Dynamic (#77)

tests/dynamic_fixtures/js_frameworks/express/benign.js

@@ -0,0 +1,28 @@
+// Phase 13 (Track L.11) — Express CMDI benign fixture.
+//
+// The `/run` route accepts a `cmd` query parameter but rejects
+// everything outside an allowlist before invoking `child_process.exec`
+// with a fixed argv, so the sink call is unreachable for
+// attacker-controlled values.
+
+const express = require('express');
+const { execFile } = require('child_process');
+
+const app = express();
+
+const ALLOW = new Set(['status', 'uptime', 'version']);
+
+function runCmd(req, res) {
+    const cmd = req.query.cmd || '';
+    if (!ALLOW.has(cmd)) {
+        return res.status(400).send('rejected');
+    }
+    execFile('/usr/bin/echo', [cmd], (err, stdout) => {
+        if (err) return res.status(500).send(String(err));
+        res.send(stdout);
+    });
+}
+
+app.get('/run', runCmd);
+
+module.exports = { app, runCmd };

tests/dynamic_fixtures/js_frameworks/express/vuln.js

@@ -0,0 +1,23 @@
+// Phase 13 (Track L.11) — Express CMDI vuln fixture.
+//
+// The `/run` route forwards a `cmd` query parameter straight into
+// `child_process.exec`, so any attacker who reaches the route can
+// execute arbitrary shell.  Adapter binding:
+// `app.get('/run', runCmd)` with `cmd` flowing through `req.query.cmd`.
+
+const express = require('express');
+const { exec } = require('child_process');
+
+const app = express();
+
+function runCmd(req, res) {
+    const cmd = req.query.cmd || '';
+    exec('ls ' + cmd, (err, stdout) => {
+        if (err) return res.status(500).send(String(err));
+        res.send(stdout);
+    });
+}
+
+app.get('/run', runCmd);
+
+module.exports = { app, runCmd };

tests/dynamic_fixtures/js_frameworks/fastify/benign.js

@@ -0,0 +1,28 @@
+// Phase 13 (Track L.11) — Fastify CMDI benign fixture.
+//
+// The `/run` route accepts a `cmd` query parameter but rejects
+// everything outside an allowlist before invoking
+// `child_process.execFile` with a fixed argv.
+
+const fastify = require('fastify')();
+const { execFile } = require('child_process');
+
+const ALLOW = new Set(['status', 'uptime', 'version']);
+
+async function runCmd(request, reply) {
+    const cmd = request.query.cmd || '';
+    if (!ALLOW.has(cmd)) {
+        reply.code(400).send('rejected');
+        return;
+    }
+    const out = await new Promise((resolve) => {
+        execFile('/usr/bin/echo', [cmd], (err, stdout) => {
+            resolve(err ? String(err) : stdout);
+        });
+    });
+    reply.send(out);
+}
+
+fastify.get('/run', runCmd);
+
+module.exports = { app: fastify, runCmd };

tests/dynamic_fixtures/js_frameworks/fastify/vuln.js

@@ -0,0 +1,20 @@
+// Phase 13 (Track L.11) — Fastify CMDI vuln fixture.
+//
+// The `/run` route forwards a `cmd` query parameter straight into
+// `child_process.exec`.  Adapter binding: `fastify.get('/run', runCmd)`
+// with `cmd` flowing through `request.query.cmd`.
+
+const fastify = require('fastify')();
+const { exec } = require('child_process');
+
+async function runCmd(request, reply) {
+    const cmd = request.query.cmd || '';
+    const out = await new Promise((resolve) => {
+        exec('ls ' + cmd, (err, stdout) => resolve(err ? String(err) : stdout));
+    });
+    reply.send(out);
+}
+
+fastify.get('/run', runCmd);
+
+module.exports = { app: fastify, runCmd };

tests/dynamic_fixtures/js_frameworks/koa/benign.js

@@ -0,0 +1,34 @@
+// Phase 13 (Track L.11) — Koa CMDI benign fixture.
+//
+// The `/run` route accepts a `cmd` query parameter but rejects
+// everything outside an allowlist before invoking `child_process.execFile`
+// with a fixed argv.
+
+const Koa = require('koa');
+const Router = require('@koa/router');
+const { execFile } = require('child_process');
+
+const app = new Koa();
+const router = new Router();
+
+const ALLOW = new Set(['status', 'uptime', 'version']);
+
+async function runCmd(ctx) {
+    const cmd = ctx.query.cmd || '';
+    if (!ALLOW.has(cmd)) {
+        ctx.status = 400;
+        ctx.body = 'rejected';
+        return;
+    }
+    await new Promise((resolve) => {
+        execFile('/usr/bin/echo', [cmd], (err, stdout) => {
+            ctx.body = err ? String(err) : stdout;
+            resolve();
+        });
+    });
+}
+
+router.get('/run', runCmd);
+app.use(router.routes());
+
+module.exports = { app, runCmd };

tests/dynamic_fixtures/js_frameworks/koa/vuln.js

@@ -0,0 +1,27 @@
+// Phase 13 (Track L.11) — Koa CMDI vuln fixture.
+//
+// The `/run` route forwards a `cmd` query parameter straight into
+// `child_process.exec`.  Adapter binding: `router.get('/run', runCmd)`
+// with `cmd` flowing through `ctx.query.cmd`.
+
+const Koa = require('koa');
+const Router = require('@koa/router');
+const { exec } = require('child_process');
+
+const app = new Koa();
+const router = new Router();
+
+async function runCmd(ctx) {
+    const cmd = ctx.query.cmd || '';
+    await new Promise((resolve) => {
+        exec('ls ' + cmd, (err, stdout) => {
+            ctx.body = err ? String(err) : stdout;
+            resolve();
+        });
+    });
+}
+
+router.get('/run', runCmd);
+app.use(router.routes());
+
+module.exports = { app, runCmd };

tests/dynamic_fixtures/js_frameworks/nest/benign.js

@@ -0,0 +1,26 @@
+// Phase 13 (Track L.11) — NestJS CMDI benign fixture.  Same adapter
+// binding shape as the vuln fixture; the differential outcome is what
+// distinguishes the two.
+
+require('reflect-metadata');
+const { Controller, Get, Query } = require('@nestjs/common');
+const { execFile } = require('child_process');
+
+const ALLOW = new Set(['status', 'uptime', 'version']);
+
+@Controller('')
+class AppController {
+    @Get('run')
+    runCmd(@Query('cmd') cmd) {
+        if (!ALLOW.has(cmd || '')) {
+            return 'rejected';
+        }
+        return new Promise((resolve) => {
+            execFile('/usr/bin/echo', [cmd], (err, stdout) => {
+                resolve(err ? String(err) : stdout);
+            });
+        });
+    }
+}
+
+module.exports = { AppController };

tests/dynamic_fixtures/js_frameworks/nest/vuln.js

@@ -0,0 +1,27 @@
+// Phase 13 (Track L.11) — NestJS CMDI vuln fixture (Babel-stage-1
+// decorator syntax form).  Real Nest projects publish their
+// controllers either as `.ts` files or as Babel-transpiled `.js`
+// carrying the inline decorator syntax via `@babel/plugin-proposal-decorators`
+// + `reflect-metadata`.  The adapter binds the decorator syntax;
+// the harness loads the entry via `Test.createTestingModule`.
+//
+// Adapter binding: `@Controller('')` + `@Get('run')` on
+// `AppController.runCmd` with `cmd` flowing through `@Query('cmd')`.
+
+require('reflect-metadata');
+const { Controller, Get, Query } = require('@nestjs/common');
+const { exec } = require('child_process');
+
+@Controller('')
+class AppController {
+    @Get('run')
+    runCmd(@Query('cmd') cmd) {
+        return new Promise((resolve) => {
+            exec('ls ' + (cmd || ''), (err, stdout) => {
+                resolve(err ? String(err) : stdout);
+            });
+        });
+    }
+}
+
+module.exports = { AppController };