[pitboss] phase 15: Track L.13 — Rails / Sinatra / Hanami adapters

pitboss 2026-05-18 14:37:05 -05:00
parent 3d3fdc21b7
commit b7973657cf
11 changed files with 1592 additions and 9 deletions


@ -0,0 +1,8 @@
source 'https://rubygems.org'
# Phase 15 fixture — Hanami Action shape. The adapter only inspects
# the class superclass / include list; the harness never actually
# boots `Hanami::Application`, so the gem is informational for
# cargo-side fixture pickup.
gem 'hanami'
gem 'hanami-controller'


@ -0,0 +1,19 @@
# Phase 15 — Hanami Action.call, benign.
# Validates payload before running the fixed echo.
# nyx-shape: hanami
# nyx-route: GET /run
require 'hanami/action'
class RunAction < Hanami::Action
def call(req)
payload = req && req.is_a?(Hash) ? (req['nyx.payload'] || '') : (ENV['NYX_PAYLOAD'] || '')
unless payload =~ /\A[A-Za-z0-9]{1,32}\z/
STDOUT.print("invalid\n")
return "invalid"
end
out = `echo hello`
STDOUT.print(out)
out
end
end
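Review bot: The allowlist check on `payload` in `call` guards nothing, because the command that runs is the constant `echo hello` and the validated value never reaches the backticks. A scanner can therefore pass this fixture just by seeing that no request data flows into the shell, without recognising the `\A[A-Za-z0-9]{1,32}\z` check as a sanitizer. If the benign case is meant to show that validated input is accepted, interpolate the checked value into the echo command; otherwise reword the header to `# Fixed command; payload is validated but never reaches the shell.` so the fixture's intent is unambiguous. As a style point, the `req &&` in front of `req.is_a?(Hash)` is redundant, since `nil.is_a?(Hash)` is already false.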


@ -0,0 +1,17 @@
# Phase 15 — Hanami Action.call, vulnerable.
# Class includes Hanami::Action and exposes a `call` method that pipes
# the request body into /bin/sh.
# nyx-shape: hanami
# nyx-route: GET /run
require 'hanami/action'
class RunAction < Hanami::Action
def call(req)
STDOUT.print("__NYX_SINK_HIT__\n")
payload = req && req.is_a?(Hash) ? (req['nyx.payload'] || '') : (ENV['NYX_PAYLOAD'] || '')
out = `echo hello #{payload}`
STDOUT.print(out)
out
end
end
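Review bot: The `__NYX_SINK_HIT__` marker in `call` is printed before the payload is read and before the backtick command runs, so it only shows that the action was invoked, not that request data reached the shell. If the harness treats the marker as proof of a sink hit (an assumption, the harness is not visible in this section), printing it after the command would be a tighter signal. The header comment also disagrees with the code, which subclasses `Hanami::Action` rather than including it and interpolates `req['nyx.payload']` or `ENV['NYX_PAYLOAD']` into a backtick command rather than piping a request body; a matching header would be `# Subclasses Hanami::Action; call interpolates nyx.payload into a shell command run via backticks.` Finally, Hanami 2.x actions normally define `handle(request, response)` while 1.x actions `include Hanami::Action` and define `call(params)`, so this subclass-plus-`call` hybrid may not exercise either real shape; one fixture per shape would make the adapter's coverage clearer.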