mirror of
https://github.com/elicpeter/nyx.git
synced 2026-07-03 20:41:00 +02:00
[pitboss] phase 21: Track M.3 — ScheduledJob + GraphQLResolver + WebSocket + Middleware + Migration
This commit is contained in:
parent
00b0fbaea9
commit
f9bd51c024
84 changed files with 5898 additions and 40 deletions
9
tests/dynamic_fixtures/scheduled_job/celery/benign.py
Normal file
9
tests/dynamic_fixtures/scheduled_job/celery/benign.py
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
"""Phase 21 — Celery scheduled-task benign control."""
|
||||
import os
|
||||
import shlex
|
||||
|
||||
_NYX_ADAPTER_MARKER = "from celery import shared_task"
|
||||
|
||||
|
||||
def tick(payload):
|
||||
os.system("echo " + shlex.quote(str(payload)))
|
||||
15
tests/dynamic_fixtures/scheduled_job/celery/vuln.py
Normal file
15
tests/dynamic_fixtures/scheduled_job/celery/vuln.py
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
"""Phase 21 (Track M.3) — Celery scheduled-task vuln fixture.
|
||||
|
||||
`tick(payload)` is a Celery task that splices the payload bytes into a
|
||||
shell command via `os.system`. An attacker who can enqueue a task with
|
||||
arbitrary bytes can inject shell metacharacters.
|
||||
"""
|
||||
import os
|
||||
|
||||
_NYX_ADAPTER_MARKER = "from celery import shared_task"
|
||||
_NYX_DECORATOR_MARKER = "@shared_task"
|
||||
|
||||
|
||||
def tick(payload):
|
||||
# SINK: tainted payload concatenated into shell command.
|
||||
os.system("echo " + str(payload))
|
||||
9
tests/dynamic_fixtures/scheduled_job/cron/benign.js
Normal file
9
tests/dynamic_fixtures/scheduled_job/cron/benign.js
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
// Phase 21 — node-cron benign control.
|
||||
const _NYX_ADAPTER_MARKER = "require('node-cron')";
|
||||
const _NYX_SCHEDULE_MARKER = "cron.schedule('*/5 * * * *', tick)";
|
||||
|
||||
function tick(payload) {
|
||||
return 'tick: ' + JSON.stringify(payload);
|
||||
}
|
||||
|
||||
module.exports = { tick };
|
||||
17
tests/dynamic_fixtures/scheduled_job/cron/vuln.js
Normal file
17
tests/dynamic_fixtures/scheduled_job/cron/vuln.js
Normal file
|
|
@ -0,0 +1,17 @@
|
|||
// Phase 21 (Track M.3) — node-cron scheduled-job vuln fixture.
|
||||
//
|
||||
// `tick(payload)` is a job registered with `cron.schedule(...)` that
|
||||
// splices the payload into a child-process command. An attacker who
|
||||
// can stage payload bytes into the job's input source can inject
|
||||
// shell metacharacters.
|
||||
const _NYX_ADAPTER_MARKER = "require('node-cron')";
|
||||
const _NYX_SCHEDULE_MARKER = "cron.schedule('*/5 * * * *', tick)";
|
||||
|
||||
const { execSync } = require('child_process');
|
||||
|
||||
function tick(payload) {
|
||||
// SINK: tainted payload concatenated into shell command.
|
||||
return execSync('echo ' + String(payload)).toString();
|
||||
}
|
||||
|
||||
module.exports = { tick };
|
||||
8
tests/dynamic_fixtures/scheduled_job/quartz/Benign.java
Normal file
8
tests/dynamic_fixtures/scheduled_job/quartz/Benign.java
Normal file
|
|
@ -0,0 +1,8 @@
|
|||
// Phase 21 — Quartz benign control.
|
||||
// org.quartz.Job marker (substring scan only).
|
||||
|
||||
public class Benign {
|
||||
public void execute(String payload) {
|
||||
System.out.println("scheduled: " + payload.replaceAll("[^A-Za-z0-9 _.-]", "_"));
|
||||
}
|
||||
}
|
||||
16
tests/dynamic_fixtures/scheduled_job/quartz/Vuln.java
Normal file
16
tests/dynamic_fixtures/scheduled_job/quartz/Vuln.java
Normal file
|
|
@ -0,0 +1,16 @@
|
|||
// Phase 21 (Track M.3) — Quartz scheduled-job vuln fixture.
|
||||
//
|
||||
// `Vuln` implements the Quartz `Job` interface (substring-marker only
|
||||
// — the real `org.quartz.Job` symbol is not on the JDK classpath).
|
||||
// `execute(JobExecutionContext)` splices the payload into a shell
|
||||
// command via `Runtime.exec`, the classic Quartz job cmdi shape.
|
||||
|
||||
// org.quartz.Job marker (substring scan only — not a real import).
|
||||
// @DisallowConcurrentExecution
|
||||
|
||||
public class Vuln {
|
||||
public void execute(String payload) throws Exception {
|
||||
// SINK: tainted payload concatenated into shell command.
|
||||
Runtime.getRuntime().exec(new String[] { "/bin/sh", "-c", "echo " + payload });
|
||||
}
|
||||
}
|
||||
10
tests/dynamic_fixtures/scheduled_job/sidekiq/benign.rb
Normal file
10
tests/dynamic_fixtures/scheduled_job/sidekiq/benign.rb
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
# Phase 21 — Sidekiq benign control.
|
||||
# include Sidekiq::Worker
|
||||
|
||||
require 'shellwords'
|
||||
|
||||
class TickWorker
|
||||
def perform(payload)
|
||||
system("echo " + Shellwords.escape(payload.to_s))
|
||||
end
|
||||
end
|
||||
20
tests/dynamic_fixtures/scheduled_job/sidekiq/vuln.rb
Normal file
20
tests/dynamic_fixtures/scheduled_job/sidekiq/vuln.rb
Normal file
|
|
@ -0,0 +1,20 @@
|
|||
# Phase 21 (Track M.3) — Sidekiq scheduled-job vuln fixture.
|
||||
#
|
||||
# `TickWorker` includes the Sidekiq::Worker mixin (substring marker
|
||||
# only — the real Sidekiq gem is not loaded). `perform(payload)`
|
||||
# splices the payload into a shell command via Kernel#system, the
|
||||
# classic worker cmdi shape.
|
||||
|
||||
# include Sidekiq::Worker
|
||||
# sidekiq_options queue: :default
|
||||
|
||||
class TickWorker
|
||||
def self.included_modules
|
||||
[:'Sidekiq::Worker']
|
||||
end
|
||||
|
||||
def perform(payload)
|
||||
# SINK: tainted payload concatenated into shell command.
|
||||
system("echo " + payload.to_s)
|
||||
end
|
||||
end
|
||||
Loading…
Add table
Add a link
Reference in a new issue