[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration

This commit is contained in:
pitboss 2026-05-20 18:05:31 -05:00
parent 00b0fbaea9
commit f9bd51c024
84 changed files with 5898 additions and 40 deletions

View file

@ -0,0 +1,9 @@
"""Phase 21 — Celery scheduled-task benign control."""
import os
import shlex
_NYX_ADAPTER_MARKER = "from celery import shared_task"
def tick(payload):
os.system("echo " + shlex.quote(str(payload)))

View file

@ -0,0 +1,15 @@
"""Phase 21 (Track M.3) — Celery scheduled-task vuln fixture.
`tick(payload)` is a Celery task that splices the payload bytes into a
shell command via `os.system`. An attacker who can enqueue a task with
arbitrary bytes can inject shell metacharacters.
"""
import os
_NYX_ADAPTER_MARKER = "from celery import shared_task"
_NYX_DECORATOR_MARKER = "@shared_task"
def tick(payload):
# SINK: tainted payload concatenated into shell command.
os.system("echo " + str(payload))

View file

@ -0,0 +1,9 @@
// Phase 21 — node-cron benign control.
const _NYX_ADAPTER_MARKER = "require('node-cron')";
const _NYX_SCHEDULE_MARKER = "cron.schedule('*/5 * * * *', tick)";
function tick(payload) {
return 'tick: ' + JSON.stringify(payload);
}
module.exports = { tick };

View file

@ -0,0 +1,17 @@
// Phase 21 (Track M.3) — node-cron scheduled-job vuln fixture.
//
// `tick(payload)` is a job registered with `cron.schedule(...)` that
// splices the payload into a child-process command. An attacker who
// can stage payload bytes into the job's input source can inject
// shell metacharacters.
const _NYX_ADAPTER_MARKER = "require('node-cron')";
const _NYX_SCHEDULE_MARKER = "cron.schedule('*/5 * * * *', tick)";
const { execSync } = require('child_process');
function tick(payload) {
// SINK: tainted payload concatenated into shell command.
return execSync('echo ' + String(payload)).toString();
}
module.exports = { tick };

View file

@ -0,0 +1,8 @@
// Phase 21 Quartz benign control.
// org.quartz.Job marker (substring scan only).
public class Benign {
public void execute(String payload) {
System.out.println("scheduled: " + payload.replaceAll("[^A-Za-z0-9 _.-]", "_"));
}
}

View file

@ -0,0 +1,16 @@
// Phase 21 (Track M.3) Quartz scheduled-job vuln fixture.
//
// `Vuln` implements the Quartz `Job` interface (substring-marker only
// the real `org.quartz.Job` symbol is not on the JDK classpath).
// `execute(JobExecutionContext)` splices the payload into a shell
// command via `Runtime.exec`, the classic Quartz job cmdi shape.
// org.quartz.Job marker (substring scan only not a real import).
// @DisallowConcurrentExecution
public class Vuln {
public void execute(String payload) throws Exception {
// SINK: tainted payload concatenated into shell command.
Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "echo " + payload });
}
}

View file

@ -0,0 +1,10 @@
# Phase 21 — Sidekiq benign control.
# include Sidekiq::Worker
require 'shellwords'
class TickWorker
def perform(payload)
system("echo " + Shellwords.escape(payload.to_s))
end
end

View file

@ -0,0 +1,20 @@
# Phase 21 (Track M.3) — Sidekiq scheduled-job vuln fixture.
#
# `TickWorker` includes the Sidekiq::Worker mixin (substring marker
# only — the real Sidekiq gem is not loaded). `perform(payload)`
# splices the payload into a shell command via Kernel#system, the
# classic worker cmdi shape.
# include Sidekiq::Worker
# sidekiq_options queue: :default
class TickWorker
def self.included_modules
[:'Sidekiq::Worker']
end
def perform(payload)
# SINK: tainted payload concatenated into shell command.
system("echo " + payload.to_s)
end
end