[pitboss] phase 08: Track J.6 + Track L.6 — HEADER_INJECTION corpus + every HTTP framework

tests/dynamic_fixtures/header_injection/go/benign.go

@@ -0,0 +1,15 @@
+// Phase 08 (Track J.6) — Go HEADER_INJECTION benign control fixture.
+//
+// Same shape as `vuln.go` but URL-encodes the value via
+// `net/url.QueryEscape` before the header set, so CRLF bytes land as
+// `%0D%0A` and the wire keeps a single header.
+package benign
+
+import (
+	"net/http"
+	"net/url"
+)
+
+func Run(w http.ResponseWriter, value string) {
+	w.Header().Set("Set-Cookie", url.QueryEscape(value))
+}

tests/dynamic_fixtures/header_injection/go/vuln.go

@@ -0,0 +1,13 @@
+// Phase 08 (Track J.6) — Go HEADER_INJECTION vuln fixture.
+//
+// The function assigns the attacker-controlled `value` directly into a
+// `Set-Cookie` header via `http.ResponseWriter.Header().Set`.  A
+// payload carrying `\r\nSet-Cookie: nyx-injected=pwn` splits the
+// single header into two on the wire.
+package vuln
+
+import "net/http"
+
+func Run(w http.ResponseWriter, value string) {
+	w.Header().Set("Set-Cookie", value)
+}

tests/dynamic_fixtures/header_injection/java/Benign.java

@@ -0,0 +1,16 @@
+// Phase 08 (Track J.6) — Java HEADER_INJECTION benign control fixture.
+//
+// Same shape as `Vuln.java` but URL-encodes the value via
+// `URLEncoder.encode` (the OWASP-recommended defence), so any CRLF
+// bytes in the value land as `%0D%0A` and the wire keeps a single
+// header.
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import javax.servlet.http.HttpServletResponse;
+
+public class Benign {
+    public static void run(HttpServletResponse response, String value) {
+        String encoded = URLEncoder.encode(value, StandardCharsets.UTF_8);
+        response.setHeader("Set-Cookie", encoded);
+    }
+}

tests/dynamic_fixtures/header_injection/java/Vuln.java

@@ -0,0 +1,13 @@
+// Phase 08 (Track J.6) — Java HEADER_INJECTION vuln fixture.
+//
+// The function string-concatenates the attacker-controlled `value`
+// directly into a `Set-Cookie` header set via
+// `HttpServletResponse.setHeader`.  A payload carrying `\r\nSet-Cookie:
+// nyx-injected=pwn` splits the single header into two on the wire.
+import javax.servlet.http.HttpServletResponse;
+
+public class Vuln {
+    public static void run(HttpServletResponse response, String value) {
+        response.setHeader("Set-Cookie", value);
+    }
+}

tests/dynamic_fixtures/header_injection/js/benign.js

@@ -0,0 +1,13 @@
+// Phase 08 (Track J.6) — JavaScript HEADER_INJECTION benign control
+// fixture.
+//
+// Same shape as `vuln.js` but URL-encodes the value first via
+// `encodeURIComponent`, so CRLF bytes land as `%0D%0A` and the wire
+// keeps a single header.
+const http = require('http');
+
+function run(res, value) {
+  res.setHeader('Set-Cookie', encodeURIComponent(value));
+}
+
+module.exports = { run };

tests/dynamic_fixtures/header_injection/js/vuln.js

@@ -0,0 +1,13 @@
+// Phase 08 (Track J.6) — JavaScript HEADER_INJECTION vuln fixture.
+//
+// The function assigns the attacker-controlled `value` directly into a
+// Node response's `Set-Cookie` header via `http.ServerResponse
+// #setHeader`.  A payload carrying `\r\nSet-Cookie: nyx-injected=pwn`
+// splits the single header into two on the wire.
+const http = require('http');
+
+function run(res, value) {
+  res.setHeader('Set-Cookie', value);
+}
+
+module.exports = { run };

tests/dynamic_fixtures/header_injection/php/benign.php

@@ -0,0 +1,9 @@
+<?php
+// Phase 08 (Track J.6) — PHP HEADER_INJECTION benign control fixture.
+//
+// Same shape as `vuln.php` but URL-encodes the value first via
+// `urlencode`, so CRLF bytes land as `%0D%0A` and the wire keeps a
+// single header.
+function run($value) {
+    header("Set-Cookie: " . urlencode($value));
+}

tests/dynamic_fixtures/header_injection/php/vuln.php

@@ -0,0 +1,10 @@
+<?php
+// Phase 08 (Track J.6) — PHP HEADER_INJECTION vuln fixture.
+//
+// The function concatenates the attacker-controlled `$value` directly
+// into a `Set-Cookie` header set via the built-in `header()` function.
+// A payload carrying `\r\nSet-Cookie: nyx-injected=pwn` splits the
+// single header into two on the wire.
+function run($value) {
+    header("Set-Cookie: " . $value);
+}

tests/dynamic_fixtures/header_injection/python/benign.py

@@ -0,0 +1,13 @@
+# Phase 08 (Track J.6) — Python HEADER_INJECTION benign control fixture.
+#
+# Same shape as `vuln.py` but URL-encodes the value via
+# `urllib.parse.quote` first, so CRLF bytes land as `%0D%0A` and the
+# wire keeps a single header.
+from urllib.parse import quote
+from flask import Response
+
+
+def run(value):
+    response = Response("ok")
+    response.headers["Set-Cookie"] = quote(value, safe="")
+    return response

tests/dynamic_fixtures/header_injection/python/vuln.py

@@ -0,0 +1,13 @@
+# Phase 08 (Track J.6) — Python HEADER_INJECTION vuln fixture.
+#
+# The function assigns the attacker-controlled `value` directly into
+# a Flask response's `Set-Cookie` header via `Response.headers
+# .__setitem__`.  A payload carrying `\r\nSet-Cookie: nyx-injected=pwn`
+# splits the single header into two on the wire.
+from flask import Response
+
+
+def run(value):
+    response = Response("ok")
+    response.headers["Set-Cookie"] = value
+    return response

tests/dynamic_fixtures/header_injection/ruby/benign.rb

@@ -0,0 +1,13 @@
+# Phase 08 (Track J.6) — Ruby HEADER_INJECTION benign control fixture.
+#
+# Same shape as `vuln.rb` but URL-encodes the value first via
+# `URI.encode_www_form_component`, so CRLF bytes land as `%0D%0A` and
+# the wire keeps a single header.
+require 'rack'
+require 'uri'
+
+def run(value)
+  response = Rack::Response.new
+  response.set_header('Set-Cookie', URI.encode_www_form_component(value))
+  response
+end

tests/dynamic_fixtures/header_injection/ruby/vuln.rb

@@ -0,0 +1,13 @@
+# Phase 08 (Track J.6) — Ruby HEADER_INJECTION vuln fixture.
+#
+# The function assigns the attacker-controlled `value` directly into a
+# Rack response's `Set-Cookie` header via `Rack::Response#set_header`.
+# A payload carrying `\r\nSet-Cookie: nyx-injected=pwn` splits the
+# single header into two on the wire.
+require 'rack'
+
+def run(value)
+  response = Rack::Response.new
+  response.set_header('Set-Cookie', value)
+  response
+end

tests/dynamic_fixtures/header_injection/rust/benign.rs

@@ -0,0 +1,16 @@
+// Phase 08 (Track J.6) — Rust HEADER_INJECTION benign control fixture.
+//
+// Same shape as `vuln.rs` but routes the value through the
+// `percent-encoding` crate first, so CRLF bytes land as `%0D%0A` and
+// the wire keeps a single header.
+use axum::http::HeaderMap;
+use axum::http::HeaderValue;
+use percent_encoding::{utf8_percent_encode, NON_ALPHANUMERIC};
+
+pub fn run(headers: &mut HeaderMap, value: &str) {
+    let encoded: String = utf8_percent_encode(value, NON_ALPHANUMERIC).collect();
+    headers.insert(
+        "set-cookie",
+        HeaderValue::from_str(&encoded).unwrap(),
+    );
+}

tests/dynamic_fixtures/header_injection/rust/vuln.rs

@@ -0,0 +1,17 @@
+// Phase 08 (Track J.6) — Rust HEADER_INJECTION vuln fixture.
+//
+// The function inserts the attacker-controlled `value` into an axum
+// `HeaderMap` via `headers_mut().insert`, bypassing
+// `HeaderValue::from_str`'s newline check by passing the tainted
+// bytes through `HeaderValue::from_bytes(...).unwrap()`.  A payload
+// carrying `\r\nSet-Cookie: nyx-injected=pwn` splits the single
+// header into two on the wire.
+use axum::http::HeaderMap;
+use axum::http::HeaderValue;
+
+pub fn run(headers: &mut HeaderMap, value: &str) {
+    headers.insert(
+        "set-cookie",
+        HeaderValue::from_bytes(value.as_bytes()).unwrap(),
+    );
+}