Dynamic (#77)

2026-06-15 20:05:13 +02:00 · 2026-06-05 10:16:30 -05:00 · 2026-06-05 10:16:30 -05:00 · 991c84a1eb
commit 991c84a1eb
parent 55247b7fcd
1464 changed files with 225448 additions and 1985 deletions
--- a/tests/dynamic_fixtures/php_frameworks/codeigniter/benign.php
+++ b/tests/dynamic_fixtures/php_frameworks/codeigniter/benign.php
@ -0,0 +1,24 @@
+<?php
+// CodeIgniter-style route, benign sanitised payload.
+
+namespace App\Controllers;
+
+use CodeIgniter\Controller;
+use CodeIgniter\Router\RouteCollection;
+
+function nyx_register_routes(RouteCollection $routes): void
+{
+    $routes->get('run/(:any)', 'App\\Controllers\\UserController::run');
+}
+
+class UserController extends Controller
+{
+    public function run(string $payload): string
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "true " . escapeshellarg($payload);
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return $out;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/codeigniter/composer.json
+++ b/tests/dynamic_fixtures/php_frameworks/codeigniter/composer.json
@ -0,0 +1,7 @@
+{
+  "name": "nyx/fixture-codeigniter",
+  "require": {
+    "php": ">=8.1",
+    "codeigniter4/framework": "^4.4"
+  }
+}
--- a/tests/dynamic_fixtures/php_frameworks/codeigniter/vuln.php
+++ b/tests/dynamic_fixtures/php_frameworks/codeigniter/vuln.php
@ -0,0 +1,24 @@
+<?php
+// CodeIgniter-style route, vulnerable.
+
+namespace App\Controllers;
+
+use CodeIgniter\Controller;
+use CodeIgniter\Router\RouteCollection;
+
+function nyx_register_routes(RouteCollection $routes): void
+{
+    $routes->get('run/(:any)', 'App\\Controllers\\UserController::run');
+}
+
+class UserController extends Controller
+{
+    public function run(string $payload): string
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . $payload;
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return $out;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/codeigniter_config/app/Config/Routes.php
+++ b/tests/dynamic_fixtures/php_frameworks/codeigniter_config/app/Config/Routes.php
@ -0,0 +1,4 @@
+<?php
+use CodeIgniter\Router\RouteCollection;
+
+$routes->get('users/(:num)', 'UserController::show');
--- a/tests/dynamic_fixtures/php_frameworks/codeigniter_config/app/Controllers/UserController.php
+++ b/tests/dynamic_fixtures/php_frameworks/codeigniter_config/app/Controllers/UserController.php
@ -0,0 +1,10 @@
+<?php
+namespace App\Controllers;
+
+class UserController extends BaseController
+{
+    public function show($num)
+    {
+        return $num;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel/benign.php
+++ b/tests/dynamic_fixtures/php_frameworks/laravel/benign.php
@ -0,0 +1,23 @@
+<?php
+// Laravel-style route, benign sanitised payload.
+
+namespace App\Http\Controllers;
+
+use Illuminate\Routing\Router;
+
+function nyx_register_routes(Router $router): void
+{
+    $router->get('/run/{payload}', [UserController::class, 'run']);
+}
+
+class UserController
+{
+    public function run(string $payload): string
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "true " . escapeshellarg($payload);
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return $out;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel/composer.json
+++ b/tests/dynamic_fixtures/php_frameworks/laravel/composer.json
@ -0,0 +1,7 @@
+{
+  "name": "nyx/fixture-laravel",
+  "require": {
+    "php": ">=8.1",
+    "laravel/framework": "^11.0"
+  }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel/vuln.php
+++ b/tests/dynamic_fixtures/php_frameworks/laravel/vuln.php
@ -0,0 +1,23 @@
+<?php
+// Laravel-style route, vulnerable.
+
+namespace App\Http\Controllers;
+
+use Illuminate\Routing\Router;
+
+function nyx_register_routes(Router $router): void
+{
+    $router->get('/run/{payload}', [UserController::class, 'run']);
+}
+
+class UserController
+{
+    public function run(string $payload): string
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . $payload;
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return $out;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/benign.php
+++ b/tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/benign.php
@ -0,0 +1,28 @@
+<?php
+// Same route shape as vuln.php, but quotes the payload before invoking
+// the shell so the command-injection marker remains inert.
+
+namespace App\Http\Controllers;
+
+use Illuminate\Routing\Router;
+
+function nyx_register_routes(Router $router): void
+{
+    $router->match(['GET', 'POST'], '/run/{payload}', [UserController::class, 'run']);
+}
+
+class UserController
+{
+    public function run(string $payload): ?string
+    {
+        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
+            echo "__NYX_METHOD_SKIP__\n";
+            return null;
+        }
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "true " . escapeshellarg($payload);
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return $out;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/composer.json
+++ b/tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/composer.json
@ -0,0 +1,7 @@
+{
+  "name": "nyx/fixture-laravel-multi-verb",
+  "require": {
+    "php": ">=8.1",
+    "laravel/framework": "^11.0"
+  }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/vuln.php
+++ b/tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/vuln.php
@ -0,0 +1,28 @@
+<?php
+// Laravel-style multi-verb route fixture. The vulnerable sink is gated
+// to POST so verifier runs that exercise only GET miss the command injection.
+
+namespace App\Http\Controllers;
+
+use Illuminate\Routing\Router;
+
+function nyx_register_routes(Router $router): void
+{
+    $router->match(['GET', 'POST'], '/run/{payload}', [UserController::class, 'run']);
+}
+
+class UserController
+{
+    public function run(string $payload): ?string
+    {
+        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
+            echo "__NYX_METHOD_SKIP__\n";
+            return null;
+        }
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "true " . $payload;
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return $out;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel_routes/app/Http/Controllers/UserController.php
+++ b/tests/dynamic_fixtures/php_frameworks/laravel_routes/app/Http/Controllers/UserController.php
@ -0,0 +1,10 @@
+<?php
+namespace App\Http\Controllers;
+
+class UserController
+{
+    public function show($id)
+    {
+        return $id;
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/laravel_routes/routes/web.php
+++ b/tests/dynamic_fixtures/php_frameworks/laravel_routes/routes/web.php
@ -0,0 +1,5 @@
+<?php
+use Illuminate\Support\Facades\Route;
+use App\Http\Controllers\UserController;
+
+Route::get('/users/{id}', [UserController::class, 'show'])->middleware('auth');
--- a/tests/dynamic_fixtures/php_frameworks/symfony/benign.php
+++ b/tests/dynamic_fixtures/php_frameworks/symfony/benign.php
@ -0,0 +1,35 @@
+<?php
+// Symfony-style route via RouteCollection and HttpKernel, benign sanitised payload.
+
+namespace App\Controller;
+
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Routing\Route as SymfonyRoute;
+use Symfony\Component\Routing\RouteCollection;
+
+function nyx_register_routes(RouteCollection $routes): void
+{
+    $routes->add('nyx_run', new SymfonyRoute(
+        '/run/{payload}',
+        ['_controller' => [new UserController(), 'run']],
+        [],
+        [],
+        '',
+        [],
+        ['GET']
+    ));
+}
+
+class UserController
+{
+    #[Route('/run/{payload}', methods: ['GET'])]
+    public function run(string $payload): Response
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "true " . escapeshellarg($payload);
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return new Response($out);
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/symfony/composer.json
+++ b/tests/dynamic_fixtures/php_frameworks/symfony/composer.json
@ -0,0 +1,9 @@
+{
+  "name": "nyx/fixture-symfony",
+  "require": {
+    "php": ">=8.1",
+    "symfony/framework-bundle": "^7.0",
+    "symfony/routing": "^7.0",
+    "symfony/http-kernel": "^7.0"
+  }
+}
--- a/tests/dynamic_fixtures/php_frameworks/symfony/vuln.php
+++ b/tests/dynamic_fixtures/php_frameworks/symfony/vuln.php
@ -0,0 +1,35 @@
+<?php
+// Symfony-style route via RouteCollection and HttpKernel, vulnerable.
+
+namespace App\Controller;
+
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Routing\Route as SymfonyRoute;
+use Symfony\Component\Routing\RouteCollection;
+
+function nyx_register_routes(RouteCollection $routes): void
+{
+    $routes->add('nyx_run', new SymfonyRoute(
+        '/run/{payload}',
+        ['_controller' => [new UserController(), 'run']],
+        [],
+        [],
+        '',
+        [],
+        ['GET']
+    ));
+}
+
+class UserController
+{
+    #[Route('/run/{payload}', methods: ['GET'])]
+    public function run(string $payload): Response
+    {
+        echo "__NYX_SINK_HIT__\n";
+        $cmd = "echo hello " . $payload;
+        $out = shell_exec($cmd) ?? '';
+        echo $out;
+        return new Response($out);
+    }
+}
--- a/tests/dynamic_fixtures/php_frameworks/symfony_yaml/config/routes.yaml
+++ b/tests/dynamic_fixtures/php_frameworks/symfony_yaml/config/routes.yaml
@ -0,0 +1,4 @@
+report_show:
+  path: /reports/{id}
+  controller: App\Controller\ReportController::show
+  methods: [POST]
--- a/tests/dynamic_fixtures/php_frameworks/symfony_yaml/src/Controller/ReportController.php
+++ b/tests/dynamic_fixtures/php_frameworks/symfony_yaml/src/Controller/ReportController.php
@ -0,0 +1,12 @@
+<?php
+namespace App\Controller;
+
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+
+class ReportController extends AbstractController
+{
+    public function show($id)
+    {
+        return $id;
+    }
+}