Dynamic (#77)

tests/dynamic_fixtures/header_injection/python_raw/vuln.py

@@ -0,0 +1,37 @@
+# Phase 08 (Track J.6) — Python raw-socket HEADER_INJECTION vuln fixture.
+#
+# Writes the response status line and headers directly to the wire via
+# `self.wfile.write`, bypassing the framework-level CRLF validator that
+# werkzeug / Flask / axum / Tomcat would otherwise interpose.  A payload
+# carrying `\r\nSet-Cookie: ...` splits the single Set-Cookie header
+# into two on the wire, producing the canonical smuggled-second-header
+# shape that `ProbeKind::HeaderWireFrame` is designed to catch.
+#
+# The harness (`src/dynamic/lang/python.rs::emit_header_injection_harness`)
+# detects the `BaseHTTPRequestHandler` import in this file and routes
+# through the tier-(b) wire-frame branch: boot `HTTPServer` on a
+# loopback port, issue one `GET /` over a raw socket, read the bytes
+# the handler wrote to the response socket, and emit them as a
+# `ProbeKind::HeaderWireFrame` record.
+from http.server import BaseHTTPRequestHandler
+
+
+class VulnHandler(BaseHTTPRequestHandler):
+    # Set by the harness before each request.  Bytes go straight onto
+    # the wire with no encoding pass.
+    cookie_value: bytes = b""
+
+    def do_GET(self):
+        body = b"ok\n"
+        raw = (
+            b"HTTP/1.0 200 OK\r\n"
+            b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
+            b"Set-Cookie: " + self.__class__.cookie_value + b"\r\n"
+            b"\r\n"
+        ) + body
+        self.wfile.write(raw)
+
+    def log_message(self, *args, **kwargs):
+        # Silence default stderr logging so the harness captures only
+        # the probe + sink-hit sentinel.
+        return