Dynamic (#77)

tests/dynamic_fixtures/class_method/c/benign.c

@@ -0,0 +1,16 @@
+/* Phase 19 (Track M.1) — class-method benign control for C. */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+void UserService_run(const char *input, size_t len) {
+    (void)len;
+    /* Uses execve via fork; the shell never sees or echoes `input`. */
+    pid_t pid = fork();
+    if (pid == 0) {
+        char *argv[] = { (char*)"/usr/bin/true", (char*)(input ? input : ""), NULL };
+        execv("/usr/bin/true", argv);
+        _exit(127);
+    }
+}

tests/dynamic_fixtures/class_method/c/vuln.c

@@ -0,0 +1,16 @@
+/* Phase 19 (Track M.1) — class-method vuln fixture for C.
+ *
+ * C has no class system; the harness calls a free function whose name
+ * follows the `<Class>_<method>` convention (`UserService_run`). The
+ * function piping `input` straight into `system(3)` is the SINK. */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+void UserService_run(const char *input, size_t len) {
+    (void)len;
+    char buf[512];
+    snprintf(buf, sizeof(buf), "true %s", input ? input : "");
+    /* SINK: tainted input → system(3) */
+    system(buf);
+}