[pitboss/grind] deferred session-0022 (20260522T043516Z-29b8)

tests/dynamic_fixtures/header_injection/js_raw/vuln.js

@@ -0,0 +1,50 @@
+// Phase 08 (Track J.6) — JavaScript raw-socket HEADER_INJECTION vuln fixture.
+//
+// Writes the response status line and headers directly to the wire via
+// `socket.write`, bypassing the framework-level CRLF validator that
+// Node's `http.ServerResponse#setHeader` / Express / axum / Tomcat
+// would otherwise interpose.  A payload carrying `\r\nSet-Cookie: ...`
+// splits the single Set-Cookie header into two on the wire, producing
+// the canonical smuggled-second-header shape that
+// `ProbeKind::HeaderWireFrame` is designed to catch.
+//
+// The harness (`src/dynamic/lang/js_shared.rs::emit_header_injection_harness`)
+// detects the `net.createServer` import in this file and routes
+// through the tier-(b) wire-frame branch: boot a `net.Server` on a
+// loopback port, issue one `GET /` over a raw socket, read the bytes
+// the handler wrote to the response socket, and emit them as a
+// `ProbeKind::HeaderWireFrame` record.
+const net = require('net');
+
+// Set by the harness before each request.  Bytes go straight onto
+// the wire with no encoding pass.
+let cookieValue = Buffer.alloc(0);
+
+function setCookieValue(value) {
+  if (Buffer.isBuffer(value)) {
+    cookieValue = value;
+  } else {
+    cookieValue = Buffer.from(String(value), 'utf8');
+  }
+}
+
+function createServer() {
+  return net.createServer((socket) => {
+    socket.once('data', () => {
+      const body = Buffer.from('ok\n');
+      const head = Buffer.concat([
+        Buffer.from('HTTP/1.0 200 OK\r\n'),
+        Buffer.from('Content-Length: ' + body.length + '\r\n'),
+        Buffer.from('Set-Cookie: '),
+        cookieValue,
+        Buffer.from('\r\n'),
+        Buffer.from('\r\n'),
+      ]);
+      socket.write(Buffer.concat([head, body]));
+      socket.end();
+    });
+    socket.on('error', () => {});
+  });
+}
+
+module.exports = { setCookieValue, createServer };

tests/header_injection_corpus.rs

@@ -726,6 +726,88 @@ mod e2e_phase_08 {
         (spec, tmp)
     }
 
+    // Phase 08 tier-(b): JavaScript raw-socket wire-frame fixture.
+    // `tests/dynamic_fixtures/header_injection/js_raw/vuln.js` boots a
+    // `net.Server` whose callback writes raw bytes via `socket.write`,
+    // bypassing Node's `http.ServerResponse#setHeader` CRLF strip.  The
+    // harness boots the server on a loopback port, reads the response-
+    // header block off the socket, and emits a
+    // `ProbeKind::HeaderWireFrame` record.  Asserts the test exercises
+    // the wire-frame branch (not the synthetic fallback) by pinning
+    // `wire_frame_len` in the captured stdout — that literal only
+    // appears in the tier-(b) write path.
+    fn build_js_raw_spec(entry_name: &str) -> (HarnessSpec, TempDir) {
+        let fixture_src = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+            .join("tests/dynamic_fixtures/header_injection/js_raw/vuln.js");
+        let tmp = TempDir::new().expect("create tempdir");
+        let dst = tmp.path().join("vuln.js");
+        std::fs::copy(&fixture_src, &dst).expect("copy js_raw fixture into tempdir");
+        let entry_file = dst.to_string_lossy().into_owned();
+        let mut digest = blake3::Hasher::new();
+        digest.update(b"phase08-e2e-header-injection|js_raw|vuln.js");
+        let spec_hash = format!("{:016x}", {
+            let bytes = digest.finalize();
+            u64::from_le_bytes(bytes.as_bytes()[..8].try_into().unwrap())
+        });
+        let spec = HarnessSpec {
+            finding_id: spec_hash.clone(),
+            entry_file: entry_file.clone(),
+            entry_name: entry_name.to_owned(),
+            entry_kind: EntryKind::Function,
+            lang: Lang::JavaScript,
+            toolchain_id: default_toolchain_id(Lang::JavaScript).into(),
+            payload_slot: PayloadSlot::Param(0),
+            expected_cap: Cap::HEADER_INJECTION,
+            constraint_hints: vec![],
+            sink_file: entry_file,
+            sink_line: 1,
+            spec_hash: spec_hash.clone(),
+            derivation: SpecDerivationStrategy::FromFlowSteps,
+            stubs_required: vec![],
+            framework: None,
+            java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
+        };
+        (spec, tmp)
+    }
+
+    #[test]
+    fn js_raw_socket_vuln_confirms_via_wire_frame_probe() {
+        if !command_available("node") {
+            eprintln!("SKIP js_raw: missing node");
+            return;
+        }
+        let _guard = FIXTURE_LOCK.lock().unwrap_or_else(|e| e.into_inner());
+        let (spec, _tmp) = build_js_raw_spec("run");
+        let opts = SandboxOptions {
+            backend: SandboxBackend::Process,
+            ..SandboxOptions::default()
+        };
+        let outcome = match run_spec(&spec, &opts) {
+            Ok(outcome) => outcome,
+            Err(RunError::BuildFailed { stderr, attempts }) => {
+                eprintln!(
+                    "SKIP js_raw: harness build failed after {attempts} attempts: {stderr}",
+                );
+                return;
+            }
+            Err(e) => panic!("run_spec(js_raw) errored: {e:?}"),
+        };
+        assert_confirmed(Lang::JavaScript, &outcome);
+        let any_wire_frame_marker = outcome.attempts.iter().any(|a| {
+            String::from_utf8_lossy(&a.outcome.stdout).contains("wire_frame_len")
+        });
+        assert!(
+            any_wire_frame_marker,
+            "js_raw fixture must exercise the tier-(b) wire-frame harness branch; \
+             expected `wire_frame_len` substring in at least one attempt's stdout, got attempts={:?}",
+            outcome
+                .attempts
+                .iter()
+                .map(|a| String::from_utf8_lossy(&a.outcome.stdout).into_owned())
+                .collect::<Vec<_>>(),
+        );
+    }
+
     #[test]
     fn python_raw_socket_vuln_confirms_via_wire_frame_probe() {
         if !command_available("python3") {