[pitboss] phase 19: Track M.1 — ClassMethod end-to-end (all langs)

tests/dynamic_fixtures/class_method/c/benign.c

@@ -0,0 +1,16 @@
+/* Phase 19 (Track M.1) — class-method benign control for C. */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+void UserService_run(const char *input, size_t len) {
+    (void)len;
+    /* Uses execve via fork; the shell never sees `input`. */
+    pid_t pid = fork();
+    if (pid == 0) {
+        char *argv[] = { (char*)"/bin/echo", (char*)(input ? input : ""), NULL };
+        execv("/bin/echo", argv);
+        _exit(127);
+    }
+}

tests/dynamic_fixtures/class_method/c/vuln.c

@@ -0,0 +1,16 @@
+/* Phase 19 (Track M.1) — class-method vuln fixture for C.
+ *
+ * C has no class system; the harness calls a free function whose name
+ * follows the `<Class>_<method>` convention (`UserService_run`). The
+ * function piping `input` straight into `system(3)` is the SINK. */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+void UserService_run(const char *input, size_t len) {
+    (void)len;
+    char buf[512];
+    snprintf(buf, sizeof(buf), "echo %s", input ? input : "");
+    /* SINK: tainted input → system(3) */
+    system(buf);
+}

tests/dynamic_fixtures/class_method/cpp/benign.cpp

@@ -0,0 +1,19 @@
+// Phase 19 (Track M.1) — class-method benign control for C++.
+#include <unistd.h>
+#include <sys/wait.h>
+#include <string>
+
+class UserService {
+public:
+    UserService() = default;
+    void run(const std::string& input) {
+        pid_t pid = fork();
+        if (pid == 0) {
+            const char* argv[] = { "/bin/echo", input.c_str(), nullptr };
+            execv("/bin/echo", const_cast<char* const*>(argv));
+            _exit(127);
+        }
+        int status = 0;
+        waitpid(pid, &status, 0);
+    }
+};

tests/dynamic_fixtures/class_method/cpp/vuln.cpp

@@ -0,0 +1,17 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for C++.
+//
+// UserService::run pipes user input into `system(3)`.  Default
+// constructor exists; the harness can build the receiver with
+// `UserService instance;`.
+#include <cstdlib>
+#include <string>
+
+class UserService {
+public:
+    UserService() = default;
+    void run(const std::string& input) {
+        std::string cmd = std::string("echo ") + input;
+        // SINK: tainted input → system(3)
+        std::system(cmd.c_str());
+    }
+};

tests/dynamic_fixtures/class_method/go/benign.go

@@ -0,0 +1,15 @@
+// Phase 19 (Track M.1) — class-method benign control for Go.
+package entry
+
+import "os/exec"
+
+type UserService struct{}
+
+func (UserService) Run(input string) string {
+	out, _ := exec.Command("/bin/echo", input).Output()
+	return string(out)
+}
+
+var NyxReceivers = map[string]interface{}{
+	"UserService": UserService{},
+}

tests/dynamic_fixtures/class_method/go/vuln.go

@@ -0,0 +1,21 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for Go.
+//
+// UserService.Run accepts user input and passes it to `sh -c` so the
+// shell interprets it.  The fixture publishes its instance through the
+// well-known `NyxReceivers` registry the harness uses to construct
+// receivers reflectively.
+package entry
+
+import "os/exec"
+
+type UserService struct{}
+
+func (UserService) Run(input string) string {
+	// SINK: tainted input → shell -c
+	out, _ := exec.Command("sh", "-c", "echo "+input).Output()
+	return string(out)
+}
+
+var NyxReceivers = map[string]interface{}{
+	"UserService": UserService{},
+}

tests/dynamic_fixtures/class_method/java/Benign.java

@@ -0,0 +1,20 @@
+// Phase 19 (Track M.1) — class-method benign control for Java.
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.PreparedStatement;
+import java.sql.SQLException;
+
+public class Benign {
+    public static class UserRepository {
+        public UserRepository() {}
+
+        public void findByName(String name) throws SQLException {
+            Connection c = DriverManager.getConnection("jdbc:sqlite::memory:");
+            PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?");
+            ps.setString(1, name);
+            ps.execute();
+            ps.close();
+            c.close();
+        }
+    }
+}

tests/dynamic_fixtures/class_method/java/Vuln.java

@@ -0,0 +1,25 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for Java.
+//
+// UserRepository.findByName concatenates user input into a JDBC SQL
+// statement.  Default constructor exists so the harness can build the
+// receiver without stubbing dependencies.
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.Statement;
+import java.sql.SQLException;
+
+public class Vuln {
+    public static class UserRepository {
+        public UserRepository() {}
+
+        public void findByName(String name) throws SQLException {
+            Connection c = DriverManager.getConnection("jdbc:sqlite::memory:");
+            Statement s = c.createStatement();
+            // SINK: tainted concat into SQL
+            String sql = "SELECT id FROM users WHERE name = '" + name + "'";
+            s.execute(sql);
+            s.close();
+            c.close();
+        }
+    }
+}

tests/dynamic_fixtures/class_method/javascript/benign.js

@@ -0,0 +1,15 @@
+// Phase 19 (Track M.1) — class-method benign control for JavaScript.
+//
+// UserService.run routes the input through execFileSync with argv form so
+// the shell never interprets the string.
+'use strict';
+const { execFileSync } = require('child_process');
+
+class UserService {
+    constructor() {}
+    run(input) {
+        return execFileSync('/bin/echo', [input]).toString();
+    }
+}
+
+module.exports = { UserService };

tests/dynamic_fixtures/class_method/javascript/vuln.js

@@ -0,0 +1,16 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for JavaScript.
+//
+// UserService.run forwards a tainted string straight into child_process.exec,
+// classic OS command injection.  Default ctor — no stubbed deps needed.
+'use strict';
+const { execSync } = require('child_process');
+
+class UserService {
+    constructor() {}
+    run(input) {
+        // SINK: untrusted input → shell
+        return execSync('echo ' + input).toString();
+    }
+}
+
+module.exports = { UserService };

tests/dynamic_fixtures/class_method/php/benign.php

@@ -0,0 +1,10 @@
+<?php
+// Phase 19 (Track M.1) — class-method benign control for PHP.
+
+class UserService {
+    public function __construct() {}
+
+    public function run($input) {
+        return shell_exec('echo ' . escapeshellarg($input));
+    }
+}

tests/dynamic_fixtures/class_method/php/vuln.php

@@ -0,0 +1,14 @@
+<?php
+// Phase 19 (Track M.1) — class-method vuln fixture for PHP.
+//
+// UserService::run concatenates user input into a shell command;
+// default ctor, no stubbed deps needed.
+
+class UserService {
+    public function __construct() {}
+
+    public function run($input) {
+        // SINK: tainted input → shell.
+        return shell_exec('echo ' . $input);
+    }
+}

tests/dynamic_fixtures/class_method/python/benign.py

@@ -0,0 +1,20 @@
+"""Phase 19 (Track M.1) — class-method benign control for Python.
+
+Same surface as `vuln.py` but uses parameterised SQL so user input
+never concatenates into the query string.
+"""
+import sqlite3
+
+
+class UserRepository:
+    def __init__(self):
+        self._db = sqlite3.connect(":memory:")
+        self._db.executescript(
+            "CREATE TABLE users (id INTEGER, name TEXT); "
+            "INSERT INTO users VALUES (1, 'alice');"
+        )
+
+    def find_by_name(self, name):
+        cur = self._db.cursor()
+        cur.execute("SELECT id FROM users WHERE name = ?", (name,))
+        return cur.fetchall()

tests/dynamic_fixtures/class_method/python/vuln.py

@@ -0,0 +1,24 @@
+"""Phase 19 (Track M.1) — class-method vuln fixture for Python.
+
+`UserRepository.find_by_name` accepts user input and builds a raw SQL
+query, classic concatenation-driven SQL injection.  The class has a
+zero-arg constructor so the harness builds the receiver without
+needing a stubbed dependency.
+"""
+import sqlite3
+
+
+class UserRepository:
+    def __init__(self):
+        self._db = sqlite3.connect(":memory:")
+        self._db.executescript(
+            "CREATE TABLE users (id INTEGER, name TEXT); "
+            "INSERT INTO users VALUES (1, 'alice');"
+        )
+
+    def find_by_name(self, name):
+        cur = self._db.cursor()
+        # SINK: user input concatenated into the query
+        sql = "SELECT id FROM users WHERE name = '" + name + "'"
+        cur.execute(sql)
+        return cur.fetchall()

tests/dynamic_fixtures/class_method/python_with_deps/vuln.py

@@ -0,0 +1,29 @@
+"""Phase 19 (Track M.1) — class-method vuln with constructor deps.
+
+`UserController.__init__` takes an HTTP client + a database connection
+(controller → service → repository shape).  The Phase 19 harness's
+`_nyx_build_receiver` walks the ctor formals, stubs each with the
+matching `Mock*` test double from `src/dynamic/stubs/mocks.rs`, and
+invokes the sink method.
+"""
+import sqlite3
+
+
+class UserController:
+    def __init__(self, http_client, db_connection):
+        # Phase 19 harness wires MockHttpClient + MockDatabaseConnection
+        # through these two formals so the ctor returns without I/O.
+        self._http = http_client
+        self._db = db_connection or sqlite3.connect(":memory:")
+
+    def search(self, query):
+        cur = self._db.cursor() if hasattr(self._db, "cursor") else None
+        if cur is None:
+            return None
+        # SINK: concatenated SQL
+        sql = "SELECT 1 FROM dual WHERE x = '" + query + "'"
+        try:
+            cur.execute(sql)
+        except Exception:
+            pass
+        return None

tests/dynamic_fixtures/class_method/ruby/benign.rb

@@ -0,0 +1,11 @@
+# Phase 19 (Track M.1) — class-method benign control for Ruby.
+require 'shellwords'
+
+class UserService
+  def initialize
+  end
+
+  def run(input)
+    `echo #{Shellwords.escape(input)}`
+  end
+end

tests/dynamic_fixtures/class_method/ruby/vuln.rb

@@ -0,0 +1,13 @@
+# Phase 19 (Track M.1) — class-method vuln fixture for Ruby.
+#
+# UserService#run pipes user input into a shell, classic OS command
+# injection.  Default `.new` ctor — no mock deps needed.
+class UserService
+  def initialize
+  end
+
+  def run(input)
+    # SINK: tainted input → shell
+    `echo #{input}`
+  end
+end

tests/dynamic_fixtures/class_method/rust/benign.rs

@@ -0,0 +1,14 @@
+// Phase 19 (Track M.1) — class-method benign control for Rust.
+
+#[derive(Default)]
+pub struct UserService;
+
+impl UserService {
+    pub fn run(&self, input: &str) -> String {
+        let out = std::process::Command::new("/bin/echo")
+            .arg(input)
+            .output()
+            .expect("exec");
+        String::from_utf8_lossy(&out.stdout).into_owned()
+    }
+}

tests/dynamic_fixtures/class_method/rust/vuln.rs

@@ -0,0 +1,21 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for Rust.
+//
+// `UserService::run` shells out with a concatenated `sh -c <input>`,
+// classic OS command injection.  Derives Default so the harness can
+// build the receiver without manual stubbing.
+
+#[derive(Default)]
+pub struct UserService;
+
+impl UserService {
+    pub fn run(&self, input: &str) -> String {
+        // SINK: tainted input → shell -c
+        let cmd = format!("echo {}", input);
+        let out = std::process::Command::new("sh")
+            .arg("-c")
+            .arg(&cmd)
+            .output()
+            .expect("exec");
+        String::from_utf8_lossy(&out.stdout).into_owned()
+    }
+}

tests/dynamic_fixtures/class_method/typescript/benign.ts

@@ -0,0 +1,9 @@
+// Phase 19 (Track M.1) — class-method benign control for TypeScript.
+import { execFileSync } from 'child_process';
+
+export class UserService {
+    constructor() {}
+    run(input: string): string {
+        return execFileSync('/bin/echo', [input]).toString();
+    }
+}

tests/dynamic_fixtures/class_method/typescript/vuln.ts

@@ -0,0 +1,12 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for TypeScript.
+//
+// UserService.run forwards user input directly to a shell.  Default ctor.
+import { execSync } from 'child_process';
+
+export class UserService {
+    constructor() {}
+    run(input: string): string {
+        // SINK: untrusted input flows into the shell
+        return execSync('echo ' + input).toString();
+    }
+}