[pitboss/grind] deferred session-0015 (20260522T163126Z-7d60)

tests/dynamic_fixtures/php/cmdi_negative.php

@@ -1,14 +1,22 @@
 <?php
 // Command injection — negative fixture.
-// Safe: uses escapeshellarg() to prevent shell injection.
+// Safe: uses escapeshellarg() and discards the captured output.
 // Entry: runPing($host)  Cap: CODE_EXEC
 // Expected verdict: NotConfirmed
+//
+// Pairs with cmdi_positive.php for differential confirmation. The
+// captured output is intentionally discarded so a literal payload such
+// as "; echo NYX_PWN_CMDI" (which escapeshellarg already neutralises
+// against the shell parser) cannot leak through stdout and trip the
+// OutputContains oracle.
 
 function runPing($host) {
+    // Sink-reachability probe: we did reach the shell_exec call site.
+    echo "__NYX_SINK_HIT__\n";
     // escapeshellarg wraps in single quotes and escapes internal quotes.
     $safe = escapeshellarg($host);
+    // Capture but discard: command runs under the sanitiser, output is
+    // not surfaced to the oracle.
     $output = shell_exec('echo hello ' . $safe);
-    if ($output !== null) {
-        echo $output;
-    }
+    unset($output);
 }

tests/dynamic_fixtures/php/fileio_adversarial.php

@@ -3,9 +3,9 @@
 // Prints "root:" unconditionally without reading any file
 // and without emitting __NYX_SINK_HIT__.
 // Expected verdict: Inconclusive(OracleCollisionSuspected)
-// Entry: readFile($userPath)  Cap: FILE_IO
+// Entry: runReadFile($userPath)  Cap: FILE_IO
 
-function readFile($userPath) {
+function runReadFile($userPath) {
     // Coincidental oracle match — not a file read sink.
     echo "root: present\n";
     $x = strlen($userPath);

tests/dynamic_fixtures/php/fileio_negative.php

@@ -1,10 +1,10 @@
 <?php
 // File I/O — negative fixture.
 // Safe: realpath + prefix validation prevents directory traversal.
-// Entry: readFile($userPath)  Cap: FILE_IO
+// Entry: runReadFile($userPath)  Cap: FILE_IO
 // Expected verdict: NotConfirmed
 
-function readFile($userPath) {
+function runReadFile($userPath) {
     $baseDir = '/var/data';
     $filePath = realpath($baseDir . '/' . $userPath);
     if ($filePath === false || strpos($filePath, $baseDir . DIRECTORY_SEPARATOR) !== 0) {

tests/dynamic_fixtures/php/fileio_positive.php

@@ -1,10 +1,10 @@
 <?php
 // File I/O — positive fixture.
 // Vulnerable: reads file at user-controlled path without sanitization.
-// Entry: readFile($userPath)  Cap: FILE_IO
+// Entry: runReadFile($userPath)  Cap: FILE_IO
 // Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
 
-function readFile($userPath) {
+function runReadFile($userPath) {
     $filePath = '/var/data/' . $userPath;
     echo "__NYX_SINK_HIT__\n";
     $content = @file_get_contents($filePath);