Python fp and docs updates (#58)

* refactor: Update comments for clarity and add expectations.json files for performance metrics

* feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks

* feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks

* refactor: Simplify code formatting for better readability in multiple files

* refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration

* feat: Update Java and Python patterns to include new security rules

* refactor: Improve comment clarity and consistency across multiple Rust files

* refactor: Simplify code formatting for improved readability in integration tests and module files

* refactor: Improve comment formatting and enhance clarity in assertions across multiple files
Eli Peter 2026-04-29 19:53:34 -04:00 committed by GitHub
parent 4db0805de6
commit a438886217
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
291 changed files with 9485 additions and 3851 deletions

@ -1,6 +1,6 @@
{
"description": "fetch({url: taintedUrl, body: fixed}) — destination-aware object-literal case. url is tainted, must fire.",
"tags": ["taint", "ssrf", "fetch", "destination-aware", "object-config"],
"description": "fetch({url: taintedUrl, body: fixed}) — destination-aware object-literal case. url is tainted (SSRF), body is fixed. SSRF must fire and the cross-boundary data-exfiltration class (Cap::DATA_EXFIL) must NOT fire — the two classes share the callee but cap attribution is per-position.",
"tags": ["taint", "ssrf", "fetch", "destination-aware", "object-config", "cap-attribution"],
"modes": ["full"],
"expected": [
{
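Review bot: the rewritten description now carries both halves of the expectation (SSRF must fire, `Cap::DATA_EXFIL` must not), but the `tags` list only gained `cap-attribution` and still lacks `data-exfil`, so a tag filter for the data-exfiltration class would select only the positive fixture and miss this negative counterpart. Consider adding `"data-exfil"` here so both sides of the per-position attribution pair run together.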
@ -10,6 +10,12 @@
"line_range": [6, 14],
"evidence_contains": [],
"notes": "req.query.target → fetch({url: target, ...}) — tainted destination field under object-literal shape."
},
{
"rule_id": "taint-data-exfiltration",
"must_not_match": true,
"line_range": [6, 14],
"notes": "body is a fixed literal '{}' — DATA_EXFIL must NOT fire on this site (regression guard for per-cap attribution)."
}
]
}
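Review bot: the new `must_not_match` entry for `taint-data-exfiltration` is scoped to `"line_range": [6, 14]`, so a DATA_EXFIL finding attributed to any other line of the fixture (for example if a multi-line call is reported at its closing line) would not be caught by this guard. If the intent is that the rule never fires on this file, consider dropping `line_range` on the negative expectation or widening it to the whole file; if the range is deliberate, the note should say so.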

@ -1,6 +1,6 @@
{
"description": "fetch() request body carries attacker-controlled content but the destination URL is fixed. Under the destination-aware SSRF gate, only taint reaching the URL (arg 0 / object `url` field) activates — body taint must be silenced.",
"tags": ["taint", "ssrf", "fetch", "destination-aware", "regression-fp"],
"description": "fetch() with a fixed destination URL and an attacker-controlled body. SSRF must NOT fire (destination is not attacker-influenced) and the cross-boundary data-exfiltration class (Cap::DATA_EXFIL) MUST fire on the body field.",
"tags": ["taint", "data-exfil", "fetch", "destination-aware", "cap-attribution"],
"modes": ["full"],
"expected": [
{
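Review bot: the tag change drops `"regression-fp"` even though the fixture still carries the `must_not_match` expectation for SSRF on a fixed destination (the false-positive guard that tag described). Keep `"regression-fp"` alongside the new `"data-exfil"` and `"cap-attribution"` tags so the FP regression suite still selects this file.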
@ -8,6 +8,12 @@
"must_not_match": true,
"line_range": [7, 14],
"notes": "fetch('/api/telemetry', {body: payload}) — arg 0 is a fixed string, body taint must not fire as SSRF."
},
{
"rule_id": "taint-data-exfiltration",
"must_match": true,
"line_range": [7, 14],
"notes": "Body field carries req.body.message → must fire DATA_EXFIL (sensitive data leaving the process via outbound request payload)."
}
]
}
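Review bot: the new `must_match` entry for `taint-data-exfiltration` has no `evidence_contains` constraint, so it passes as long as any DATA_EXFIL finding lands in lines 7-14, without checking that the finding attributes the taint to the body field rather than to the call as a whole. Since per-position cap attribution is the point of this change, consider adding an `evidence_contains` value naming the body field or `req.body.message` (the notes already cite it) so the expectation pins the attribution and not just the rule id.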