[pitboss/grind] deferred session-0026 (20260522T043516Z-29b8)

This commit is contained in:
pitboss 2026-05-22 08:10:23 -05:00
parent 853fd281c5
commit ed237ab45a
4 changed files with 574 additions and 1 deletions

View file

@ -1017,4 +1017,88 @@ mod e2e_phase_08 {
.collect::<Vec<_>>(),
);
}
// Phase 08 tier-(b): PHP raw-socket wire-frame fixture.
// `tests/dynamic_fixtures/header_injection/php_raw/vuln.php` binds
// a `stream_socket_server` via `create_server` whose `run_once`
// handler writes raw bytes via `fwrite($conn, $raw)`, bypassing
// PHP's built-in `header()` CRLF strip (rejected since 5.1.2).
// The harness boots the server on a loopback port, opens a client
// stream via `stream_socket_client`, reads the response-header
// block off the socket, and emits a `ProbeKind::HeaderWireFrame`
// record. Asserts the test exercises the wire-frame branch (not
// the synthetic fallback) by pinning `wire_frame_len` in the
// captured stdout — that literal only appears in the tier-(b)
// write path.
fn build_php_raw_spec(entry_name: &str) -> (HarnessSpec, TempDir) {
let fixture_src = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("tests/dynamic_fixtures/header_injection/php_raw/vuln.php");
let tmp = TempDir::new().expect("create tempdir");
let dst = tmp.path().join("vuln.php");
std::fs::copy(&fixture_src, &dst).expect("copy php_raw fixture into tempdir");
let entry_file = dst.to_string_lossy().into_owned();
let mut digest = blake3::Hasher::new();
digest.update(b"phase08-e2e-header-injection|php_raw|vuln.php");
let spec_hash = format!("{:016x}", {
let bytes = digest.finalize();
u64::from_le_bytes(bytes.as_bytes()[..8].try_into().unwrap())
});
let spec = HarnessSpec {
finding_id: spec_hash.clone(),
entry_file: entry_file.clone(),
entry_name: entry_name.to_owned(),
entry_kind: EntryKind::Function,
lang: Lang::Php,
toolchain_id: default_toolchain_id(Lang::Php).into(),
payload_slot: PayloadSlot::Param(0),
expected_cap: Cap::HEADER_INJECTION,
constraint_hints: vec![],
sink_file: entry_file,
sink_line: 1,
spec_hash: spec_hash.clone(),
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)
}
#[test]
fn php_raw_socket_vuln_confirms_via_wire_frame_probe() {
if !command_available("php") {
eprintln!("SKIP php_raw: missing php");
return;
}
let _guard = FIXTURE_LOCK.lock().unwrap_or_else(|e| e.into_inner());
let (spec, _tmp) = build_php_raw_spec("run");
let opts = SandboxOptions {
backend: SandboxBackend::Process,
..SandboxOptions::default()
};
let outcome = match run_spec(&spec, &opts) {
Ok(outcome) => outcome,
Err(RunError::BuildFailed { stderr, attempts }) => {
eprintln!(
"SKIP php_raw: harness build failed after {attempts} attempts: {stderr}",
);
return;
}
Err(e) => panic!("run_spec(php_raw) errored: {e:?}"),
};
assert_confirmed(Lang::Php, &outcome);
let any_wire_frame_marker = outcome.attempts.iter().any(|a| {
String::from_utf8_lossy(&a.outcome.stdout).contains("wire_frame_len")
});
assert!(
any_wire_frame_marker,
"php_raw fixture must exercise the tier-(b) wire-frame harness branch; \
expected `wire_frame_len` substring in at least one attempt's stdout, got attempts={:?}",
outcome
.attempts
.iter()
.map(|a| String::from_utf8_lossy(&a.outcome.stdout).into_owned())
.collect::<Vec<_>>(),
);
}
}