apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-27 20:29:39 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] phase 15: Track B — Go + PHP + Ruby harness emitter shapes

Browse source
This commit is contained in:
pitboss 2026-05-14 17:45:42 -05:00
parent 919bc4e7e2
commit a9b61a9126
39 changed files with 2142 additions and 186 deletions
Download patch file Download diff file Expand all files Collapse all files

11
tests/dynamic_fixtures/php/cli_script/benign.php Normal file
View file

@ -0,0 +1,11 @@
<?php
// Phase 15 — CLI script with $argv, benign.
// Validates $argv[1] then runs a fixed echo.
$payload = $argv[1] ?? '';
if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $payload)) {
echo "invalid\n";
exit(0);
}
$out = shell_exec("echo hello");
echo $out;

6
tests/dynamic_fixtures/php/cli_script/composer.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "nyx/cli-script-fixture",
"require": {
"php": ">=8.0"
}
}

9
tests/dynamic_fixtures/php/cli_script/vuln.php Normal file
View file

@ -0,0 +1,9 @@
<?php
// Phase 15 — CLI script with $argv, vulnerable.
// Top-level body reads $argv[1] and pipes to /bin/sh -c.
echo "__NYX_SINK_HIT__\n";
$payload = $argv[1] ?? '';
$out = shell_exec("echo hello " . $payload);
echo $out;

17
tests/dynamic_fixtures/php/route_closure/benign.php Normal file
View file

@ -0,0 +1,17 @@
<?php
// Phase 15 — Slim/Laravel-style route closure, benign.
// Validates payload before invoking sink.
$GLOBALS['__nyx_route'] = function ($payload) {
if (!preg_match('/^[A-Za-z0-9]{1,32}$/', (string)$payload)) {
echo "invalid\n";
return "invalid";
}
$out = shell_exec("echo hello");
echo $out;
return $out;
};
if (false) {
$app->get('/run', $GLOBALS['__nyx_route']);
}

6
tests/dynamic_fixtures/php/route_closure/composer.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "nyx/route-closure-fixture",
"require": {
"php": ">=8.0"
}
}

17
tests/dynamic_fixtures/php/route_closure/vuln.php Normal file
View file

@ -0,0 +1,17 @@
<?php
// Phase 15 — Slim/Laravel-style route closure, vulnerable.
// Reads payload and pipes to /bin/sh -c.
// Entry: route closure Cap: CODE_EXEC
echo "__NYX_SINK_HIT__\n";
$GLOBALS['__nyx_route'] = function ($payload) {
$out = shell_exec("echo hello " . $payload);
echo $out;
return $out;
};
// Slim-shape marker so PhpShape::detect picks RouteClosure.
if (false) {
$app->get('/run', $GLOBALS['__nyx_route']);
}

11
tests/dynamic_fixtures/php/top_level_script/benign.php Normal file
View file

@ -0,0 +1,11 @@
<?php
// Phase 15 — top-level script (no function entry), benign.
// Validates payload before invoking sink.
$payload = getenv('NYX_PAYLOAD') ?: '';
if (!preg_match('/^[A-Za-z0-9]{1,32}$/', $payload)) {
echo "invalid\n";
exit(0);
}
$out = shell_exec("echo hello");
echo $out;

6
tests/dynamic_fixtures/php/top_level_script/composer.json Normal file
View file

@ -0,0 +1,6 @@
{
"name": "nyx/top-level-script-fixture",
"require": {
"php": ">=8.0"
}
}

9
tests/dynamic_fixtures/php/top_level_script/vuln.php Normal file
View file

@ -0,0 +1,9 @@
<?php
// Phase 15 — top-level script (no function entry), vulnerable.
// Body reads NYX_PAYLOAD env var directly and pipes to /bin/sh -c.
echo "__NYX_SINK_HIT__\n";
$payload = getenv('NYX_PAYLOAD') ?: '';
$out = shell_exec("echo hello " . $payload);
echo $out;