apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-12 19:55:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

Browse source
This commit is contained in:
pitboss 2026-05-20 18:05:31 -05:00
parent 00b0fbaea9
commit f9bd51c024
84 changed files with 5898 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

12
tests/dynamic_fixtures/migration/sequelize/benign.js Normal file
View file

@ -0,0 +1,12 @@
// Phase 21 — Sequelize benign control.
const _NYX_ADAPTER_MARKER = "queryInterface.createTable";
module.exports.up = async function (queryInterface, Sequelize) {
const name = (process.env.NYX_PAYLOAD || 'users').replace(/[^A-Za-z0-9_]/g, '_');
if (queryInterface && typeof queryInterface.addColumn === 'function') {
await queryInterface.addColumn(name, 'description', { type: 'TEXT' });
}
return 'addColumn(' + name + ')';
};
module.exports.down = async function () { return 'noop'; };

21
tests/dynamic_fixtures/migration/sequelize/vuln.js Normal file
View file

@ -0,0 +1,21 @@
// Phase 21 (Track M.3) — Sequelize migration vuln fixture.
//
// `up(queryInterface, Sequelize)` is the canonical migration entry
// point. This fixture builds a raw DDL string from an attacker-
// controlled table name and routes it through `queryInterface.sequelize.query`.
const _NYX_ADAPTER_MARKER = "queryInterface.createTable";
module.exports.up = async function (queryInterface, Sequelize) {
const name = process.env.NYX_PAYLOAD || 'users';
// SINK: tainted table name concatenated into raw DDL.
const sql = 'CREATE INDEX idx_' + name + ' ON users(name)';
if (queryInterface && queryInterface.sequelize && queryInterface.sequelize.query) {
await queryInterface.sequelize.query(sql);
}
return sql;
};
module.exports.down = async function (queryInterface, Sequelize) {
// benign in the down direction.
return 'DROP INDEX idx_users';
};