[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

2026-06-15 20:05:13 +02:00 · 2026-05-20 18:05:31 -05:00 · 2026-05-20 18:05:31 -05:00 · f9bd51c024
commit f9bd51c024
parent 00b0fbaea9
84 changed files with 5898 additions and 40 deletions
--- a/tests/dynamic_fixtures/migration/flask/benign.py
+++ b/tests/dynamic_fixtures/migration/flask/benign.py
@ -0,0 +1,8 @@
+"""Phase 21 — Alembic benign control."""
+_NYX_ADAPTER_MARKER = "from alembic import op"
+revision = "deadbeef0001"
+
+
+def upgrade(column_name="email"):
+    safe = "".join(c for c in str(column_name) if c.isalnum() or c == "_")
+    return "ALTER TABLE users ADD COLUMN " + safe + " TEXT"
--- a/tests/dynamic_fixtures/migration/flask/vuln.py
+++ b/tests/dynamic_fixtures/migration/flask/vuln.py
@ -0,0 +1,22 @@
+"""Phase 21 (Track M.3) — Flask-Migrate / Alembic migration vuln.
+
+Alembic revisions declare an `upgrade()` function that issues DDL
+through `op.execute(...)`.  The vuln fixture splices a tainted column
+name into the statement via raw string concat.
+"""
+_NYX_ADAPTER_MARKER = "from alembic import op"
+revision = "abc123def4"
+down_revision = None
+
+
+class _Op:
+    def execute(self, sql):
+        print("ALEMBIC_SQL:", sql)
+
+
+op = _Op()
+
+
+def upgrade(column_name="email"):
+    # SINK: tainted column name spliced into raw DDL.
+    op.execute("ALTER TABLE users ADD COLUMN " + str(column_name) + " TEXT")