[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

tests/dynamic_fixtures/middleware/django/benign.py

@@ -0,0 +1,18 @@
+"""Phase 21 — Django middleware benign control."""
+import os
+import shlex
+
+_NYX_ADAPTER_MARKER = "from django.utils.deprecation import MiddlewareMixin"
+
+
+class AuditMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        os.system("echo " + shlex.quote(str(request.body)))
+        return self.get_response(request)
+
+
+def audit(get_response):
+    return AuditMiddleware(get_response)

tests/dynamic_fixtures/middleware/django/vuln.py

@@ -0,0 +1,23 @@
+"""Phase 21 (Track M.3) — Django middleware vuln fixture.
+
+`AuditMiddleware.__call__(request)` splices `request.body` into a shell
+command via `os.system`.
+"""
+import os
+
+_NYX_ADAPTER_MARKER = "from django.utils.deprecation import MiddlewareMixin"
+
+
+class AuditMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    def __call__(self, request):
+        # SINK: tainted request body concatenated into shell command.
+        os.system("echo " + str(request.body))
+        return self.get_response(request)
+
+
+# Module-level alias for the harness to resolve `audit` directly.
+def audit(get_response):
+    return AuditMiddleware(get_response)

tests/dynamic_fixtures/middleware/express/benign.js

@@ -0,0 +1,11 @@
+// Phase 21 — Express middleware benign control.
+const _NYX_ADAPTER_MARKER = "require('express')";
+
+function audit(req, res, next) {
+    const body = String(req.body || '');
+    if (body.length > 1024) return res.end('too large');
+    if (typeof next === 'function') next();
+    return 'ok';
+}
+
+module.exports = { audit };

tests/dynamic_fixtures/middleware/express/vuln.js

@@ -0,0 +1,17 @@
+// Phase 21 (Track M.3) — Express middleware vuln fixture.
+//
+// `audit(req, res, next)` is mounted via `app.use(audit)`.  It splices
+// the request body into a shell command via `execSync`.
+const _NYX_ADAPTER_MARKER = "require('express')";
+const _NYX_REGISTER_MARKER = "app.use(audit)";
+
+const { execSync } = require('child_process');
+
+function audit(req, res, next) {
+    // SINK: tainted req.body concatenated into shell command.
+    const out = execSync('echo ' + String(req.body || '')).toString();
+    if (typeof next === 'function') next();
+    return out;
+}
+
+module.exports = { audit };

tests/dynamic_fixtures/middleware/laravel/benign.php

@@ -0,0 +1,11 @@
+<?php
+// Phase 21 — Laravel middleware benign control.
+// use Illuminate\\Http\\Request;
+
+class Audit {
+    public function handle($request, $next) {
+        $body = is_object($request) && isset($request->body) ? (string)$request->body : (string)$request;
+        shell_exec("echo " . escapeshellarg($body));
+        return $next($request);
+    }
+}

tests/dynamic_fixtures/middleware/laravel/vuln.php

@@ -0,0 +1,17 @@
+<?php
+// Phase 21 (Track M.3) — Laravel middleware vuln fixture.
+//
+// `Audit::handle($request, $next)` splices `$request->body` into a
+// shell command via `shell_exec` — classic Laravel middleware cmdi.
+
+// use Illuminate\\Http\\Request;
+// function handle($request, Closure $next)
+
+class Audit {
+    public function handle($request, $next) {
+        $body = is_object($request) && isset($request->body) ? (string)$request->body : (string)$request;
+        // SINK: tainted body concatenated into shell command.
+        shell_exec("echo " . $body);
+        return $next($request);
+    }
+}

tests/dynamic_fixtures/middleware/rails/benign.rb

@@ -0,0 +1,14 @@
+# Phase 21 — Rack middleware benign control.
+require 'shellwords'
+
+class AuditMiddleware
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    payload = (env['nyx.payload'] || env['QUERY_STRING']).to_s
+    system("echo " + Shellwords.escape(payload))
+    @app.call(env)
+  end
+end

tests/dynamic_fixtures/middleware/rails/vuln.rb

@@ -0,0 +1,17 @@
+# Phase 21 (Track M.3) — Rack/Rails middleware vuln fixture.
+#
+# `AuditMiddleware#call(env)` splices `env['nyx.payload']` into a shell
+# command — classic Rack-middleware cmdi shape.
+
+class AuditMiddleware
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    payload = env['nyx.payload'] || env['QUERY_STRING'].to_s
+    # SINK: tainted env value concatenated into shell command.
+    system("echo " + payload.to_s)
+    @app.call(env)
+  end
+end

tests/dynamic_fixtures/middleware/spring/Benign.java

@@ -0,0 +1,10 @@
+// Phase 21 — Spring middleware benign control.
+// implements HandlerInterceptor
+
+public class Benign {
+    public boolean preHandle(String payload) {
+        String safe = payload.replaceAll("[^A-Za-z0-9 _.-]", "_");
+        System.out.println("intercepted: " + safe);
+        return true;
+    }
+}

tests/dynamic_fixtures/middleware/spring/Vuln.java

@@ -0,0 +1,16 @@
+// Phase 21 (Track M.3) — Spring HandlerInterceptor middleware vuln
+// fixture.
+//
+// `Vuln#preHandle` splices the request body into a shell command via
+// Runtime.exec.  HandlerInterceptor is referenced as a substring
+// marker only.
+//
+// implements HandlerInterceptor
+
+public class Vuln {
+    public boolean preHandle(String payload) throws Exception {
+        // SINK: tainted payload concatenated into shell command.
+        Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "echo " + payload });
+        return true;
+    }
+}