[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

2026-06-18 20:15:14 +02:00 · 2026-05-20 18:05:31 -05:00 · 2026-05-20 18:05:31 -05:00 · f9bd51c024
commit f9bd51c024
parent 00b0fbaea9
84 changed files with 5898 additions and 40 deletions
--- a/tests/dynamic_fixtures/migration/rails/benign.rb
+++ b/tests/dynamic_fixtures/migration/rails/benign.rb
@ -0,0 +1,12 @@
+# Phase 21 — Rails migration benign control.
+# class AddIndex < ActiveRecord::Migration[7.0]
+
+class AddIndex
+  def up
+    add_column :users, :name, :string
+  end
+
+  def add_column(table, name, type)
+    puts "MIGRATION_ADD_COLUMN: #{table}.#{name} :: #{type}"
+  end
+end
--- a/tests/dynamic_fixtures/migration/rails/vuln.rb
+++ b/tests/dynamic_fixtures/migration/rails/vuln.rb
@ -0,0 +1,23 @@
+# Phase 21 (Track M.3) — Rails ActiveRecord migration vuln fixture.
+#
+# `AddIndex#up` invokes `execute(...)` with a raw, attacker-controlled
+# table name concatenated into DDL — classic Rails migration SQLi.
+
+# class AddIndex < ActiveRecord::Migration[7.0]
+
+class AddIndex
+  attr_accessor :table_name
+
+  def up
+    name = @table_name || ENV['NYX_PAYLOAD'].to_s
+    # SINK: tainted table name spliced into raw DDL.
+    execute("CREATE INDEX idx_#{name} ON users(name)")
+  end
+
+  def execute(sql)
+    # The harness only asserts that execute() is invoked with the
+    # tainted SQL string.  A real ActiveRecord::Base.connection would
+    # forward to the DB driver.
+    puts "MIGRATION_SQL: #{sql}"
+  end
+end