Dynamic (#77)

2026-06-09 19:45:13 +02:00 · 2026-06-05 10:16:30 -05:00 · 2026-06-05 10:16:30 -05:00 · 991c84a1eb
commit 991c84a1eb
parent 55247b7fcd
1464 changed files with 225448 additions and 1985 deletions
--- a/tests/dynamic_fixtures/python_frameworks/fastapi/benign.py
+++ b/tests/dynamic_fixtures/python_frameworks/fastapi/benign.py
@ -0,0 +1,20 @@
+"""Phase 12 (Track L.10) — FastAPI CMDI benign fixture.
+
+`GET /run?cmd=<...>` rejects anything outside an allowlist before
+invoking `subprocess.run` with a fixed argv, so the sink call is
+unreachable for attacker-controlled values.
+"""
+import subprocess
+from fastapi import FastAPI
+
+app = FastAPI()
+
+_ALLOW = {"status", "uptime", "version"}
+
+
+@app.get("/run")
+def run_cmd(cmd: str = ""):
+    if cmd not in _ALLOW:
+        return {"rejected": True}
+    subprocess.run(["/usr/bin/echo", cmd], check=False)
+    return {"ok": True}
--- a/tests/dynamic_fixtures/python_frameworks/fastapi/vuln.py
+++ b/tests/dynamic_fixtures/python_frameworks/fastapi/vuln.py
@ -0,0 +1,16 @@
+"""Phase 12 (Track L.10) — FastAPI CMDI vuln fixture.
+
+`GET /run?cmd=<...>` forwards the `cmd` query parameter straight into
+`os.system`.  Adapter binding: `@app.get("/run")` with `cmd` flowing
+through the function formal.
+"""
+import os
+from fastapi import FastAPI
+
+app = FastAPI()
+
+
+@app.get("/run")
+def run_cmd(cmd: str = ""):
+    os.system(cmd)
+    return {"ok": True}