[pitboss] phase 10: Track J.8 + Track L.8 — PROTOTYPE_POLLUTION corpus + JS/TS prototype chain hook

tests/dynamic_fixtures/prototype_pollution/javascript/benign.js

@@ -0,0 +1,22 @@
+// Phase 10 (Track J.8) — JavaScript PROTOTYPE_POLLUTION benign
+// control fixture.
+//
+// The handler parses an attacker-controlled JSON string and walks
+// it into a target constructed via `Object.create(null)`.  Because
+// the target has no prototype chain, even a payload whose top-level
+// key is `__proto__` cannot reach `Object.prototype`.  The harness's
+// canary trap stays clear and no `PrototypePollution` probe is
+// emitted.
+const _ = require('lodash');
+
+function deepMerge(target, source) {
+  return _.merge(target, source);
+}
+
+function run(payload) {
+  const parsed = JSON.parse(payload);
+  const target = Object.create(null);
+  return deepMerge(target, parsed);
+}
+
+module.exports = { run };

tests/dynamic_fixtures/prototype_pollution/javascript/vuln.js

@@ -0,0 +1,20 @@
+// Phase 10 (Track J.8) — JavaScript PROTOTYPE_POLLUTION vuln fixture.
+//
+// The handler parses an attacker-controlled JSON string and passes
+// the parsed object into `lodash.merge` against a vanilla `{}`
+// target.  When the payload's top-level key is `__proto__`, the
+// merge walks the key into `Object.prototype` and the harness's
+// canary trap records a `ProbeKind::PrototypePollution` probe.
+const _ = require('lodash');
+
+function deepMerge(target, source) {
+  return _.merge(target, source);
+}
+
+function run(payload) {
+  const parsed = JSON.parse(payload);
+  const target = {};
+  return deepMerge(target, parsed);
+}
+
+module.exports = { run };

tests/dynamic_fixtures/prototype_pollution/typescript/benign.ts

@@ -0,0 +1,17 @@
+// Phase 10 (Track J.8) — TypeScript PROTOTYPE_POLLUTION benign
+// control fixture.
+//
+// Uses `Object.create(null)` as the merge target so even a payload
+// whose top-level key is `__proto__` cannot reach
+// `Object.prototype`.
+import * as _ from 'lodash';
+
+export function deepMerge(target: any, source: any): any {
+  return (_ as any).merge(target, source);
+}
+
+export function run(payload: string): any {
+  const parsed = JSON.parse(payload);
+  const target: any = Object.create(null);
+  return deepMerge(target, parsed);
+}

tests/dynamic_fixtures/prototype_pollution/typescript/vuln.ts

@@ -0,0 +1,16 @@
+// Phase 10 (Track J.8) — TypeScript PROTOTYPE_POLLUTION vuln fixture.
+//
+// Same shape as the JS sibling: parse the attacker-controlled JSON
+// string, deep-merge it into a vanilla `{}` target, get prototype
+// pollution when the payload carries a `__proto__` key.
+import * as _ from 'lodash';
+
+export function deepMerge(target: any, source: any): any {
+  return (_ as any).merge(target, source);
+}
+
+export function run(payload: string): any {
+  const parsed = JSON.parse(payload);
+  const target: any = {};
+  return deepMerge(target, parsed);
+}