Dynamic (#77)

tests/dynamic_fixtures/javascript/koa/benign.js

@@ -0,0 +1,26 @@
+// Phase 13 — Koa middleware, benign control.
+//
+// execFile (no shell), stderr silenced, child writes nothing to stdout.
+
+'use strict';
+const Koa = require('koa');
+const { execFileSync } = require('child_process');
+
+async function ping(ctx) {
+    const host = (ctx.query && ctx.query.host) || '';
+    process.stdout.write('__NYX_SINK_HIT__\n');
+    try {
+        execFileSync('true', [host], {
+            encoding: 'utf8',
+            timeout: 5000,
+            stdio: ['ignore', 'pipe', 'ignore'],
+        });
+        ctx.body = 'ok';
+    } catch (_e) {
+        ctx.body = 'err';
+    }
+}
+
+void Koa;
+
+module.exports = { ping };

tests/dynamic_fixtures/javascript/koa/package-lock.json

@@ -0,0 +1,12 @@
+{
+  "name": "nyx-harness-koa",
+  "version": "0.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "nyx-harness-koa",
+      "version": "0.0.0"
+    }
+  }
+}

tests/dynamic_fixtures/javascript/koa/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "nyx-harness-koa",
+  "version": "0.0.0",
+  "private": true,
+  "dependencies": {
+    "koa": "^2.15.3"
+  }
+}

tests/dynamic_fixtures/javascript/koa/vuln.js

@@ -0,0 +1,23 @@
+// Phase 13 — Koa middleware, vulnerable.
+//
+// Vulnerable middleware reads `ctx.query.host` and concatenates it into a
+// shell command.  Harness builds a mock ctx via js_shared::emit_koa.
+
+'use strict';
+const Koa = require('koa');
+const { execSync } = require('child_process');
+
+async function ping(ctx) {
+    const host = (ctx.query && ctx.query.host) || '';
+    process.stdout.write('__NYX_SINK_HIT__\n');
+    try {
+        const out = execSync('echo hello ' + host, { encoding: 'utf8', timeout: 5000 });
+        ctx.body = out;
+    } catch (e) {
+        ctx.body = (e.stdout || '') + (e.stderr || '');
+    }
+}
+
+void Koa;
+
+module.exports = { ping };