[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

tests/dynamic_fixtures/graphql_resolver/gqlgen/benign.go

@@ -0,0 +1,15 @@
+// Phase 21 — gqlgen benign control.
+package benign
+
+// import "github.com/99designs/gqlgen/graphql"
+
+import "regexp"
+
+var idAllow = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)
+
+func ResolveUser(id string) (string, error) {
+	if !idAllow.MatchString(id) {
+		return "", nil
+	}
+	return "user-" + id, nil
+}

tests/dynamic_fixtures/graphql_resolver/gqlgen/vuln.go

@@ -0,0 +1,23 @@
+// Phase 21 (Track M.3) — gqlgen GraphQL resolver vuln fixture.
+//
+// `resolveUser(ctx, id)` is a gqlgen resolver (substring marker only —
+// the real gqlgen runtime is not on the workdir's go.mod).  The
+// resolver splices the id into a shell command via os/exec.
+package vuln
+
+// import "github.com/99designs/gqlgen/graphql"
+
+import (
+	"os/exec"
+)
+
+// type queryResolver struct{}
+
+func ResolveUser(id string) (string, error) {
+	// SINK: tainted id concatenated into shell command.
+	out, err := exec.Command("/bin/sh", "-c", "echo lookup-"+id).Output()
+	if err != nil {
+		return "", err
+	}
+	return string(out), nil
+}