[pitboss/grind] deferred session-0001 (20260522T163126Z-7d60)

tests/dynamic_fixtures/json_parse_depth/javascript/vuln.js

@@ -0,0 +1,23 @@
+// JavaScript JSON_PARSE depth-bomb vuln fixture.
+//
+// Models a config-driven JSON ingest endpoint that picks the parser
+// input based on the request payload tag — `*_DEEP` routes through a
+// deeply-nested array literal (256 levels) that drives `JSON.parse`
+// past the 64-level depth budget; `*_SHALLOW` routes through a flat
+// `[]` parse that leaves the predicate clear.  This shape is needed
+// by the differential runner: the vuln-payload attempt and the
+// benign-control attempt both load the same fixture, and only the
+// payload-routed deep branch trips the `JsonParseExcessiveDepth`
+// predicate.
+function run(value) {
+    const text = Buffer.isBuffer(value)
+        ? value.toString('utf8')
+        : String(value);
+    if (text.indexOf('DEEP') !== -1) {
+        const nested = '['.repeat(256) + ']'.repeat(256);
+        return JSON.parse(nested);
+    }
+    return JSON.parse('[]');
+}
+
+module.exports = { run };

tests/dynamic_fixtures/json_parse_depth/ruby/vuln.rb

@@ -0,0 +1,23 @@
+# Ruby JSON_PARSE depth-bomb vuln fixture.
+#
+# Models a config-driven JSON ingest endpoint that picks the parser
+# input based on the request payload tag — `*_DEEP` routes through a
+# deeply-nested array literal (256 levels) that drives `JSON.parse`
+# past the 64-level depth budget; `*_SHALLOW` routes through a flat
+# `[]` parse that leaves the predicate clear.  This shape is needed
+# by the differential runner: the vuln-payload attempt and the
+# benign-control attempt both load the same fixture, and only the
+# payload-routed deep branch trips the `JsonParseExcessiveDepth`
+# predicate.  `max_nesting: false` disables the json gem's depth
+# guard so the harness's depth walker sees the full 256-level shape
+# rather than triggering `JSON::NestingError` at depth 100.
+require 'json'
+
+def run(value)
+  text = value.to_s
+  if text.include?('DEEP')
+    nested = '[' * 256 + ']' * 256
+    return JSON.parse(nested, max_nesting: false)
+  end
+  JSON.parse('[]')
+end

tests/json_parse_corpus.rs

@@ -128,7 +128,9 @@ mod e2e_json_parse_depth {
             .join("tests/dynamic_fixtures/json_parse_depth")
             .join(match lang {
                 Lang::Python => "python",
-                _ => unreachable!("JSON_PARSE depth e2e covers Python only"),
+                Lang::JavaScript => "javascript",
+                Lang::Ruby => "ruby",
+                _ => unreachable!("JSON_PARSE depth e2e covers Python + JavaScript + Ruby only"),
             })
             .join(fixture);
         let tmp = TempDir::new().expect("create tempdir");
@@ -167,8 +169,14 @@ mod e2e_json_parse_depth {
     }
 
     fn run(lang: Lang, fixture: &str, entry_name: &str) -> Option<RunOutcome> {
-        if !command_available("python3") {
-            eprintln!("SKIP {lang:?} {fixture}: missing toolchain python3");
+        let required = match lang {
+            Lang::Python => "python3",
+            Lang::JavaScript => "node",
+            Lang::Ruby => "ruby",
+            _ => unreachable!("JSON_PARSE depth e2e covers Python + JavaScript + Ruby only"),
+        };
+        if !command_available(required) {
+            eprintln!("SKIP {lang:?} {fixture}: missing toolchain {required}");
             return None;
         }
         let _guard = FIXTURE_LOCK.lock().unwrap_or_else(|e| e.into_inner());
@@ -208,6 +216,22 @@ mod e2e_json_parse_depth {
         };
         assert_confirmed(Lang::Python, &outcome);
     }
+
+    #[test]
+    fn javascript_vuln_confirms_via_run_spec() {
+        let Some(outcome) = run(Lang::JavaScript, "vuln.js", "run") else {
+            return;
+        };
+        assert_confirmed(Lang::JavaScript, &outcome);
+    }
+
+    #[test]
+    fn ruby_vuln_confirms_via_run_spec() {
+        let Some(outcome) = run(Lang::Ruby, "vuln.rb", "run") else {
+            return;
+        };
+        assert_confirmed(Lang::Ruby, &outcome);
+    }
 }
 
 #[test]