src/dynamic/corpus/cmdi/typescript.rs
@@ -0,0 +1,40 @@
+//! TypeScript `Cap::CODE_EXEC` payloads.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+ CuratedPayload {
+ bytes: b"; echo NYX_PWN_CMDI",
+ label: "cmdi-echo-marker-typescript",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: false,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/typescript/cmdi/cmdi_async_wrapper.ts",
+ "tests/benchmark/corpus/typescript/cmdi/cmdi_exec_template.ts",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: Some(PayloadRef { label: "cmdi-benign-typescript" }),
+ no_benign_control_rationale: None,
+ },
+ CuratedPayload {
+ bytes: b"benign_safe_cmdi_NYX_BENIGN",
+ label: "cmdi-benign-typescript",
+ oracle: Oracle::OutputContains("NYX_PWN_CMDI"),
+ is_benign: true,
+ provenance: PayloadProvenance::Curated,
+ since_corpus_version: 15,
+ deprecated_at_corpus_version: None,
+ fixture_paths: &[
+ "tests/benchmark/corpus/typescript/cmdi/cmdi_async_wrapper.ts",
+ "tests/benchmark/corpus/typescript/cmdi/cmdi_exec_template.ts",
+ ],
+ oob_nonce_slot: false,
+ probe_predicates: &[],
+ benign_control: None,
+ no_benign_control_rationale: None,
+ },
+];
diff --git a/src/dynamic/corpus/registry.rs b/src/dynamic/corpus/registry.rs
index 29189c96..5e59f9be 100644
--- a/src/dynamic/corpus/registry.rs
+++ b/src/dynamic/corpus/registry.rs
@@ -79,6 +79,15 @@ pub fn sound_oracle_unavailable_hint(cap: Cap) -> &'static str {
 const ENTRIES: &[(Cap, Lang, &[CuratedPayload])] = &[
 (Cap::SQL_QUERY, Lang::Rust, sqli::rust::PAYLOADS),
 (Cap::CODE_EXEC, Lang::Rust, cmdi::rust::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::C, cmdi::c::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::Cpp, cmdi::cpp::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::Go, cmdi::go::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::Java, cmdi::java::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::JavaScript, cmdi::javascript::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::Php, cmdi::php::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::Python, cmdi::python::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::Ruby, cmdi::ruby::PAYLOADS),
+ (Cap::CODE_EXEC, Lang::TypeScript, cmdi::typescript::PAYLOADS),
 (Cap::FILE_IO, Lang::Rust, path_trav::rust::PAYLOADS),
 (Cap::SSRF, Lang::Rust, ssrf::rust::PAYLOADS),
 (Cap::HTML_ESCAPE, Lang::Rust, xss::rust::PAYLOADS),
diff --git a/tests/dynamic_verify_e2e.rs b/tests/dynamic_verify_e2e.rs
index 19e8a09d..5d3c72b8 100644
--- a/tests/dynamic_verify_e2e.rs
+++ b/tests/dynamic_verify_e2e.rs
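Review bot: These nine rows in `registry.rs` make payloads stamped `since_corpus_version: 15` reachable, but no file in this patch's diffstat looks like it changes a corpus version constant. If the current corpus version is already 15 and results have been recorded under it, the same version number now yields different verification outcomes for the nine added languages; if it is lower, the entries claim a version that does not exist yet. Please confirm the constant (outside this patch) and bump it if needed. The hunk shows only part of `ENTRIES`.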
@@ -174,9 +174,14 @@ mod verify_e2e {
 /// every successfully-derived spec records a `framework_adapter_none`
 /// event whose `detail` carries `lang= entry=`.
 ///
- /// We drive `verify_finding` through the `NoPayloadsForCap` short-circuit
- /// (CRYPTO has no curated payload corpus) so the trace is recorded
- /// without needing a working toolchain or sandbox backend.
+ /// We drive `verify_finding` with a `Cap::CRYPTO` diagnostic so the
+ /// trace records the `framework_adapter_none` event during spec
+ /// derivation. The assertion holds regardless of how `run_spec`
+ /// resolves downstream (Phase 11 / Track J.9 added a `CRYPTO` payload
+ /// corpus, so the verifier no longer short-circuits via
+ /// `NoPayloadsForCap`; it now reaches `BuildFailed` while no
+ /// real-engine `Cap::CRYPTO` harness emitter exists, but the
+ /// adapter-none event fires before either branch returns).
 #[test]
 fn verify_finding_emits_framework_adapter_none_for_empty_registry() {
 use nyx_scanner::dynamic::trace::{TraceStage, VerifyTrace};
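Review bot: The rewritten comment in `tests/dynamic_verify_e2e.rs` drops the old guarantee that the test runs "without needing a working toolchain or sandbox backend" and says the call now proceeds to `BuildFailed`, but it does not say whether getting there invokes a compiler or sandbox. If it does, the test's duration and result depend on the host, and on a machine where a harness emitter or toolchain is present it may go further than intended. A sentence stating the expected environment, for example `/// Must stay hermetic: no toolchain or sandbox is started before the event is recorded.`, would pin that down if it is true. The test function's body continues past the end of the hunk.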