apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss/grind] deferred session-0002 (20260521T201327Z-3848)

Browse source
This commit is contained in:
pitboss 2026-05-21 15:48:29 -05:00
parent 159a779f31
commit d99361cff6
18 changed files with 499 additions and 144 deletions
Download patch file Download diff file Expand all files Collapse all files

6
frontend/src/api/mutations/scans.ts
View file

@ -4,6 +4,8 @@ import type { ScanView } from '../types';
export type ScanMode = 'full' | 'ast' | 'cfg' | 'taint';
export type EngineProfile = 'fast' | 'balanced' | 'deep';
export type VerifyBackend = 'auto' | 'docker' | 'process' | 'firecracker';
export type HardenProfile = 'standard' | 'strict';
export interface StartScanBody {
scan_root?: string;
@ -18,6 +20,10 @@ export interface StartScanBody {
verify?: boolean;
/** Also verify Confidence < Medium findings. Default false. */
verify_all_confidence?: boolean;
/** Sandbox backend for dynamic verification. */
verify_backend?: VerifyBackend;
/** Process-backend hardening profile. */
harden_profile?: HardenProfile;
}
export function useStartScan() {

1
frontend/src/api/queries/findings.ts
View file

@ -11,6 +11,7 @@ export interface FindingsParams {
language?: string;
rule_id?: string;
status?: string;
verification?: string;
search?: string;
sort_by?: string;
sort_dir?: string;

4
frontend/src/api/types.ts
View file

@ -22,7 +22,7 @@ export interface VerifyResult {
/** Typed InconclusiveReason (PascalCase string) */
inconclusive_reason?: string;
detail?: string;
attempts: AttemptSummary[];
attempts?: AttemptSummary[];
toolchain_match?: string;
}
@ -134,6 +134,7 @@ export interface FindingView {
triage_note?: string;
code_context?: CodeContextView;
evidence?: Evidence;
dynamic_verdict?: VerifyResult;
guard_kind?: string;
rank_reason?: [string, string][];
sanitizer_status?: string;
@ -155,6 +156,7 @@ export interface FilterValues {
languages: string[];
rules: string[];
statuses: string[];
verification_statuses: string[];
}
// Scan types

4
frontend/src/components/VerdictBadge.tsx
View file

@ -16,8 +16,8 @@ function verdictTooltip(verdict: VerifyResult): string {
? `Confirmed via payload: ${triggered_payload}`
: 'Dynamically confirmed exploitable';
case 'NotConfirmed':
return verdict.attempts.length > 0
? `Not confirmed after ${verdict.attempts.length} payload attempt(s)`
return (verdict.attempts?.length ?? 0) > 0
? `Not confirmed after ${verdict.attempts?.length ?? 0} payload attempt(s)`
: 'Not confirmed';
case 'Unsupported':
return reason ? `Unsupported: ${reason}` : 'Dynamic verification not supported';

3
frontend/src/hooks/useFindingsURLState.ts
View file

@ -13,6 +13,7 @@ export interface FindingsURLState {
language: string;
rule_id: string;
status: string;
verification: string;
search: string;
}
@ -27,6 +28,7 @@ const FINDINGS_DEFAULTS: FindingsURLState = {
language: '',
rule_id: '',
status: '',
verification: '',
search: '',
};
@ -52,6 +54,7 @@ const FILTER_KEYS: ReadonlySet<string> = new Set([
'language',
'rule_id',
'status',
'verification',
'search',
]);

53
frontend/src/modals/NewScanModal.tsx
View file

@ -8,6 +8,8 @@ import {
useStartScan,
type ScanMode,
type EngineProfile,
type VerifyBackend,
type HardenProfile,
type StartScanBody,
} from '../api/mutations/scans';
@ -29,6 +31,18 @@ const PROFILE_HINTS: Record<EngineProfile, string> = {
deep: 'Adds symex (cross-file + interproc) and demand-driven backwards taint. About 2 to 3x slower.',
};
const BACKEND_HINTS: Record<VerifyBackend, string> = {
auto: 'Use Docker when it fits, otherwise fall back to process.',
docker: 'Require Docker-backed harness execution.',
process: 'Unsafe local process backend for quick test runs.',
firecracker: 'Use the Firecracker backend when available.',
};
const HARDEN_HINTS: Record<HardenProfile, string> = {
standard: 'Baseline process limits.',
strict: 'Stricter process confinement when supported.',
};
export function NewScanModal({ open, onClose }: NewScanModalProps) {
const { data: health } = useHealth();
const startScan = useStartScan();
@ -39,6 +53,8 @@ export function NewScanModal({ open, onClose }: NewScanModalProps) {
const [mode, setMode] = useState<ScanMode>('full');
const [engineProfile, setEngineProfile] = useState<EngineProfile>('balanced');
const [noVerify, setNoVerify] = useState(false);
const [verifyBackend, setVerifyBackend] = useState<VerifyBackend>('auto');
const [hardenProfile, setHardenProfile] = useState<HardenProfile>('standard');
const handleStart = async () => {
const root = scanRoot.trim();
@ -46,7 +62,12 @@ export function NewScanModal({ open, onClose }: NewScanModalProps) {
if (root && root !== defaultRoot) body.scan_root = root;
if (mode !== 'full') body.mode = mode;
body.engine_profile = engineProfile;
if (noVerify) body.verify = false;
if (noVerify) {
body.verify = false;
} else {
body.verify_backend = verifyBackend;
body.harden_profile = hardenProfile;
}
const payload = Object.keys(body).length ? body : undefined;
try {
await startScan.mutateAsync(payload);
@ -125,6 +146,36 @@ export function NewScanModal({ open, onClose }: NewScanModalProps) {
findings. Check to skip and get a fast static-only result.
</span>
</div>
<div className="form-group">
<label>Verification Backend</label>
<select
value={verifyBackend}
disabled={noVerify}
onChange={(e) =>
setVerifyBackend(e.target.value as VerifyBackend)
}
>
<option value="auto">Auto</option>
<option value="docker">Docker</option>
<option value="process">Process (unsafe)</option>
<option value="firecracker">Firecracker</option>
</select>
<span className="form-hint">{BACKEND_HINTS[verifyBackend]}</span>
</div>
<div className="form-group">
<label>Process Hardening</label>
<select
value={hardenProfile}
disabled={noVerify || verifyBackend !== 'process'}
onChange={(e) =>
setHardenProfile(e.target.value as HardenProfile)
}
>
<option value="standard">Standard</option>
<option value="strict">Strict</option>
</select>
<span className="form-hint">{HARDEN_HINTS[hardenProfile]}</span>
</div>
<div className="scan-modal-actions">
<button className="btn btn-sm" onClick={onClose}>
Cancel

22
frontend/src/pages/FindingDetailPage.tsx
View file

@ -707,16 +707,21 @@ function HowToFix({ finding }: { finding: FindingView }) {
export function DynamicVerdictSection({ verdict }: { verdict: VerifyResult }) {
const [copied, setCopied] = useState(false);
const attempts = verdict.attempts ?? [];
// The repro bundle is keyed by spec_hash (not finding_id) inside the Nyx
// cache. Rather than showing a path that may not match, surface the CLI
// command that locates and opens the bundle regardless of the hash.
const reproCmd = `nyx repro --finding ${verdict.finding_id}`;
const copyCmd = () => {
navigator.clipboard.writeText(reproCmd).then(() => {
setCopied(true);
setTimeout(() => setCopied(false), 2000);
});
if (!navigator.clipboard) return;
navigator.clipboard.writeText(reproCmd).then(
() => {
setCopied(true);
setTimeout(() => setCopied(false), 2000);
},
() => {},
);
};
return (
@ -767,11 +772,11 @@ export function DynamicVerdictSection({ verdict }: { verdict: VerifyResult }) {
</div>
)}
{verdict.attempts.length > 0 && (
{attempts.length > 0 && (
<div className="dynamic-attempts">
<strong>Payload attempts:</strong>
<ul className="dynamic-attempt-list">
{verdict.attempts.map((a, i) => (
{attempts.map((a, i) => (
<li key={i} className={`attempt-row ${a.triggered ? 'triggered' : ''}`}>
<code>{a.payload_label}</code>
<span className="attempt-outcome">
@ -953,6 +958,7 @@ export function FindingDetailPage() {
const f = finding;
const evidence = f.evidence;
const dynamicVerdict = evidence?.dynamic_verdict ?? f.dynamic_verdict;
const isState = isStateFinding(f);
const hasWhySection =
f.message ||
@ -1110,9 +1116,9 @@ export function FindingDetailPage() {
)}
{/* Dynamic Verification */}
{evidence?.dynamic_verdict && (
{dynamicVerdict && (
<CollapsibleSection title="Dynamic Verification">
<DynamicVerdictSection verdict={evidence.dynamic_verdict} />
<DynamicVerdictSection verdict={dynamicVerdict} />
</CollapsibleSection>
)}

20
frontend/src/pages/FindingsPage.tsx
View file

@ -29,6 +29,11 @@ function formatTriageState(state: string): string {
return (state || 'open').replace(/_/g, ' ');
}
function formatVerificationStatus(status: string): string {
if (status === 'NotConfirmed') return 'Not confirmed';
return status || 'Unverified';
}
// ── Filter Bar ──────────────────────────────────────────────────────────────
interface FilterSelectProps {
@ -37,6 +42,7 @@ interface FilterSelectProps {
values: string[] | undefined;
current: string;
onChange: (value: string) => void;
formatValue?: (value: string) => string;
}
function FilterSelect({
@ -45,6 +51,7 @@ function FilterSelect({
values,
current,
onChange,
formatValue,
}: FilterSelectProps) {
if (!values || values.length === 0) return null;
return (
@ -52,7 +59,7 @@ function FilterSelect({
<option value="">All {label}</option>
{values.map((v) => (
<option key={v} value={v}>
{v}
{formatValue ? formatValue(v) : v}
</option>
))}
</select>
@ -322,6 +329,7 @@ export function FindingsPage() {
language: state.language || undefined,
rule_id: state.rule_id || undefined,
status: state.status || undefined,
verification: state.verification || undefined,
search: state.search || undefined,
}),
[state],
@ -621,6 +629,14 @@ export function FindingsPage() {
current={state.status}
onChange={(v) => handleFilterChange('status', v)}
/>
<FilterSelect
id="filter-verification"
label="Verification"
values={filters?.verification_statuses}
current={state.verification}
onChange={(v) => handleFilterChange('verification', v)}
formatValue={formatVerificationStatus}
/>
{hasActiveFilters && (
<button className="btn btn-sm btn-clear" onClick={resetFilters}>
Clear All
@ -764,7 +780,7 @@ export function FindingsPage() {
</td>
<td>
<VerdictBadge
verdict={f.evidence?.dynamic_verdict}
verdict={f.dynamic_verdict ?? f.evidence?.dynamic_verdict}
compact
/>
</td>

19
frontend/src/test/modals/NewScanModal.test.tsx
View file

@ -52,7 +52,11 @@ describe('NewScanModal', () => {
await waitFor(() => expect(mockMutateAsync).toHaveBeenCalledOnce());
const payload = mockMutateAsync.mock.calls[0][0];
expect(payload).not.toHaveProperty('verify');
expect(payload).toEqual({ engine_profile: 'balanced' });
expect(payload).toEqual({
engine_profile: 'balanced',
verify_backend: 'auto',
harden_profile: 'standard',
});
});
it('calls mutateAsync with verify: false when checkbox is checked', async () => {
@ -63,4 +67,17 @@ describe('NewScanModal', () => {
const payload = mockMutateAsync.mock.calls[0][0];
expect(payload).toEqual({ engine_profile: 'balanced', verify: false });
});
it('allows selecting the unsafe process verification backend', async () => {
render(<NewScanModal open={true} onClose={vi.fn()} />);
const selects = screen.getAllByRole('combobox');
fireEvent.change(selects[2], { target: { value: 'process' } });
fireEvent.click(screen.getByRole('button', { name: 'Start scan' }));
await waitFor(() => expect(mockMutateAsync).toHaveBeenCalledOnce());
const payload = mockMutateAsync.mock.calls[0][0];
expect(payload).toMatchObject({
verify_backend: 'process',
harden_profile: 'standard',
});
});
});

49
src/dynamic/framework/adapters/middleware_django.rs
View file

@ -3,6 +3,10 @@
//! Fires when the surrounding source imports Django middleware base
//! classes (`MiddlewareMixin`) or declares a callable middleware whose
//! body defines `__call__(self, request)` / `process_request`.
//!
//! Notably does NOT fire just because the file contains `MIDDLEWARE = [`
//! (typical of `settings.py`) — that needle stole every settings module
//! into Middleware bindings (Phase 21 binding-stealing audit).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -17,24 +21,42 @@ fn callee_is_django_middleware(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(
last,
"process_request" | "process_response" | "process_view" | "process_exception" | "__call__"
"process_request" | "process_response" | "process_view" | "process_exception"
)
}
fn source_imports_django_middleware(file_bytes: &[u8]) -> bool {
fn source_has_middleware_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"django.utils.deprecation",
b"MiddlewareMixin",
b"def __call__(self, request",
b"def process_request",
b"django.middleware",
b"MIDDLEWARE = [",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn looks_like_settings_module(file_bytes: &[u8]) -> bool {
// Heuristic: settings.py declares MIDDLEWARE / INSTALLED_APPS / DATABASES at
// module scope. A real middleware module declares none of these (it carries
// a class with __call__ / process_*).
let has_middleware_list = file_bytes
.windows(b"MIDDLEWARE = [".len())
.any(|w| w == b"MIDDLEWARE = [");
let has_installed_apps = file_bytes
.windows(b"INSTALLED_APPS".len())
.any(|w| w == b"INSTALLED_APPS");
let declares_middleware_class = file_bytes
.windows(b"def __call__".len())
.any(|w| w == b"def __call__")
|| file_bytes
.windows(b"def process_request".len())
.any(|w| w == b"def process_request");
(has_middleware_list || has_installed_apps) && !declares_middleware_class
}
impl FrameworkAdapter for MiddlewareDjangoAdapter {
fn name(&self) -> &'static str {
ADAPTER_NAME
@ -50,8 +72,11 @@ impl FrameworkAdapter for MiddlewareDjangoAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
if looks_like_settings_module(file_bytes) {
return None;
}
let matches_call = super::any_callee_matches(summary, callee_is_django_middleware);
let matches_source = source_imports_django_middleware(file_bytes);
let matches_source = source_has_middleware_shape(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
@ -95,4 +120,20 @@ mod tests {
assert_eq!(binding.adapter, "middleware-django");
assert!(matches!(binding.kind, EntryKind::Middleware { .. }));
}
#[test]
fn does_not_bind_settings_module() {
let src: &[u8] = b"INSTALLED_APPS = ['django.contrib.auth']\nMIDDLEWARE = [\n 'django.middleware.security.SecurityMiddleware',\n]\nDATABASES = {}\n";
let tree = parse_python(src);
let summary = FuncSummary {
name: "some_helper".into(),
..Default::default()
};
assert!(
MiddlewareDjangoAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"settings.py-shaped module must not bind as middleware",
);
}
}

100
src/dynamic/framework/adapters/middleware_express.rs
View file

@ -1,8 +1,12 @@
//! Phase 21 (Track M.3) — Express middleware adapter (JS).
//!
//! Fires when the surrounding source imports Express and declares a
//! middleware function — a `(req, res, next) => …` callable mounted
//! via `app.use(...)` / `router.use(...)`.
//! Fires when the surrounding source imports Express and the function
//! under analysis is mounted via `app.use(<this_fn>)` /
//! `router.use(<this_fn>)`. An anonymous-mount or callee-only signal
//! (`app.use(...)` with a non-matching function name) is no longer
//! enough on its own — that needle stole every Express setup file into
//! Middleware bindings regardless of which function the analyser was
//! looking at (Phase 21 binding-stealing audit).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -13,21 +17,36 @@ pub struct MiddlewareExpressAdapter;
const ADAPTER_NAME: &str = "middleware-express";
fn callee_is_express(name: &str) -> bool {
fn callee_is_express_mount(name: &str) -> bool {
// `use` on Express's app/router registers middleware. Other Express
// helpers like `json`/`urlencoded`/`static` are body-parser
// factories that pair WITH `use` rather than identifying the
// function itself as middleware, so they no longer count.
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(last, "use" | "next" | "json" | "urlencoded" | "static")
last == "use"
}
fn source_imports_express(file_bytes: &[u8]) -> bool {
// Phase 21 v1: require an explicit middleware-registration shape
// (`app.use(` / `router.use(`), not the bare `require('express')`
// import. Many non-middleware Express fixtures import the framework
// but never declare middleware; gating on the registration shape
// keeps the adapter focused on the function the brief targets.
const NEEDLES: &[&[u8]] = &[b"app.use(", b"router.use(", b"express.Router()"];
NEEDLES
fn function_is_mounted_as_middleware(file_bytes: &[u8], name: &str) -> bool {
if name.is_empty() {
return false;
}
let needles: [Vec<u8>; 2] = [
format!("app.use({name})").into_bytes(),
format!("router.use({name})").into_bytes(),
];
needles
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
.any(|n| file_bytes.windows(n.len()).any(|w| w == n.as_slice()))
}
fn function_has_middleware_signature(summary: &FuncSummary) -> bool {
// Express middleware contract: (req, res, next). Adapters cannot
// rely on a generic mount-everything heuristic so the param shape
// becomes the secondary signal when no explicit `app.use(<name>)`
// line is present.
let names: Vec<&str> = summary.param_names.iter().map(|s| s.as_str()).collect();
matches!(names.as_slice(), ["req", "res", "next"])
|| matches!(names.as_slice(), ["request", "response", "next"])
}
impl FrameworkAdapter for MiddlewareExpressAdapter {
@ -45,22 +64,23 @@ impl FrameworkAdapter for MiddlewareExpressAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_express);
let matches_source = source_imports_express(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Middleware {
name: summary.name.clone(),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
let mounted_by_name = function_is_mounted_as_middleware(file_bytes, &summary.name);
let has_mw_signature = function_has_middleware_signature(summary);
let body_mounts = super::any_callee_matches(summary, callee_is_express_mount);
let binds = mounted_by_name || has_mw_signature || body_mounts;
if !binds {
return None;
}
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Middleware {
name: summary.name.clone(),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}
@ -94,4 +114,26 @@ mod tests {
assert_eq!(name, "audit");
}
}
#[test]
fn does_not_bind_unrelated_helper_in_express_setup() {
// File mounts middleware `audit` but the analyser is asking
// about an unrelated helper `loadConfig` in the same file.
let src: &[u8] = b"const express = require('express');\n\
const app = express();\n\
function audit(req, res, next) { next(); }\n\
function loadConfig() { return { port: 3000 }; }\n\
app.use(audit);\n";
let tree = parse_js(src);
let summary = FuncSummary {
name: "loadConfig".into(),
..Default::default()
};
assert!(
MiddlewareExpressAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"unrelated helper in an Express setup file must not bind as middleware",
);
}
}

65
src/dynamic/framework/adapters/middleware_laravel.rs
View file

@ -3,6 +3,12 @@
//! Fires when the surrounding source declares a class with a `handle`
//! method whose signature matches Laravel's middleware contract
//! (`$request, Closure $next`).
//!
//! Notably does NOT fire just because the file imports
//! `Illuminate\Http\Request` or mentions `$middleware` — every typical
//! Laravel controller imports the request facade, and `$middleware`
//! appears in routes / kernel files unrelated to middleware classes
//! (Phase 21 binding-stealing audit).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -15,23 +21,26 @@ const ADAPTER_NAME: &str = "middleware-laravel";
fn callee_is_laravel_middleware(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(last, "handle" | "terminate" | "next" | "withMiddleware")
matches!(last, "terminate" | "withMiddleware")
}
fn source_imports_laravel_middleware(file_bytes: &[u8]) -> bool {
fn source_has_middleware_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"Illuminate\\Http\\Request",
b"Illuminate\\Foundation\\Http\\Middleware",
b"function handle($request, Closure $next",
b"function handle(Request $request, Closure $next",
b"function handle($request, $next",
b"app/Http/Middleware",
b"$middleware",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn name_is_middleware_entry(name: &str) -> bool {
matches!(name, "handle" | "terminate")
}
impl FrameworkAdapter for MiddlewareLaravelAdapter {
fn name(&self) -> &'static str {
ADAPTER_NAME
@ -47,22 +56,24 @@ impl FrameworkAdapter for MiddlewareLaravelAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_laravel_middleware);
let matches_source = source_imports_laravel_middleware(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Middleware {
name: summary.name.clone(),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
let has_shape = source_has_middleware_shape(file_bytes);
let name_matches = name_is_middleware_entry(&summary.name);
let body_mounts_middleware =
super::any_callee_matches(summary, callee_is_laravel_middleware);
let binds = (name_matches && has_shape) || body_mounts_middleware;
if !binds {
return None;
}
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Middleware {
name: summary.name.clone(),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}
@ -91,4 +102,20 @@ mod tests {
assert_eq!(binding.adapter, "middleware-laravel");
assert!(matches!(binding.kind, EntryKind::Middleware { .. }));
}
#[test]
fn does_not_bind_laravel_controller_method() {
let src: &[u8] = b"<?php\nuse Illuminate\\Http\\Request;\nclass UserController {\n public function show(Request $request) { return $request->all(); }\n}\n";
let tree = parse_php(src);
let summary = FuncSummary {
name: "show".into(),
..Default::default()
};
assert!(
MiddlewareLaravelAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"controller method must not bind as middleware just because the file imports Request",
);
}
}

90
src/dynamic/framework/adapters/middleware_rails.rs
View file

@ -1,7 +1,15 @@
//! Phase 21 (Track M.3) — Rack / Rails middleware adapter (Ruby).
//!
//! Fires when the surrounding source defines a Rack-shaped middleware
//! (`def call(env)`) or registers a Rails before-action callback.
//! (`def call(env)`) or wires one into the Rails middleware stack.
//!
//! Notably does NOT fire for Rails controller actions even when the file
//! contains `before_action :name` / `after_action :name` callback
//! registrations — those are class-level controller DSL hooks, not Rack
//! middleware definitions. Older `before_action ` / `after_action ` /
//! `around_action ` source needles were dropped because every typical
//! Rails controller mentions them, which made the adapter bind every
//! controller action as middleware (Phase 21 binding-stealing audit).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -14,28 +22,39 @@ const ADAPTER_NAME: &str = "middleware-rails";
fn callee_is_rails_middleware(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(
last,
"call" | "before_action" | "around_action" | "after_action" | "use"
)
matches!(last, "call" | "use")
}
fn source_imports_rails_middleware(file_bytes: &[u8]) -> bool {
fn source_has_rack_middleware_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"def call(env)",
b"def call (env",
b"before_action ",
b"after_action ",
b"around_action ",
b"Rails.application.config.middleware",
b"Rack::Builder",
b"@app = app",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn looks_like_rails_controller(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"< ApplicationController",
b"<ApplicationController",
b"< ActionController::Base",
b"<ActionController::Base",
b"< ActionController::API",
b"<ActionController::API",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn name_is_rack_entry(name: &str) -> bool {
name == "call"
}
impl FrameworkAdapter for MiddlewareRailsAdapter {
fn name(&self) -> &'static str {
ADAPTER_NAME
@ -51,22 +70,27 @@ impl FrameworkAdapter for MiddlewareRailsAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_rails_middleware);
let matches_source = source_imports_rails_middleware(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Middleware {
name: summary.name.clone(),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
if looks_like_rails_controller(file_bytes) {
return None;
}
let has_middleware_shape = source_has_rack_middleware_shape(file_bytes);
let name_matches = name_is_rack_entry(&summary.name);
let body_mounts_middleware =
super::any_callee_matches(summary, callee_is_rails_middleware);
let binds = (name_matches && has_middleware_shape) || body_mounts_middleware;
if !binds {
return None;
}
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Middleware {
name: summary.name.clone(),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}
@ -95,4 +119,20 @@ mod tests {
assert_eq!(binding.adapter, "middleware-rails");
assert!(matches!(binding.kind, EntryKind::Middleware { .. }));
}
#[test]
fn does_not_bind_rails_controller_action() {
let src: &[u8] = b"class UsersController < ApplicationController\n before_action :authenticate\n def index\n @users = User.all\n render :index\n end\nend\n";
let tree = parse_ruby(src);
let summary = FuncSummary {
name: "index".into(),
..Default::default()
};
assert!(
MiddlewareRailsAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"controller action must not bind as Rack middleware",
);
}
}

49
src/dynamic/framework/adapters/migration_laravel.rs
View file

@ -3,6 +3,12 @@
//! Fires when the surrounding source extends `Illuminate\\Database\\Migrations\\Migration`
//! and declares an `up()` / `down()` method whose body invokes
//! `Schema::create` / `Schema::table` / `DB::statement`.
//!
//! Notably does NOT fire just because the file mentions `DB::statement`
//! or the bare `Illuminate\\Database\\Schema` namespace — those tokens
//! appear in plenty of model helpers, query objects, and database
//! drivers that are not themselves migration classes (Phase 21
//! binding-stealing audit).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -13,28 +19,26 @@ pub struct MigrationLaravelAdapter;
const ADAPTER_NAME: &str = "migration-laravel";
fn callee_is_laravel_migration(name: &str) -> bool {
fn callee_is_laravel_migration_ddl(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(
last,
"up" | "down" | "create" | "table" | "drop" | "statement" | "unprepared"
)
matches!(last, "create" | "table" | "drop" | "statement" | "unprepared")
}
fn source_imports_laravel_migration(file_bytes: &[u8]) -> bool {
fn source_has_migration_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"Illuminate\\Database\\Migrations\\Migration",
b"Illuminate\\Database\\Schema",
b"Schema::create",
b"Schema::table",
b"DB::statement",
b"use Illuminate\\Database\\Schema",
];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn name_is_migration_entry(name: &str) -> bool {
matches!(name, "up" | "down")
}
impl FrameworkAdapter for MigrationLaravelAdapter {
fn name(&self) -> &'static str {
ADAPTER_NAME
@ -50,20 +54,21 @@ impl FrameworkAdapter for MigrationLaravelAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_laravel_migration);
let matches_source = source_imports_laravel_migration(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Migration { version: None },
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
let has_shape = source_has_migration_shape(file_bytes);
let name_matches = name_is_migration_entry(&summary.name);
let body_runs_ddl = super::any_callee_matches(summary, callee_is_laravel_migration_ddl);
let binds = (name_matches || body_runs_ddl) && has_shape;
if !binds {
return None;
}
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Migration { version: None },
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}

74
src/dynamic/framework/adapters/migration_rails.rs
View file

@ -1,8 +1,13 @@
//! Phase 21 (Track M.3) — Rails ActiveRecord migration adapter (Ruby).
//!
//! Fires when the surrounding source declares a class inheriting from
//! `ActiveRecord::Migration[...]` or invokes the canonical migration
//! DSL (`create_table`, `add_column`, `execute`).
//! `ActiveRecord::Migration[...]` or carries the canonical migration
//! marker the fixture uses (`# class Foo < ActiveRecord::Migration[…]`).
//!
//! Notably does NOT fire just because the file mentions `create_table` /
//! `add_column` / `drop_table` — those tokens also appear in
//! `db/schema.rb` snapshots, helper modules, and SQL ddl bodies that are
//! not themselves migration classes (Phase 21 binding-stealing audit).
use crate::dynamic::framework::{FrameworkAdapter, FrameworkBinding};
use crate::evidence::EntryKind;
@ -17,9 +22,7 @@ fn callee_is_rails_migration(name: &str) -> bool {
let last = name.rsplit_once('.').map(|(_, s)| s).unwrap_or(name);
matches!(
last,
"up" | "down"
| "change"
| "create_table"
"create_table"
| "add_column"
| "remove_column"
| "drop_table"
@ -28,19 +31,17 @@ fn callee_is_rails_migration(name: &str) -> bool {
)
}
fn source_imports_rails_migration(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[
b"ActiveRecord::Migration",
b"< ActiveRecord::Migration",
b"create_table ",
b"add_column ",
b"drop_table ",
];
fn source_has_migration_shape(file_bytes: &[u8]) -> bool {
const NEEDLES: &[&[u8]] = &[b"ActiveRecord::Migration", b"< ActiveRecord::Migration"];
NEEDLES
.iter()
.any(|n| file_bytes.windows(n.len()).any(|w| w == *n))
}
fn name_is_migration_entry(name: &str) -> bool {
matches!(name, "up" | "down" | "change")
}
fn extract_version(file_bytes: &[u8]) -> Option<String> {
let text = std::str::from_utf8(file_bytes).unwrap_or("");
let needle = "ActiveRecord::Migration[";
@ -68,22 +69,23 @@ impl FrameworkAdapter for MigrationRailsAdapter {
_ast: tree_sitter::Node<'_>,
file_bytes: &[u8],
) -> Option<FrameworkBinding> {
let matches_call = super::any_callee_matches(summary, callee_is_rails_migration);
let matches_source = source_imports_rails_migration(file_bytes);
if matches_call || matches_source {
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Migration {
version: extract_version(file_bytes),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
} else {
None
let has_shape = source_has_migration_shape(file_bytes);
let name_matches = name_is_migration_entry(&summary.name);
let body_runs_ddl = super::any_callee_matches(summary, callee_is_rails_migration);
let binds = (name_matches || body_runs_ddl) && has_shape;
if !binds {
return None;
}
Some(FrameworkBinding {
adapter: ADAPTER_NAME.to_owned(),
kind: EntryKind::Migration {
version: extract_version(file_bytes),
},
route: None,
request_params: Vec::new(),
response_writer: None,
middleware: Vec::new(),
})
}
}
@ -114,4 +116,20 @@ mod tests {
assert_eq!(version.as_deref(), Some("7.0"));
}
}
#[test]
fn does_not_bind_schema_dump() {
let src: &[u8] = b"ActiveRecord::Schema.define(version: 2024_01_01_000000) do\n create_table :users do |t|\n t.string :name\n end\nend\n";
let tree = parse_ruby(src);
let summary = FuncSummary {
name: "define".into(),
..Default::default()
};
assert!(
MigrationRailsAdapter
.detect(&summary, tree.root_node(), src)
.is_none(),
"db/schema.rb dump must not bind as migration",
);
}
}

28
src/output/json.rs
View file

@ -82,6 +82,7 @@ mod tests {
use crate::chain::finding::{ChainFinding, ChainSeverity, ChainSink};
use crate::chain::impact::ImpactCategory;
use crate::commands::scan::Diag;
use crate::evidence::{Evidence, VerifyResult, VerifyStatus};
use crate::patterns::{FindingCategory, Severity};
use crate::surface::SourceLocation;
@ -157,4 +158,31 @@ mod tests {
let v = build_findings_json(&[], &[], Some(&json!({"new": []})));
assert!(v.get("verdict_diff").is_some());
}
#[test]
fn dynamic_verification_summary_is_included() {
let mut d = diag(7);
d.evidence = Some(Evidence {
dynamic_verdict: Some(VerifyResult {
finding_id: "abc123".into(),
status: VerifyStatus::Confirmed,
triggered_payload: None,
reason: None,
inconclusive_reason: None,
detail: None,
attempts: vec![],
toolchain_match: None,
differential: None,
replay_stable: None,
wrong: None,
hardening_outcome: None,
}),
..Evidence::default()
});
let v = build_findings_json(&[d], &[], None);
assert_eq!(v["dynamic_verification"]["total"], json!(1));
assert_eq!(v["dynamic_verification"]["confirmed"], json!(1));
}
}

42
src/server/models.rs
View file

@ -1,5 +1,5 @@
use crate::commands::scan::Diag;
use crate::evidence::{Confidence, Evidence};
use crate::evidence::{Confidence, Evidence, VerifyResult, VerifyStatus};
use crate::patterns::{FindingCategory, Severity};
use crate::utils::path::{DEFAULT_UI_MAX_FILE_BYTES, open_repo_text_file};
use serde::Serialize;
@ -26,6 +26,15 @@ pub const VALID_TRIAGE_STATES: &[&str] = &[
"fixed",
];
/// Valid dynamic verification states for findings.
pub const VALID_DYNAMIC_VERIFICATION_STATES: &[&str] = &[
"Confirmed",
"NotConfirmed",
"Inconclusive",
"Unsupported",
"Unverified",
];
/// Check if a string is a valid triage state.
pub fn is_valid_triage_state(s: &str) -> bool {
VALID_TRIAGE_STATES.contains(&s)
@ -64,6 +73,8 @@ pub struct FindingView {
#[serde(skip_serializing_if = "Option::is_none")]
pub evidence: Option<Evidence>,
#[serde(skip_serializing_if = "Option::is_none")]
pub dynamic_verdict: Option<VerifyResult>,
#[serde(skip_serializing_if = "Option::is_none")]
pub guard_kind: Option<String>,
#[serde(skip_serializing_if = "Option::is_none")]
pub rank_reason: Option<Vec<(String, String)>>,
@ -199,6 +210,7 @@ pub struct FilterValues {
pub languages: Vec<String>,
pub rules: Vec<String>,
pub statuses: Vec<String>,
pub verification_statuses: Vec<String>,
}
/// Collect distinct filter values from a slice of diagnostics.
@ -209,6 +221,7 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
let mut languages = BTreeSet::new();
let mut rules = BTreeSet::new();
let mut statuses = BTreeSet::new();
let mut verification_statuses = BTreeSet::new();
for d in findings {
severities.insert(d.severity.as_db_str().to_string());
@ -221,12 +234,16 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
}
rules.insert(d.id.clone());
statuses.insert(status_for_diag(d).to_string());
verification_statuses.insert(dynamic_status_for_diag(d).unwrap_or("Unverified").to_string());
}
// Always include all valid triage states so the filter dropdown is complete
for s in VALID_TRIAGE_STATES {
statuses.insert(s.to_string());
}
for s in VALID_DYNAMIC_VERIFICATION_STATES {
verification_statuses.insert(s.to_string());
}
FilterValues {
severities: severities.into_iter().collect(),
@ -235,6 +252,7 @@ pub fn collect_filter_values(findings: &[Diag]) -> FilterValues {
languages: languages.into_iter().collect(),
rules: rules.into_iter().collect(),
statuses: statuses.into_iter().collect(),
verification_statuses: verification_statuses.into_iter().collect(),
}
}
@ -267,6 +285,24 @@ fn status_for_diag(d: &Diag) -> &'static str {
}
}
/// Human-readable dynamic status used by API filters and table rows.
pub fn dynamic_status_label(status: VerifyStatus) -> &'static str {
match status {
VerifyStatus::Confirmed => "Confirmed",
VerifyStatus::NotConfirmed => "NotConfirmed",
VerifyStatus::Inconclusive => "Inconclusive",
VerifyStatus::Unsupported => "Unsupported",
}
}
/// Dynamic verification status for a diagnostic, when a verdict exists.
pub fn dynamic_status_for_diag(d: &Diag) -> Option<&'static str> {
d.evidence
.as_ref()
.and_then(|ev| ev.dynamic_verdict.as_ref())
.map(|verdict| dynamic_status_label(verdict.status))
}
pub(crate) fn is_zero_u64(v: &u64) -> bool {
*v == 0
}
@ -296,6 +332,10 @@ pub fn finding_from_diag(index: usize, d: &Diag) -> FindingView {
triage_note: String::new(),
code_context: None,
evidence: None,
dynamic_verdict: d
.evidence
.as_ref()
.and_then(|ev| ev.dynamic_verdict.clone()),
guard_kind: None,
rank_reason: None,
sanitizer_status: None,

14
src/server/routes/findings.rs
View file

@ -6,7 +6,7 @@ use crate::server::app::{AppState, CachedFindings};
use crate::server::error::{ApiError, ApiResult};
use crate::server::models::{
FilterValues, FindingSummary, FindingView, collect_filter_values, finding_from_diag,
finding_from_diag_with_detail, overlay_triage_states, summarize_findings,
finding_from_diag_with_detail, dynamic_status_label, overlay_triage_states, summarize_findings,
};
use axum::extract::{Path, Query, State};
use axum::routing::get;
@ -139,6 +139,7 @@ struct FindingsQuery {
language: Option<String>,
confidence: Option<String>,
status: Option<String>,
verification: Option<String>,
sort_by: Option<String>,
sort_dir: Option<String>,
page: Option<usize>,
@ -187,6 +188,17 @@ async fn list_findings(
let status_lower = status.to_ascii_lowercase();
views.retain(|f| f.status.to_ascii_lowercase() == status_lower);
}
if let Some(ref verification) = query.verification {
let verification_lower = verification.to_ascii_lowercase();
views.retain(|f| {
let status = f
.dynamic_verdict
.as_ref()
.map(|verdict| dynamic_status_label(verdict.status))
.unwrap_or("Unverified");
status.to_ascii_lowercase() == verification_lower
});
}
if let Some(ref search) = query.search {
let needle = search.to_ascii_lowercase();
views.retain(|f| {