[pitboss/grind] deferred session-0007 (20260522T163126Z-7d60)

2026-06-12 19:55:14 +02:00 · 2026-05-22 14:12:30 -05:00 · 2026-05-22 14:12:30 -05:00 · 9e6b01cd32
commit 9e6b01cd32
parent 77d671060a
3 changed files with 528 additions and 4 deletions
--- a/tests/data_exfil_corpus.rs
+++ b/tests/data_exfil_corpus.rs
@ -147,7 +147,8 @@ mod e2e_data_exfil {
            .join(match lang {
                Lang::Python => "python",
                Lang::Ruby => "ruby",
-                _ => unreachable!("DATA_EXFIL e2e currently covers Python + Ruby"),
+                Lang::JavaScript => "js",
+                _ => unreachable!("DATA_EXFIL e2e currently covers Python + Ruby + JavaScript"),
            })
            .join(fixture);
        let tmp = TempDir::new().expect("create tempdir");
@ -189,7 +190,8 @@ mod e2e_data_exfil {
        let required = match lang {
            Lang::Python => "python3",
            Lang::Ruby => "ruby",
-            _ => unreachable!("DATA_EXFIL e2e currently covers Python + Ruby"),
+            Lang::JavaScript => "node",
+            _ => unreachable!("DATA_EXFIL e2e currently covers Python + Ruby + JavaScript"),
        };
        if !command_available(required) {
            eprintln!("SKIP {lang:?} {fixture}: missing toolchain {required}");
@ -288,4 +290,37 @@ mod e2e_data_exfil {
            "Ruby DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
        );
    }
+
+    /// JavaScript pair, same shape as Python + Ruby: the vuln fixture's
+    /// `http.request({ host, ... })` hits the harness's `http.request`
+    /// shim and the captured `host` flips `OutboundHostNotIn` for the
+    /// attacker payload.  The benign fixture's `ALLOWLIST.has(host)`
+    /// guard short-circuits before the request call for non-loopback
+    /// hosts so no probe fires.  Skips when `node` is not on PATH.
+    #[test]
+    fn javascript_vuln_confirms_via_run_spec() {
+        let Some(outcome) = run(Lang::JavaScript, "vuln.js", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_some(),
+            "JavaScript DATA_EXFIL vuln must confirm via run_spec; got {outcome:?}",
+        );
+        let diff = outcome
+            .differential
+            .as_ref()
+            .expect("confirmed run must carry a DifferentialOutcome");
+        assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
+    }
+
+    #[test]
+    fn javascript_benign_does_not_confirm_via_run_spec() {
+        let Some(outcome) = run(Lang::JavaScript, "benign.js", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_none(),
+            "JavaScript DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
+        );
+    }
 }
--- a/tests/unauthorized_id_corpus.rs
+++ b/tests/unauthorized_id_corpus.rs
@ -138,7 +138,8 @@ mod e2e_unauthorized_id {
            .join(match lang {
                Lang::Python => "python",
                Lang::Ruby => "ruby",
-                _ => unreachable!("UNAUTHORIZED_ID e2e currently covers Python + Ruby"),
+                Lang::JavaScript => "js",
+                _ => unreachable!("UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript"),
            })
            .join(fixture);
        let tmp = TempDir::new().expect("create tempdir");
@ -180,7 +181,8 @@ mod e2e_unauthorized_id {
        let required = match lang {
            Lang::Python => "python3",
            Lang::Ruby => "ruby",
-            _ => unreachable!("UNAUTHORIZED_ID e2e currently covers Python + Ruby"),
+            Lang::JavaScript => "node",
+            _ => unreachable!("UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript"),
        };
        if !command_available(required) {
            eprintln!("SKIP {lang:?} {fixture}: missing toolchain {required}");
@ -278,4 +280,35 @@ mod e2e_unauthorized_id {
            "Ruby UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
        );
    }
+
+    /// JavaScript pair, same shape as Python + Ruby: the vuln fixture
+    /// returns `STORE[ownerId]` for any owner_id, the benign fixture
+    /// returns `null` when `ownerId !== CALLER_ID`.  Skips when `node`
+    /// is not on PATH.
+    #[test]
+    fn javascript_vuln_confirms_via_run_spec() {
+        let Some(outcome) = run(Lang::JavaScript, "vuln.js", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_some(),
+            "JavaScript UNAUTHORIZED_ID vuln must confirm via run_spec; got {outcome:?}",
+        );
+        let diff = outcome
+            .differential
+            .as_ref()
+            .expect("confirmed run must carry a DifferentialOutcome");
+        assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
+    }
+
+    #[test]
+    fn javascript_benign_does_not_confirm_via_run_spec() {
+        let Some(outcome) = run(Lang::JavaScript, "benign.js", "run") else {
+            return;
+        };
+        assert!(
+            outcome.triggered_by.is_none(),
+            "JavaScript UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
+        );
+    }
 }