apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss/grind] deferred session-0013 (20260522T163126Z-7d60)

Browse source
This commit is contained in:
pitboss 2026-05-22 16:56:12 -05:00
parent ad18008712
commit e360a1db58
3 changed files with 701 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

48
tests/data_exfil_corpus.rs
View file

@ -136,8 +136,8 @@ mod e2e_data_exfil {
fn command_available(bin: &str) -> bool {
// Go's CLI uses `go version` (subcommand) instead of `go
// --version` and exits non-zero on `--version`. Every other
// toolchain here (python3, ruby, node, javac, php) accepts
// `--version`.
// toolchain here (python3, ruby, node, javac, php, cargo)
// accepts `--version`.
let arg = if bin == "go" { "version" } else { "--version" };
Command::new(bin)
.arg(arg)
@ -156,8 +156,9 @@ mod e2e_data_exfil {
Lang::Java => "java",
Lang::Php => "php",
Lang::Go => "go",
Lang::Rust => "rust",
_ => unreachable!(
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php + Go + Rust"
),
})
.join(fixture);
@ -204,8 +205,9 @@ mod e2e_data_exfil {
Lang::Java => "javac",
Lang::Php => "php",
Lang::Go => "go",
Lang::Rust => "cargo",
_ => unreachable!(
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
"DATA_EXFIL e2e currently covers Python + Ruby + JavaScript + Java + Php + Go + Rust"
),
};
if !command_available(required) {
@ -448,4 +450,42 @@ mod e2e_data_exfil {
"Go DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
);
}
/// Rust pair, same shape as Python + Ruby + JavaScript + Java +
/// Php + Go. The vuln fixture's `reqwest::blocking::get(&url)`
/// has its `reqwest::` prefix rewritten to `crate::nyx_http::` at
/// staging time so the outbound call lands in the harness-shipped
/// `nyx_http::blocking::get` shim, which parses the URL host, emits
/// a `ProbeKind::OutboundNetwork`, and returns a benign empty
/// `Response`. `OutboundHostNotIn` fires for the `attacker.test`
/// payload. The benign fixture's `!ALLOWLIST.contains(&host)`
/// guard short-circuits before reaching the rewritten reqwest call
/// for non-loopback payloads so no probe fires. Skips when `cargo`
/// is not on PATH.
#[test]
fn rust_vuln_confirms_via_run_spec() {
let Some(outcome) = run(Lang::Rust, "vuln.rs", "run") else {
return;
};
assert!(
outcome.triggered_by.is_some(),
"Rust DATA_EXFIL vuln must confirm via run_spec; got {outcome:?}",
);
let diff = outcome
.differential
.as_ref()
.expect("confirmed run must carry a DifferentialOutcome");
assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
}
#[test]
fn rust_benign_does_not_confirm_via_run_spec() {
let Some(outcome) = run(Lang::Rust, "benign.rs", "run") else {
return;
};
assert!(
outcome.triggered_by.is_none(),
"Rust DATA_EXFIL benign control must not confirm via run_spec; got {outcome:?}",
);
}
}

45
tests/unauthorized_id_corpus.rs
View file

@ -127,8 +127,8 @@ mod e2e_unauthorized_id {
fn command_available(bin: &str) -> bool {
// Go's CLI uses `go version` (subcommand) instead of `go
// --version` and exits non-zero on `--version`. Every other
// toolchain here (python3, ruby, node, javac, php) accepts
// `--version`.
// toolchain here (python3, ruby, node, javac, php, cargo)
// accepts `--version`.
let arg = if bin == "go" { "version" } else { "--version" };
Command::new(bin)
.arg(arg)
@ -147,8 +147,9 @@ mod e2e_unauthorized_id {
Lang::Java => "java",
Lang::Php => "php",
Lang::Go => "go",
Lang::Rust => "rust",
_ => unreachable!(
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php + Go + Rust"
),
})
.join(fixture);
@ -195,8 +196,9 @@ mod e2e_unauthorized_id {
Lang::Java => "javac",
Lang::Php => "php",
Lang::Go => "go",
Lang::Rust => "cargo",
_ => unreachable!(
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php + Go"
"UNAUTHORIZED_ID e2e currently covers Python + Ruby + JavaScript + Java + Php + Go + Rust"
),
};
if !command_available(required) {
@ -430,4 +432,39 @@ mod e2e_unauthorized_id {
"Go UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
);
}
/// Rust pair, same shape as Python + Ruby + JavaScript + Java +
/// Php + Go. The vuln fixture's `store.get(owner_id).cloned()`
/// returns `Some(_)` for any `owner_id`; the harness's `.is_some()`
/// gate fires the `IdorAccess(alice, bob)` probe and
/// `IdorBoundaryCrossed` confirms the differential. The benign
/// fixture's `if owner_id != CALLER_ID { return None; }` short-
/// circuit returns `None` for the non-caller payload so the gate
/// clears and no probe fires. Skips when `cargo` is not on PATH.
#[test]
fn rust_vuln_confirms_via_run_spec() {
let Some(outcome) = run(Lang::Rust, "vuln.rs", "run") else {
return;
};
assert!(
outcome.triggered_by.is_some(),
"Rust UNAUTHORIZED_ID vuln must confirm via run_spec; got {outcome:?}",
);
let diff = outcome
.differential
.as_ref()
.expect("confirmed run must carry a DifferentialOutcome");
assert_eq!(diff.verdict, DifferentialVerdict::Confirmed);
}
#[test]
fn rust_benign_does_not_confirm_via_run_spec() {
let Some(outcome) = run(Lang::Rust, "benign.rs", "run") else {
return;
};
assert!(
outcome.triggered_by.is_none(),
"Rust UNAUTHORIZED_ID benign control must not confirm via run_spec; got {outcome:?}",
);
}
}