[pitboss] phase 16: Track L.14 — Laravel / Symfony / CodeIgniter adapters

tests/dynamic_fixtures/php_frameworks/codeigniter/benign.php

@@ -0,0 +1,18 @@
+<?php
+// Phase 16 — CodeIgniter-style route, benign sanitised payload.
+
+use CodeIgniter\Router\RouteCollection;
+
+$routes->get('run', 'UserController::run');
+
+class UserController extends BaseController
+{
+    public function run($payload)
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . escapeshellarg($payload);
+        $out = shell_exec($cmd);
+        echo $out;
+        return $out;
+    }
+}

tests/dynamic_fixtures/php_frameworks/codeigniter/composer.json

@@ -0,0 +1,7 @@
+{
+  "name": "nyx/fixture-codeigniter",
+  "require": {
+    "php": ">=8.1",
+    "codeigniter4/framework": "^4.4"
+  }
+}

tests/dynamic_fixtures/php_frameworks/codeigniter/vuln.php

@@ -0,0 +1,20 @@
+<?php
+// Phase 16 — CodeIgniter-style route, vulnerable.
+// `$routes->get('run', 'UserController::run')` references the
+// controller method whose body shells out without sanitisation.
+
+use CodeIgniter\Router\RouteCollection;
+
+$routes->get('run', 'UserController::run');
+
+class UserController extends BaseController
+{
+    public function run($payload)
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . $payload;
+        $out = shell_exec($cmd);
+        echo $out;
+        return $out;
+    }
+}

tests/dynamic_fixtures/php_frameworks/laravel/benign.php

@@ -0,0 +1,18 @@
+<?php
+// Phase 16 — Laravel-style route, benign sanitised payload.
+
+use Illuminate\Support\Facades\Route;
+
+Route::get('/run', 'UserController@run');
+
+class UserController
+{
+    public function run($payload)
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . escapeshellarg($payload);
+        $out = shell_exec($cmd);
+        echo $out;
+        return $out;
+    }
+}

tests/dynamic_fixtures/php_frameworks/laravel/composer.json

@@ -0,0 +1,7 @@
+{
+  "name": "nyx/fixture-laravel",
+  "require": {
+    "php": ">=8.1",
+    "laravel/framework": "^11.0"
+  }
+}

tests/dynamic_fixtures/php_frameworks/laravel/vuln.php

@@ -0,0 +1,20 @@
+<?php
+// Phase 16 — Laravel-style route, vulnerable.
+// `Route::get('/run', 'UserController@run')` references the
+// controller method whose body shells out without sanitisation.
+
+use Illuminate\Support\Facades\Route;
+
+Route::get('/run', 'UserController@run');
+
+class UserController
+{
+    public function run($payload)
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . $payload;
+        $out = shell_exec($cmd);
+        echo $out;
+        return $out;
+    }
+}

tests/dynamic_fixtures/php_frameworks/symfony/benign.php

@@ -0,0 +1,21 @@
+<?php
+// Phase 16 — Symfony-style route via `#[Route]` attribute,
+// benign sanitised payload.
+
+namespace App\Controller;
+
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Annotation\Route;
+
+class UserController
+{
+    #[Route('/run', methods: ['GET'])]
+    public function run($payload)
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . escapeshellarg($payload);
+        $out = shell_exec($cmd);
+        echo $out;
+        return new Response($out);
+    }
+}

tests/dynamic_fixtures/php_frameworks/symfony/composer.json

@@ -0,0 +1,9 @@
+{
+  "name": "nyx/fixture-symfony",
+  "require": {
+    "php": ">=8.1",
+    "symfony/framework-bundle": "^7.0",
+    "symfony/routing": "^7.0",
+    "symfony/http-kernel": "^7.0"
+  }
+}

tests/dynamic_fixtures/php_frameworks/symfony/vuln.php

@@ -0,0 +1,21 @@
+<?php
+// Phase 16 — Symfony-style route via `#[Route]` attribute,
+// vulnerable.
+
+namespace App\Controller;
+
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Annotation\Route;
+
+class UserController
+{
+    #[Route('/run', methods: ['GET'])]
+    public function run($payload)
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . $payload;
+        $out = shell_exec($cmd);
+        echo $out;
+        return new Response($out);
+    }
+}