apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

Browse source
This commit is contained in:
pitboss 2026-05-20 18:05:31 -05:00
parent 00b0fbaea9
commit f9bd51c024
84 changed files with 5898 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

10
tests/dynamic_fixtures/migration/prisma/benign.js Normal file
View file

@ -0,0 +1,10 @@
// Phase 21 — Prisma migration benign control.
const _NYX_ADAPTER_MARKER = "require('@prisma/client')";
async function up(name) {
const safe = String(name || process.env.NYX_PAYLOAD || 'users').replace(/[^A-Za-z0-9_]/g, '_');
const prisma = global.__nyx_prisma || { $executeRawUnsafe: async (s) => s };
return prisma.$executeRawUnsafe('CREATE INDEX idx_' + safe + ' ON users(name)');
}
module.exports = { up };

17
tests/dynamic_fixtures/migration/prisma/vuln.js Normal file
View file

@ -0,0 +1,17 @@
// Phase 21 (Track M.3) — Prisma migration vuln fixture.
//
// `up(name)` runs a raw DDL through `prisma.$executeRawUnsafe` —
// classic Prisma migration SQLi shape.
const _NYX_ADAPTER_MARKER = "require('@prisma/client')";
async function up(name) {
const target = name || process.env.NYX_PAYLOAD || 'users';
// The harness supplies a stubbed `prisma` shim via the synthetic
// migration entry path; we route through a module-level stub so the
// sink callee is statically present.
const prisma = global.__nyx_prisma || { $executeRawUnsafe: async (s) => s };
// SINK: tainted table name concatenated into raw DDL.
return prisma.$executeRawUnsafe('CREATE INDEX idx_' + target + ' ON users(name)');
}
module.exports = { up };