Dynamic (#77)

tests/dynamic_fixtures/xpath_injection/php/benign.php

@@ -0,0 +1,24 @@
+<?php
+// Phase 07 (Track J.5) — PHP XPATH_INJECTION benign control fixture.
+//
+// Same shape as `vuln.php` but routes the attacker-controlled `$name`
+// through a small XPath-string-literal escape helper before splicing
+// it into the expression, so the selector stays pinned to a single
+// node.
+function nyx_xpath_escape($s) {
+    if (strpos($s, "'") === false) {
+        return "'" . $s . "'";
+    }
+    if (strpos($s, '"') === false) {
+        return '"' . $s . '"';
+    }
+    return "concat('" . str_replace("'", "',\"'\",'", $s) . "')";
+}
+
+function run($name) {
+    $doc = new DOMDocument();
+    $doc->load('xpath_corpus.xml');
+    $xp = new DOMXPath($doc);
+    $expr = "//user[@name=" . nyx_xpath_escape($name) . "]";
+    return $xp->query($expr);
+}

tests/dynamic_fixtures/xpath_injection/php/vuln.php

@@ -0,0 +1,15 @@
+<?php
+// Phase 07 (Track J.5) — PHP XPATH_INJECTION vuln fixture.
+//
+// The function string-concatenates the attacker-controlled `$name`
+// directly into an XPath expression evaluated by `DOMXPath::query`.
+// A payload like `alice' or '1'='1` rewraps the selector as
+// `//user[@name='alice' or '1'='1']`, matching every <user> node in
+// the staged `xpath_corpus.xml`.
+function run($name) {
+    $doc = new DOMDocument();
+    $doc->load('xpath_corpus.xml');
+    $xp = new DOMXPath($doc);
+    $expr = "//user[@name='" . $name . "']";
+    return $xp->query($expr);
+}