[pitboss] phase 03: Track J.1 + Track L.1 — DESERIALIZE corpus + Java/Python/PHP/Ruby adapters

tests/dynamic_fixtures/deserialize/php/benign.php

@@ -0,0 +1,8 @@
+<?php
+// Phase 03 (Track J.1) — PHP deserialize benign fixture.
+//
+// Passes `allowed_classes => false` so every object becomes a
+// `__PHP_Incomplete_Class` instead of materialising the gadget.
+function run(string $blob) {
+    return unserialize($blob, ['allowed_classes' => false]);
+}

tests/dynamic_fixtures/deserialize/php/vuln.php

@@ -0,0 +1,9 @@
+<?php
+// Phase 03 (Track J.1) — PHP deserialize vuln fixture.
+//
+// `unserialize` without `allowed_classes` will materialise any
+// `O:N:"ClassName":` blob the attacker sends, triggering `__wakeup`
+// / `__destruct` chains.
+function run(string $blob) {
+    return unserialize($blob);
+}