[pitboss] phase 19: Track M.1 — ClassMethod end-to-end (all langs)

tests/dynamic_fixtures/class_method/python/benign.py

@@ -0,0 +1,20 @@
+"""Phase 19 (Track M.1) — class-method benign control for Python.
+
+Same surface as `vuln.py` but uses parameterised SQL so user input
+never concatenates into the query string.
+"""
+import sqlite3
+
+
+class UserRepository:
+    def __init__(self):
+        self._db = sqlite3.connect(":memory:")
+        self._db.executescript(
+            "CREATE TABLE users (id INTEGER, name TEXT); "
+            "INSERT INTO users VALUES (1, 'alice');"
+        )
+
+    def find_by_name(self, name):
+        cur = self._db.cursor()
+        cur.execute("SELECT id FROM users WHERE name = ?", (name,))
+        return cur.fetchall()

tests/dynamic_fixtures/class_method/python/vuln.py

@@ -0,0 +1,24 @@
+"""Phase 19 (Track M.1) — class-method vuln fixture for Python.
+
+`UserRepository.find_by_name` accepts user input and builds a raw SQL
+query, classic concatenation-driven SQL injection.  The class has a
+zero-arg constructor so the harness builds the receiver without
+needing a stubbed dependency.
+"""
+import sqlite3
+
+
+class UserRepository:
+    def __init__(self):
+        self._db = sqlite3.connect(":memory:")
+        self._db.executescript(
+            "CREATE TABLE users (id INTEGER, name TEXT); "
+            "INSERT INTO users VALUES (1, 'alice');"
+        )
+
+    def find_by_name(self, name):
+        cur = self._db.cursor()
+        # SINK: user input concatenated into the query
+        sql = "SELECT id FROM users WHERE name = '" + name + "'"
+        cur.execute(sql)
+        return cur.fetchall()