Dynamic (#77)

tests/dynamic_fixtures/javascript/async_function/benign.js

@@ -0,0 +1,24 @@
+// Phase 13 — bare async function, benign control.
+//
+// execFile (no shell) via util.promisify(execFile).  Payload never reaches a
+// shell; stderr silenced so payload bytes do not leak via the inner process'
+// error message.
+
+'use strict';
+const { execFile } = require('child_process');
+const { promisify } = require('util');
+const execFileP = promisify(execFile);
+
+async function runPing(host) {
+    process.stdout.write('__NYX_SINK_HIT__\n');
+    try {
+        const { stdout } = await execFileP('true', [host], {
+            timeout: 5000,
+        });
+        return stdout;
+    } catch (_e) {
+        return 'err';
+    }
+}
+
+module.exports = { runPing };

tests/dynamic_fixtures/javascript/async_function/vuln.js

@@ -0,0 +1,25 @@
+// Phase 13 — bare async function, vulnerable.
+//
+// Stdlib-only.  Async function awaits `child_process.exec` via util.promisify
+// so the harness's `await _entry.runPing(payload)` resolves before the
+// process exits.
+
+'use strict';
+const { exec } = require('child_process');
+const { promisify } = require('util');
+const execP = promisify(exec);
+
+async function runPing(host) {
+    process.stdout.write('__NYX_SINK_HIT__\n');
+    try {
+        const { stdout } = await execP('echo hello ' + host, { timeout: 5000 });
+        process.stdout.write(stdout);
+        return stdout;
+    } catch (e) {
+        const out = (e.stdout || '') + (e.stderr || '');
+        process.stdout.write(out);
+        return out;
+    }
+}
+
+module.exports = { runPing };