apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] sweep after phase 05: 1 deferred items resolved

Browse source
This commit is contained in:
pitboss 2026-05-17 21:34:53 -05:00
parent 4de925c3ef
commit 993bfabe28
12 changed files with 619 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/dynamic/corpus/deserialize/java.rs
View file

@ -30,7 +30,7 @@ pub const PAYLOADS: &[CuratedPayload] = &[
since_corpus_version: 7,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/dynamic_fixtures/deserialize/java/vuln.java",
"tests/dynamic_fixtures/deserialize/java/Vuln.java",
],
oob_nonce_slot: false,
probe_predicates: &[ProbePredicate::DeserializeGadgetInvoked {
@ -56,7 +56,7 @@ pub const PAYLOADS: &[CuratedPayload] = &[
since_corpus_version: 7,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/dynamic_fixtures/deserialize/java/benign.java",
"tests/dynamic_fixtures/deserialize/java/Benign.java",
],
oob_nonce_slot: false,
probe_predicates: &[],

4
src/dynamic/corpus/xxe/java.rs
View file

@ -32,7 +32,7 @@ pub const PAYLOADS: &[CuratedPayload] = &[
since_corpus_version: 9,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/dynamic_fixtures/xxe/java/vuln.java",
"tests/dynamic_fixtures/xxe/java/Vuln.java",
],
oob_nonce_slot: false,
probe_predicates: &[ProbePredicate::XxeEntityExpanded {
@ -57,7 +57,7 @@ pub const PAYLOADS: &[CuratedPayload] = &[
since_corpus_version: 9,
deprecated_at_corpus_version: None,
fixture_paths: &[
"tests/dynamic_fixtures/xxe/java/benign.java",
"tests/dynamic_fixtures/xxe/java/Benign.java",
],
oob_nonce_slot: false,
probe_predicates: &[],

4
src/dynamic/lang/java.rs
View file

@ -667,6 +667,10 @@ public class NyxHarness {{
nyxDeserializeProbe(true);
}}
}}
// Sink-reachability sentinel — runner's `vuln_fired && sink_hit`
// gate consumes this; without it differential confirmation cannot
// fire even when the probe was written.
System.out.println("__NYX_SINK_HIT__");
}}
}}
"#

4
src/dynamic/lang/python.rs
View file

@ -676,6 +676,10 @@ def _nyx_run():
if __name__ == "__main__":
_nyx_run()
# Sink-reachability sentinel runner's `vuln_fired && sink_hit`
# gate consumes this; without it differential confirmation cannot
# fire even when the probe was written.
print("__NYX_SINK_HIT__", flush=True)
"#
);
HarnessSource {

16
src/dynamic/lang/ruby.rs
View file

@ -220,27 +220,27 @@ fn read_entry_source(entry_file: &str) -> String {
pub fn probe_shim() -> &'static str {
r#"
# __nyx_probe shim (Phase 06 Track C.1, Phase 08 Track C.4 + C.5)
__NYX_DENY_SUBSTRINGS = %w[
NYX_DENY_SUBSTRINGS = %w[
TOKEN SECRET PASSWORD PASSWD API_KEY APIKEY PRIVATE_KEY CREDENTIAL SESSION
COOKIE AUTH BEARER AWS_ACCESS AWS_SESSION GH_TOKEN GITHUB_TOKEN NPM_TOKEN
PYPI_TOKEN DOCKER_PASS
].freeze
__NYX_PAYLOAD_LIMIT = 16 * 1024
__NYX_REDACTED = '<redacted-by-nyx-policy>'
NYX_PAYLOAD_LIMIT = 16 * 1024
NYX_REDACTED = '<redacted-by-nyx-policy>'
def __nyx_is_denied_key(k)
ku = k.to_s.upcase
__NYX_DENY_SUBSTRINGS.any? { |n| ku.include?(n) }
NYX_DENY_SUBSTRINGS.any? { |n| ku.include?(n) }
end
def __nyx_witness(sink_callee, args)
env_snapshot = {}
ENV.each do |k, v|
env_snapshot[k] = __nyx_is_denied_key(k) ? __NYX_REDACTED : v
env_snapshot[k] = __nyx_is_denied_key(k) ? NYX_REDACTED : v
end
payload = ENV['NYX_PAYLOAD'] || ''
pb = payload.bytes
pb = pb[0, __NYX_PAYLOAD_LIMIT] if pb.length > __NYX_PAYLOAD_LIMIT
pb = pb[0, NYX_PAYLOAD_LIMIT] if pb.length > NYX_PAYLOAD_LIMIT
repr = args.map { |a| a.is_a?(String) ? a : a.to_s }
cwd = (Dir.pwd rescue '')
{
@ -476,6 +476,10 @@ if payload.start_with?('NYX_GADGET_CLASS:')
_nyx_deserialize_probe(true)
end
end
# Sink-reachability sentinel runner's `vuln_fired && sink_hit`
# gate consumes this; without it differential confirmation cannot
# fire even when the probe was written.
STDOUT.puts '__NYX_SINK_HIT__'
"#
);
HarnessSource {