apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

style(all): reformat long lines across files for improved code readability and alignment of nested structures

Browse source
This commit is contained in:
elipeter 2026-06-01 19:54:28 -05:00
parent e64fb25dae
commit 9914d26bdf
20 changed files with 229 additions and 182 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/dynamic/build_pool/java.rs
View file

@ -102,10 +102,10 @@ impl JavacPool {
// If a prior call torched the worker, try one re-spawn here so
// the caller doesn't see consecutive failures from a transient
// JVM crash.
if guard.is_none() {
if let Ok(w) = spawn_worker(&self.bootstrap_dir) {
*guard = Some(w);
}
if guard.is_none()
&& let Ok(w) = spawn_worker(&self.bootstrap_dir)
{
*guard = Some(w);
}
let worker = match guard.as_mut() {
Some(w) => w,
@ -419,8 +419,7 @@ fn decode_b64(s: &str) -> Option<String> {
}
let bytes: Vec<u8> = s.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
let mut iter = bytes.chunks(4);
while let Some(chunk) = iter.next() {
for chunk in bytes.chunks(4) {
if chunk.len() < 2 {
return None;
}

16
src/dynamic/build_pool/ruby.rs
View file

@ -53,14 +53,14 @@ impl BuildPool for RubyPool {
let start = Instant::now();
// `bundle check` short-circuits when the host already has every gem.
if let Ok(o) = self.bundle(workdir).arg("check").output() {
if o.status.success() {
return PoolCompileResult {
success: true,
stderr: String::new(),
duration: start.elapsed(),
};
}
if let Ok(o) = self.bundle(workdir).arg("check").output()
&& o.status.success()
{
return PoolCompileResult {
success: true,
stderr: String::new(),
duration: start.elapsed(),
};
}
// The install target is pinned to a writable vendor dir via

170
src/dynamic/build_sandbox.rs
View file

@ -100,16 +100,16 @@ pub fn prepare_rust(spec: &HarnessSpec, workdir: &Path) -> Result<BuildResult, B
/// healthy pool is surfaced verbatim (no legacy re-run — it would fail the
/// same way).
fn build_rust_binary(workdir: &Path, binary_dest: &Path) -> Result<(), String> {
if is_pool_enabled("rust") {
if let Ok(pool) = RustPool::try_new() {
let pool_args = [binary_dest.to_string_lossy().into_owned()];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("rust")
&& let Ok(pool) = RustPool::try_new()
{
let pool_args = [binary_dest.to_string_lossy().into_owned()];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_build_rust_binary(workdir, binary_dest)
@ -496,15 +496,15 @@ pub fn prepare_ruby(spec: &HarnessSpec, workdir: &Path) -> Result<BuildResult, B
/// Route Bundler through [`RubyPool`] (shared Bootsnap cache) when enabled,
/// else the legacy `bundle check`/`install` path.
fn bundle_install(workdir: &Path) -> Result<(), String> {
if is_pool_enabled("ruby") {
if let Ok(pool) = RubyPool::try_new() {
let res = pool.compile_batch(workdir, &[]);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("ruby")
&& let Ok(pool) = RubyPool::try_new()
{
let res = pool.compile_batch(workdir, &[]);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_bundle_install(workdir)
@ -672,15 +672,15 @@ pub fn prepare_node(spec: &HarnessSpec, workdir: &Path) -> Result<BuildResult, B
/// Route `npm install` through [`NodePool`] (shared npm download cache) when
/// enabled, else the legacy direct-spawn path.
fn npm_install(workdir: &Path) -> Result<(), String> {
if is_pool_enabled("node") {
if let Ok(pool) = NodePool::try_new() {
let res = pool.compile_batch(workdir, &[]);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("node")
&& let Ok(pool) = NodePool::try_new()
{
let res = pool.compile_batch(workdir, &[]);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_npm_install(workdir)
@ -804,16 +804,16 @@ pub fn prepare_go(spec: &HarnessSpec, workdir: &Path) -> Result<BuildResult, Bui
/// `GOMODCACHE`, `-trimpath -buildvcs=false`) when enabled, else the legacy
/// per-workdir-cache path.
fn build_go_binary(workdir: &Path, binary_dest: &Path) -> Result<(), String> {
if is_pool_enabled("go") {
if let Ok(pool) = GoPool::try_new() {
let pool_args = [binary_dest.to_string_lossy().into_owned()];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("go")
&& let Ok(pool) = GoPool::try_new()
{
let pool_args = [binary_dest.to_string_lossy().into_owned()];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_build_go_binary(workdir, binary_dest)
@ -1115,22 +1115,22 @@ fn try_compile_java_with_toolchain(
// the direct-spawn legacy path so an operator with a broken JDK
// install still gets a deterministic build error from `javac`
// itself rather than from the pool wrapper.
if is_pool_enabled("java") {
if let Some(pool) = javac_pool_for(toolchain_id) {
let result = pool.compile_batch(workdir, &args);
if result.success {
return finalize_java_compile(workdir, cache_path, lib_on_cp);
}
if pool.is_healthy() {
// The compile itself failed (real source error) -- surface
// the worker's stderr verbatim.
return Err(result.stderr);
}
// Worker crashed: drop the cached pool so the next call
// re-spawns it, then fall through to the legacy direct-spawn
// path so this build still has a chance to succeed.
drop_javac_pool(toolchain_id);
if is_pool_enabled("java")
&& let Some(pool) = javac_pool_for(toolchain_id)
{
let result = pool.compile_batch(workdir, &args);
if result.success {
return finalize_java_compile(workdir, cache_path, lib_on_cp);
}
if pool.is_healthy() {
// The compile itself failed (real source error) -- surface
// the worker's stderr verbatim.
return Err(result.stderr);
}
// Worker crashed: drop the cached pool so the next call
// re-spawns it, then fall through to the legacy direct-spawn
// path so this build still has a chance to succeed.
drop_javac_pool(toolchain_id);
}
let javac = std::env::var("NYX_JAVAC_BIN").unwrap_or_else(|_| "javac".to_owned());
@ -1372,15 +1372,15 @@ pub fn prepare_php(spec: &HarnessSpec, workdir: &Path) -> Result<BuildResult, Bu
/// Route Composer through [`PhpPool`] (shared download cache + opcache
/// file-cache warm) when enabled, else the legacy direct-spawn path.
fn composer_install(workdir: &Path) -> Result<(), String> {
if is_pool_enabled("php") {
if let Ok(pool) = PhpPool::try_new() {
let res = pool.compile_batch(workdir, &[]);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("php")
&& let Ok(pool) = PhpPool::try_new()
{
let res = pool.compile_batch(workdir, &[]);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_composer_install(workdir)
@ -1486,19 +1486,19 @@ pub fn prepare_c(
/// static-link toggle is forwarded so the pool can reproduce the
/// Strict-profile `-static` fallback.
fn build_c_binary(workdir: &Path, binary_dest: &Path, static_link: bool) -> Result<(), String> {
if is_pool_enabled("c") {
if let Ok(pool) = CPool::try_new() {
let pool_args = [
binary_dest.to_string_lossy().into_owned(),
if static_link { "static" } else { "dynamic" }.to_owned(),
];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("c")
&& let Ok(pool) = CPool::try_new()
{
let pool_args = [
binary_dest.to_string_lossy().into_owned(),
if static_link { "static" } else { "dynamic" }.to_owned(),
];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_build_c_binary(workdir, binary_dest, static_link)
@ -1654,16 +1654,16 @@ pub fn prepare_cpp(spec: &HarnessSpec, workdir: &Path) -> Result<BuildResult, Bu
/// Route the C++ harness build through [`CppPool`] (`ccache` + shared object
/// cache) when enabled, else the legacy direct-spawn `c++` path.
fn build_cpp_binary(workdir: &Path, binary_dest: &Path) -> Result<(), String> {
if is_pool_enabled("cpp") {
if let Ok(pool) = CppPool::try_new() {
let pool_args = [binary_dest.to_string_lossy().into_owned()];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
if is_pool_enabled("cpp")
&& let Ok(pool) = CppPool::try_new()
{
let pool_args = [binary_dest.to_string_lossy().into_owned()];
let res = pool.compile_batch(workdir, &pool_args);
if res.success {
return Ok(());
}
if pool.is_healthy() {
return Err(res.stderr);
}
}
try_build_cpp_binary(workdir, binary_dest)

8
src/dynamic/corpus/path_trav/java.rs
View file

@ -27,10 +27,10 @@ use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
/// `../nyx_pt_canary` traversal resolves.
pub const CANARY_FILENAME: &str = "nyx_pt_canary";
/// Canary file CONTENT — the collision-resistant FILE_IO marker. Alphanumeric
/// + underscore so a faithful HTML/URL escaper leaves it intact when the
/// fixture writes the read bytes to the response. NOT a substring of any
/// payload path.
/// Canary file content for the collision-resistant FILE_IO marker. It uses
/// alphanumeric characters plus underscore, so a faithful HTML/URL escaper
/// leaves it intact when the fixture writes the read bytes to the response.
/// NOT a substring of any payload path.
pub const CANARY_MARKER: &str = "NYX_PATHTRAVERSAL_R34D_a7f3c1d8";
pub const PAYLOADS: &[CuratedPayload] = &[

2
src/dynamic/oracle.rs
View file

@ -2021,7 +2021,7 @@ mod tests {
.all(|b| b.is_ascii_hexdigit() && !b.is_ascii_uppercase()),
"render must be lowercase hex: {r}",
);
assert!(Canary::ENTROPY_BITS >= 128);
const { assert!(Canary::ENTROPY_BITS >= 128) };
assert!(
r.len() * 4 >= 128,
"rendered canary clears the 128-bit floor"

13
src/dynamic/sandbox/process_linux.rs
View file

@ -287,7 +287,7 @@ unsafe extern "C" {
target: *const i8,
fstype: *const i8,
flags: u64,
data: *const i8,
data: *const core::ffi::c_void,
) -> i32;
fn write(fd: i32, buf: *const u8, count: usize) -> isize;
fn __errno_location() -> *mut i32;
@ -319,10 +319,6 @@ fn apply_no_new_privs() -> PrimitiveStatus {
}
}
fn apply_unshare() -> PrimitiveStatus {
apply_unshare_with_flags(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS)
}
fn apply_unshare_with_flags(flags: i32) -> PrimitiveStatus {
// CLONE_NEWUSER must come first on most modern kernels so the
// unprivileged caller can map uid/gid; CLONE_NEWPID + CLONE_NEWNS
@ -388,9 +384,10 @@ struct BindMount {
/// the [`HardeningOutcome`] wire record, so callers that care about the
/// bind-mount succeeding gate on whether the harness produced output.
///
/// Called in pre_exec between [`apply_unshare`] and [`apply_chroot`] so
/// the new mount namespace is private to the child + grandchildren and
/// the workdir is still reachable at its host-side absolute path.
/// Called in pre_exec after [`apply_unshare_with_flags`] and before
/// [`apply_chroot`] so the new mount namespace is private to the child +
/// grandchildren and the workdir is still reachable at its host-side absolute
/// path.
fn apply_bind_mounts(mounts: &[BindMount]) {
let none = b"none\0";
for m in mounts {