mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-30 20:39:39 +02:00
Dynamic (#77)
parent
55247b7fcd
commit
991c84a1eb
1464 changed files with 225448 additions and 1985 deletions
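--- a/tests/dynamic_fixtures/stubs_e2e/php/http/vuln/main.php
+++ b/tests/dynamic_fixtures/stubs_e2e/php/http/vuln/main.php
@@ -0,0 +1,35 @@
+<?php
+// Phase 10 (Track D.3) stub-end-to-end fixture: PHP + HTTP.
+//
+// The verifier publishes:
+//
+// * NYX_HTTP_ENDPOINT - http://127.0.0.1:{port} the HttpStub listens on.
+// * NYX_HTTP_LOG - companion log path the harness appends attempted
+// outbound calls to so the host HttpStub picks them
+// up on drain_events() even when the request bypasses
+// the on-the-wire listener (DNS-mocked,
+// network-isolated sandbox, pre-flight check).
+//
+// This fixture exercises the side-channel path: it records an attempted
+// SSRF call to http://169.254.169.254/latest/meta-data/ through the PHP
+// shim helper __nyx_stub_http_record without issuing the actual network
+// call. The companion test in tests/stubs_e2e_per_lang.rs strips this
+// leading <?php tag, splices in crate::dynamic::lang::php::probe_shim
+// ahead of the remaining body inside a fresh <?php block, runs it with
+// both env vars set, and asserts the stub captured the attempt.
+
+function nyx_e2e_main(): void {
+$method = 'GET';
+$url = 'http://169.254.169.254/latest/meta-data/';
+$body = '';
+// Record the attempted call through the probe shim so the host
+// HttpStub captures it on the next drain_events() call even when the
+// harness never reaches the on-the-wire listener.
+__nyx_stub_http_record($method, $url, $body, ['driver' => 'curl']);
+// Echo so the host can confirm the driver ran end-to-end.
+$endpoint = getenv('NYX_HTTP_ENDPOINT');
+echo ($endpoint === false || $endpoint === '') ? 'no-endpoint' : $endpoint;
+echo "\n";
+}
+
+nyx_e2e_main();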
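Review bot: The `['driver' => 'curl']` tag on the `__nyx_stub_http_record` call labels the event as a curl request although nothing in `nyx_e2e_main` invokes curl, so anyone reading the stub log sees a driver that never ran; the SQL fixture in this same commit reports `'none'` in the equivalent situation. If the tag is only a label for the side-channel path, say so next to the call, e.g. `// 'curl' is a label only: no request is issued from this fixture`. It is also worth a comment at `$url` stating that the link-local metadata address must stay record-only, since on a cloud-hosted CI runner a real request to it would reach the runner's own instance metadata service.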
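--- a/tests/dynamic_fixtures/stubs_e2e/php/sql/vuln/main.php
+++ b/tests/dynamic_fixtures/stubs_e2e/php/sql/vuln/main.php
@@ -0,0 +1,41 @@
+<?php
+// Phase 10 (Track D.3) stub-end-to-end fixture: PHP + SQL.
+//
+// The verifier publishes:
+//
+// NYX_SQL_ENDPOINT absolute path of a SQLite DB the SqlStub owns.
+// NYX_SQL_LOG companion log path the harness appends executed
+// queries to so the host SqlStub picks them up on
+// drain_events().
+//
+// This fixture opens the stub DB with stdlib SQLite3, runs a tautology
+// SELECT (OR 1=1), and forwards the executed query to the stub through
+// the PHP shim helper __nyx_stub_sql_record. The companion test in
+// tests/stubs_e2e_per_lang.rs splices in
+// crate::dynamic::lang::php::probe_shim ahead of this source, runs it
+// with both env vars set, and asserts the stub captured the tautology.
+
+function main(): void {
+$db_path = getenv('NYX_SQL_ENDPOINT');
+if ($db_path === false || $db_path === '') {
+return;
+}
+$query = "SELECT 1 WHERE 'a' = 'a' OR 1=1 --";
+$driver = 'none';
+if (class_exists('SQLite3')) {
+$driver = 'SQLite3';
+$db = new SQLite3($db_path);
+$rows = $db->query($query);
+if ($rows !== false) {
+while ($r = $rows->fetchArray(SQLITE3_NUM)) {
+echo $r[0] . "\n";
+}
+}
+$db->close();
+}
+// Record the executed query through the probe shim so the host
+// SqlStub captures it on the next drain_events() call.
+__nyx_stub_sql_record($query, ['driver' => $driver]);
+}
+
+main();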
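Review bot: The `__nyx_stub_sql_record($query, ['driver' => $driver])` call at the end of `main` runs even when `class_exists('SQLite3')` is false or `$db->query()` returned false, so the stub receives the tautology although no statement was executed, and a test that only asserts the capture could pass without the SQLite path ever running. Consider recording only after a successful query, or failing loudly when the extension is missing, e.g. `if ($driver === 'none') { fwrite(STDERR, "SQLite3 unavailable\n"); exit(1); }`; if the unconditional record is intended, the header comment's "executed query" would read more accurately as "attempted query". The early `return` on an empty `NYX_SQL_ENDPOINT` is similarly silent, whereas the HTTP fixture prints `no-endpoint`. Separately, `main` is a very generic global name for a file that gets a shim spliced in ahead of it; the HTTP fixture's `nyx_e2e_main` naming would rule out a redeclaration clash.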