apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Dynamic (#77)

Browse source
This commit is contained in:
Eli Peter 2026-06-05 10:16:30 -05:00 committed by GitHub
parent 55247b7fcd
commit 991c84a1eb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1464 changed files with 225448 additions and 1985 deletions
Download patch file Download diff file Expand all files Collapse all files

12
tests/dynamic_fixtures/xxe/python/benign.py Normal file
View file

@ -0,0 +1,12 @@
"""Phase 05 (Track J.3) — Python XXE benign fixture.
Same parser surface as `vuln.py` but the parser is configured with
`resolve_entities=False` and `no_network=True`, so the same payload's
`<!ENTITY>` block is rejected and no entity body is substituted.
"""
from lxml import etree
def run(body: bytes):
parser = etree.XMLParser(resolve_entities=False, no_network=True)
return etree.fromstring(body, parser=parser)

13
tests/dynamic_fixtures/xxe/python/vuln.py Normal file
View file

@ -0,0 +1,13 @@
"""Phase 05 (Track J.3) — Python XXE vuln fixture.
The function pulls XML bytes off the request and feeds them straight
to `lxml.etree.XMLParser(resolve_entities=True)`, so any
`<!ENTITY xxe SYSTEM "file:///…">` in the payload is resolved and its
body substituted into the parsed tree.
"""
from lxml import etree
def run(body: bytes):
parser = etree.XMLParser(resolve_entities=True)
return etree.fromstring(body, parser=parser)