[pitboss/grind] deferred session-0015 (20260522T163126Z-7d60)

tests/dynamic_fixtures/go/cmdi_positive.go

@@ -12,7 +12,7 @@ import (
 
 func RunPing(host string) {
 	fmt.Print("__NYX_SINK_HIT__\n")
-	cmd := exec.Command("sh", "-c", "echo hello "+host)
+	cmd := exec.Command("/bin/sh", "-c", "/bin/echo hello "+host)
 	out, _ := cmd.CombinedOutput()
 	fmt.Print(string(out))
 }

tests/dynamic_fixtures/php/cmdi_negative.php

@@ -1,14 +1,22 @@
 <?php
 // Command injection — negative fixture.
-// Safe: uses escapeshellarg() to prevent shell injection.
+// Safe: uses escapeshellarg() and discards the captured output.
 // Entry: runPing($host)  Cap: CODE_EXEC
 // Expected verdict: NotConfirmed
+//
+// Pairs with cmdi_positive.php for differential confirmation. The
+// captured output is intentionally discarded so a literal payload such
+// as "; echo NYX_PWN_CMDI" (which escapeshellarg already neutralises
+// against the shell parser) cannot leak through stdout and trip the
+// OutputContains oracle.
 
 function runPing($host) {
+    // Sink-reachability probe: we did reach the shell_exec call site.
+    echo "__NYX_SINK_HIT__\n";
     // escapeshellarg wraps in single quotes and escapes internal quotes.
     $safe = escapeshellarg($host);
+    // Capture but discard: command runs under the sanitiser, output is
+    // not surfaced to the oracle.
     $output = shell_exec('echo hello ' . $safe);
-    if ($output !== null) {
-        echo $output;
-    }
+    unset($output);
 }

tests/dynamic_fixtures/php/fileio_adversarial.php

@@ -3,9 +3,9 @@
 // Prints "root:" unconditionally without reading any file
 // and without emitting __NYX_SINK_HIT__.
 // Expected verdict: Inconclusive(OracleCollisionSuspected)
-// Entry: readFile($userPath)  Cap: FILE_IO
+// Entry: runReadFile($userPath)  Cap: FILE_IO
 
-function readFile($userPath) {
+function runReadFile($userPath) {
     // Coincidental oracle match — not a file read sink.
     echo "root: present\n";
     $x = strlen($userPath);

tests/dynamic_fixtures/php/fileio_negative.php

@@ -1,10 +1,10 @@
 <?php
 // File I/O — negative fixture.
 // Safe: realpath + prefix validation prevents directory traversal.
-// Entry: readFile($userPath)  Cap: FILE_IO
+// Entry: runReadFile($userPath)  Cap: FILE_IO
 // Expected verdict: NotConfirmed
 
-function readFile($userPath) {
+function runReadFile($userPath) {
     $baseDir = '/var/data';
     $filePath = realpath($baseDir . '/' . $userPath);
     if ($filePath === false || strpos($filePath, $baseDir . DIRECTORY_SEPARATOR) !== 0) {

tests/dynamic_fixtures/php/fileio_positive.php

@@ -1,10 +1,10 @@
 <?php
 // File I/O — positive fixture.
 // Vulnerable: reads file at user-controlled path without sanitization.
-// Entry: readFile($userPath)  Cap: FILE_IO
+// Entry: runReadFile($userPath)  Cap: FILE_IO
 // Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
 
-function readFile($userPath) {
+function runReadFile($userPath) {
     $filePath = '/var/data/' . $userPath;
     echo "__NYX_SINK_HIT__\n";
     $content = @file_get_contents($filePath);

tests/php_fixtures.rs

@@ -214,7 +214,7 @@ mod php_fixture_tests {
 
     #[test]
     fn php_fileio_positive_is_confirmed() {
-        let result = run_fixture("fileio_positive.php", "readFile", Cap::FILE_IO, 9);
+        let result = run_fixture("fileio_positive.php", "runReadFile", Cap::FILE_IO, 9);
         if result.status == VerifyStatus::Unsupported
             && result.reason == Some(UnsupportedReason::BackendUnavailable)
         {
@@ -231,7 +231,7 @@ mod php_fixture_tests {
 
     #[test]
     fn php_fileio_negative_is_not_confirmed() {
-        let result = run_fixture("fileio_negative.php", "readFile", Cap::FILE_IO, 14);
+        let result = run_fixture("fileio_negative.php", "runReadFile", Cap::FILE_IO, 14);
         if result.status == VerifyStatus::Unsupported
             && result.reason == Some(UnsupportedReason::BackendUnavailable)
         {
@@ -247,7 +247,7 @@ mod php_fixture_tests {
 
     #[test]
     fn php_fileio_adversarial_is_oracle_collision() {
-        let result = run_fixture("fileio_adversarial.php", "readFile", Cap::FILE_IO, 999);
+        let result = run_fixture("fileio_adversarial.php", "runReadFile", Cap::FILE_IO, 999);
         if result.status == VerifyStatus::Unsupported
             && result.reason == Some(UnsupportedReason::BackendUnavailable)
         {