[pitboss] phase 08: Track J.6 + Track L.6 — HEADER_INJECTION corpus + every HTTP framework

tests/dynamic_fixtures/header_injection/python/benign.py

@@ -0,0 +1,13 @@
+# Phase 08 (Track J.6) — Python HEADER_INJECTION benign control fixture.
+#
+# Same shape as `vuln.py` but URL-encodes the value via
+# `urllib.parse.quote` first, so CRLF bytes land as `%0D%0A` and the
+# wire keeps a single header.
+from urllib.parse import quote
+from flask import Response
+
+
+def run(value):
+    response = Response("ok")
+    response.headers["Set-Cookie"] = quote(value, safe="")
+    return response

tests/dynamic_fixtures/header_injection/python/vuln.py

@@ -0,0 +1,13 @@
+# Phase 08 (Track J.6) — Python HEADER_INJECTION vuln fixture.
+#
+# The function assigns the attacker-controlled `value` directly into
+# a Flask response's `Set-Cookie` header via `Response.headers
+# .__setitem__`.  A payload carrying `\r\nSet-Cookie: nyx-injected=pwn`
+# splits the single header into two on the wire.
+from flask import Response
+
+
+def run(value):
+    response = Response("ok")
+    response.headers["Set-Cookie"] = value
+    return response