[pitboss/grind] deferred session-0006 (20260520T233019Z-6958)

2026-06-21 20:18:06 +02:00 · 2026-05-20 23:44:34 -05:00 · 2026-05-20 23:44:34 -05:00 · 9a0529e8f8
commit 9a0529e8f8
parent c885a8d424
16 changed files with 1455 additions and 280 deletions
--- a/tests/dynamic_sandbox_escape.rs
+++ b/tests/dynamic_sandbox_escape.rs
@ -509,19 +509,17 @@ mod escape_tests {
        let opts = escape_opts();

        // First run — starts a new container.
-        let r1 = sandbox::run(&harness, &noop_payload(), &opts);
+        let r1 = sandbox::run(&harness, noop_payload(), &opts);
        // Second run — should exec into the running container.
-        let r2 = sandbox::run(&harness, &noop_payload(), &opts);
+        let r2 = sandbox::run(&harness, noop_payload(), &opts);

        // Both should succeed (blocked, not escaped — dns_leak exits 1).
        // The important thing is neither panics or returns an unexpected error.
-        match r1 {
-            Err(SandboxError::BackendUnavailable(_)) => return,
-            _ => {}
+        if let Err(SandboxError::BackendUnavailable(_)) = r1 {
+            return;
        }
-        match r2 {
-            Err(SandboxError::BackendUnavailable(_)) => return,
-            _ => {}
+        if let Err(SandboxError::BackendUnavailable(_)) = r2 {
+            return;
        }

        // Verify the container is still running (not torn down between calls).
--- a/tests/ssti_corpus.rs
+++ b/tests/ssti_corpus.rs
@ -248,10 +248,18 @@ fn framework_adapters_detect_ssti_sink() {
        let mut parser = tree_sitter::Parser::new();
        parser.set_language(&ts_lang).unwrap();
        let tree = parser.parse(&bytes, None).unwrap();
+        // Each vuln fixture's `run` function takes `body` as its
+        // single param and pipes it into the SSTI engine.  Seed the
+        // summary with `body` at index 0 and mark that index as a
+        // tainted sink participant so the strengthened AST gate
+        // (added with the comment-substring FP fix) fires.
        let mut summary = FuncSummary {
            name: "run".into(),
            file_path: fixture.to_owned(),
            lang: slug(lang).into(),
+            param_count: 1,
+            param_names: vec!["body".into()],
+            tainted_sink_params: vec![0],
            ..Default::default()
        };
        // Seed the canonical sink callee per language so the
--- a/tests/xpath_corpus.rs
+++ b/tests/xpath_corpus.rs
@ -329,10 +329,18 @@ fn framework_adapters_detect_xpath_sink() {
        let mut parser = tree_sitter::Parser::new();
        parser.set_language(&ts_lang).unwrap();
        let tree = parser.parse(&bytes, None).unwrap();
+        // Each vuln fixture's `run` function takes `name` as its
+        // single param and concats it into the XPath expression.
+        // The strengthened adapters (one-hop local-assignment chase
+        // plus tainted-param participation) need the summary to
+        // mark index 0 as a tainted sink participant.
        let mut summary = FuncSummary {
            name: "run".into(),
            file_path: fixture.to_owned(),
            lang: slug(lang).into(),
+            param_count: 1,
+            param_names: vec!["name".into()],
+            tainted_sink_params: vec![0],
            ..Default::default()
        };
        summary