Dynamic (#77)

tests/dynamic_fixtures/ruby/controller_method/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Phase 15 fixture — generic controller-method shape.  No framework
+# dep is required at runtime; the Gemfile is informational.

tests/dynamic_fixtures/ruby/controller_method/benign.rb

@@ -0,0 +1,13 @@
+# Phase 15 — generic instance method on a controller, benign.
+
+class LoginController
+  def authenticate(payload)
+    unless payload =~ /\A[A-Za-z0-9]{1,32}\z/
+      STDOUT.print("invalid\n")
+      return "invalid"
+    end
+    out = `echo hello`
+    STDOUT.print(out)
+    out
+  end
+end

tests/dynamic_fixtures/ruby/controller_method/vuln.rb

@@ -0,0 +1,12 @@
+# Phase 15 — generic instance method on a controller, vulnerable.
+# No framework markers — RubyShape::detect picks ControllerMethod
+# from the class+def pair.
+
+class LoginController
+  def authenticate(payload)
+    STDOUT.print("__NYX_SINK_HIT__\n")
+    out = `echo hello #{payload}`
+    STDOUT.print(out)
+    out
+  end
+end