[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

2026-06-15 20:05:13 +02:00 · 2026-05-20 18:05:31 -05:00 · 2026-05-20 18:05:31 -05:00 · f9bd51c024
commit f9bd51c024
parent 00b0fbaea9
84 changed files with 5898 additions and 40 deletions
--- a/tests/dynamic_fixtures/middleware/rails/benign.rb
+++ b/tests/dynamic_fixtures/middleware/rails/benign.rb
@ -0,0 +1,14 @@
+# Phase 21 — Rack middleware benign control.
+require 'shellwords'
+
+class AuditMiddleware
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    payload = (env['nyx.payload'] || env['QUERY_STRING']).to_s
+    system("echo " + Shellwords.escape(payload))
+    @app.call(env)
+  end
+end
--- a/tests/dynamic_fixtures/middleware/rails/vuln.rb
+++ b/tests/dynamic_fixtures/middleware/rails/vuln.rb
@ -0,0 +1,17 @@
+# Phase 21 (Track M.3) — Rack/Rails middleware vuln fixture.
+#
+# `AuditMiddleware#call(env)` splices `env['nyx.payload']` into a shell
+# command — classic Rack-middleware cmdi shape.
+
+class AuditMiddleware
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    payload = env['nyx.payload'] || env['QUERY_STRING'].to_s
+    # SINK: tainted env value concatenated into shell command.
+    system("echo " + payload.to_s)
+    @app.call(env)
+  end
+end