apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-12 19:55:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

refactor(dynamic): replace PHP route stubs with framework-aware route replay logic for Laravel and Symfony, enhance helper functions, and update related test fixtures

Browse source
This commit is contained in:
elipeter 2026-05-26 14:19:01 -05:00
parent aaf49acefb
commit ed398e2834
14 changed files with 835 additions and 345 deletions
Download patch file Download diff file Expand all files Collapse all files

36
tests/dynamic_fixtures/php_frameworks/codeigniter/benign.php
View file

@ -1,44 +1,24 @@
<?php
// Phase 16 — CodeIgniter-style route, benign sanitised payload.
// CodeIgniter-style route, benign sanitised payload.
namespace CodeIgniter\Router {
class RouteCollection
{
}
}
namespace App\Controllers;
namespace {
use CodeIgniter\Controller;
use CodeIgniter\Router\RouteCollection;
class BaseController
function nyx_register_routes(RouteCollection $routes): void
{
$routes->get('run/(:any)', 'App\\Controllers\\UserController::run');
}
class NyxRoutes extends RouteCollection
class UserController extends Controller
{
public function get(string $path, string $callable)
{
$GLOBALS['__nyx_route'] = function (string $payload) use ($callable) {
[$class, $method] = explode('::', $callable, 2);
$controller = new $class();
return $controller->$method($payload);
};
return $this;
}
}
$routes = new NyxRoutes();
$routes->get('run', 'UserController::run');
class UserController extends BaseController
{
public function run($payload)
public function run(string $payload): string
{
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . escapeshellarg($payload);
$out = shell_exec($cmd);
$out = shell_exec($cmd) ?? '';
echo $out;
return $out;
}
}
}

38
tests/dynamic_fixtures/php_frameworks/codeigniter/vuln.php
View file

@ -1,46 +1,24 @@
<?php
// Phase 16 — CodeIgniter-style route, vulnerable.
// `$routes->get('run', 'UserController::run')` references the
// controller method whose body shells out without sanitisation.
// CodeIgniter-style route, vulnerable.
namespace CodeIgniter\Router {
class RouteCollection
{
}
}
namespace App\Controllers;
namespace {
use CodeIgniter\Controller;
use CodeIgniter\Router\RouteCollection;
class BaseController
function nyx_register_routes(RouteCollection $routes): void
{
$routes->get('run/(:any)', 'App\\Controllers\\UserController::run');
}
class NyxRoutes extends RouteCollection
class UserController extends Controller
{
public function get(string $path, string $callable)
{
$GLOBALS['__nyx_route'] = function (string $payload) use ($callable) {
[$class, $method] = explode('::', $callable, 2);
$controller = new $class();
return $controller->$method($payload);
};
return $this;
}
}
$routes = new NyxRoutes();
$routes->get('run', 'UserController::run');
class UserController extends BaseController
{
public function run($payload)
public function run(string $payload): string
{
echo "__NYX_SINK_HIT__\n";
$cmd = "echo hello " . $payload;
$out = shell_exec($cmd);
$out = shell_exec($cmd) ?? '';
echo $out;
return $out;
}
}
}

37
tests/dynamic_fixtures/php_frameworks/laravel/benign.php
View file

@ -1,40 +1,23 @@
<?php
// Phase 16 — Laravel-style route, benign sanitised payload.
// Laravel-style route, benign sanitised payload.
namespace Illuminate\Support\Facades {
class Route
{
public static function get(string $path, string $callable)
{
$GLOBALS['__nyx_route'] = function (string $payload) use ($callable) {
[$class, $method] = preg_split('/@|::/', $callable);
$controller = new $class();
return $controller->$method($payload);
};
return new class {
public function middleware($value)
{
return $this;
}
};
}
}
namespace App\Http\Controllers;
use Illuminate\Routing\Router;
function nyx_register_routes(Router $router): void
{
$router->get('/run/{payload}', [UserController::class, 'run']);
}
namespace {
use Illuminate\Support\Facades\Route;
Route::get('/run', 'UserController@run');
class UserController
{
public function run($payload)
public function run(string $payload): string
{
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . escapeshellarg($payload);
$out = shell_exec($cmd);
$out = shell_exec($cmd) ?? '';
echo $out;
return $out;
}
}
}

39
tests/dynamic_fixtures/php_frameworks/laravel/vuln.php
View file

@ -1,42 +1,23 @@
<?php
// Phase 16 — Laravel-style route, vulnerable.
// `Route::get('/run', 'UserController@run')` references the
// controller method whose body shells out without sanitisation.
// Laravel-style route, vulnerable.
namespace Illuminate\Support\Facades {
class Route
{
public static function get(string $path, string $callable)
{
$GLOBALS['__nyx_route'] = function (string $payload) use ($callable) {
[$class, $method] = preg_split('/@|::/', $callable);
$controller = new $class();
return $controller->$method($payload);
};
return new class {
public function middleware($value)
{
return $this;
}
};
}
}
namespace App\Http\Controllers;
use Illuminate\Routing\Router;
function nyx_register_routes(Router $router): void
{
$router->get('/run/{payload}', [UserController::class, 'run']);
}
namespace {
use Illuminate\Support\Facades\Route;
Route::get('/run', 'UserController@run');
class UserController
{
public function run($payload)
public function run(string $payload): string
{
echo "__NYX_SINK_HIT__\n";
$cmd = "echo hello " . $payload;
$out = shell_exec($cmd);
$out = shell_exec($cmd) ?? '';
echo $out;
return $out;
}
}
}

62
tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/benign.php
View file

@ -2,53 +2,27 @@
// Same route shape as vuln.php, but quotes the payload before invoking
// the shell so the command-injection marker remains inert.
namespace Illuminate\Support\Facades {
class Route
{
public static function match(array $methods, string $path, array $callable)
{
\NyxLaravelMultiVerb\register_route($methods, $callable);
return new class {
public function middleware($value)
{
return $this;
}
};
}
}
namespace App\Http\Controllers;
use Illuminate\Routing\Router;
function nyx_register_routes(Router $router): void
{
$router->match(['GET', 'POST'], '/run/{payload}', [UserController::class, 'run']);
}
namespace NyxLaravelMultiVerb {
use Illuminate\Support\Facades\Route;
function register_route(array $methods, array $callable): void
class UserController
{
public function run(string $payload): ?string
{
$GLOBALS['__nyx_route'] = function (string $payload) use ($methods, $callable) {
$requestMethod = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if (!in_array($requestMethod, $methods, true)) {
return null;
}
[$class, $method] = $callable;
$controller = new $class();
return $controller->$method($payload);
};
}
Route::match(['GET', 'POST'], '/run', [UserController::class, 'run']);
class UserController
{
public function run(string $payload)
{
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
echo "__NYX_METHOD_SKIP__\n";
return null;
}
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . escapeshellarg($payload);
$out = shell_exec($cmd);
echo $out;
return $out;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
echo "__NYX_METHOD_SKIP__\n";
return null;
}
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . escapeshellarg($payload);
$out = shell_exec($cmd) ?? '';
echo $out;
return $out;
}
}

7
tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/composer.json Normal file
View file

@ -0,0 +1,7 @@
{
"name": "nyx/fixture-laravel-multi-verb",
"require": {
"php": ">=8.1",
"laravel/framework": "^11.0"
}
}

65
tests/dynamic_fixtures/php_frameworks/laravel_multi_verb/vuln.php
View file

@ -1,55 +1,28 @@
<?php
// Laravel-style multi-verb route fixture. The vulnerable sink is gated
// to POST so verifier runs that exercise only the representative GET
// method miss the command injection.
// to POST so verifier runs that exercise only GET miss the command injection.
namespace Illuminate\Support\Facades {
class Route
{
public static function match(array $methods, string $path, array $callable)
{
\NyxLaravelMultiVerb\register_route($methods, $callable);
return new class {
public function middleware($value)
{
return $this;
}
};
}
}
namespace App\Http\Controllers;
use Illuminate\Routing\Router;
function nyx_register_routes(Router $router): void
{
$router->match(['GET', 'POST'], '/run/{payload}', [UserController::class, 'run']);
}
namespace NyxLaravelMultiVerb {
use Illuminate\Support\Facades\Route;
function register_route(array $methods, array $callable): void
class UserController
{
public function run(string $payload): ?string
{
$GLOBALS['__nyx_route'] = function (string $payload) use ($methods, $callable) {
$requestMethod = $_SERVER['REQUEST_METHOD'] ?? 'GET';
if (!in_array($requestMethod, $methods, true)) {
return null;
}
[$class, $method] = $callable;
$controller = new $class();
return $controller->$method($payload);
};
}
Route::match(['GET', 'POST'], '/run', [UserController::class, 'run']);
class UserController
{
public function run(string $payload)
{
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
echo "__NYX_METHOD_SKIP__\n";
return null;
}
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . $payload;
$out = shell_exec($cmd);
echo $out;
return $out;
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
echo "__NYX_METHOD_SKIP__\n";
return null;
}
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . $payload;
$out = shell_exec($cmd) ?? '';
echo $out;
return $out;
}
}

55
tests/dynamic_fixtures/php_frameworks/symfony/benign.php
View file

@ -1,48 +1,35 @@
<?php
// Phase 16 — Symfony-style route via `#[Route]` attribute,
// benign sanitised payload.
// Symfony-style route via RouteCollection and HttpKernel, benign sanitised payload.
namespace Symfony\Component\HttpFoundation {
class Response
{
public function __construct(private string $content)
{
}
public function __toString(): string
{
return $this->content;
}
}
}
namespace Symfony\Component\Routing\Annotation {
#[\Attribute(\Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
class Route
{
public function __construct(...$args)
{
}
}
}
namespace App\Controller {
namespace App\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Routing\Route as SymfonyRoute;
use Symfony\Component\Routing\RouteCollection;
function nyx_register_routes(RouteCollection $routes): void
{
$routes->add('nyx_run', new SymfonyRoute(
'/run/{payload}',
['_controller' => [new UserController(), 'run']],
[],
[],
'',
[],
['GET']
));
}
class UserController
{
#[Route('/run', methods: ['GET'])]
public function run($payload)
#[Route('/run/{payload}', methods: ['GET'])]
public function run(string $payload): Response
{
echo "__NYX_SINK_HIT__\n";
$cmd = "true " . escapeshellarg($payload);
$out = shell_exec($cmd);
$out = shell_exec($cmd) ?? '';
echo $out;
return new Response($out);
}
}
$GLOBALS['__nyx_controller'] = new UserController();
}

55
tests/dynamic_fixtures/php_frameworks/symfony/vuln.php
View file

@ -1,48 +1,35 @@
<?php
// Phase 16 — Symfony-style route via `#[Route]` attribute,
// vulnerable.
// Symfony-style route via RouteCollection and HttpKernel, vulnerable.
namespace Symfony\Component\HttpFoundation {
class Response
{
public function __construct(private string $content)
{
}
public function __toString(): string
{
return $this->content;
}
}
}
namespace Symfony\Component\Routing\Annotation {
#[\Attribute(\Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
class Route
{
public function __construct(...$args)
{
}
}
}
namespace App\Controller {
namespace App\Controller;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Routing\Route as SymfonyRoute;
use Symfony\Component\Routing\RouteCollection;
function nyx_register_routes(RouteCollection $routes): void
{
$routes->add('nyx_run', new SymfonyRoute(
'/run/{payload}',
['_controller' => [new UserController(), 'run']],
[],
[],
'',
[],
['GET']
));
}
class UserController
{
#[Route('/run', methods: ['GET'])]
public function run($payload)
#[Route('/run/{payload}', methods: ['GET'])]
public function run(string $payload): Response
{
echo "__NYX_SINK_HIT__\n";
$cmd = "echo hello " . $payload;
$out = shell_exec($cmd);
$out = shell_exec($cmd) ?? '';
echo $out;
return new Response($out);
}
}
$GLOBALS['__nyx_controller'] = new UserController();
}