mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-06 19:35:13 +02:00
82f18184b1
* feat: Add const_bound_vars tracking to prevent false positives in ownership checks
* feat: Introduce field interner and typed bounded vars for enhanced type tracking
* feat: Add typed_call_receivers and typed_bounded_dto_fields for enhanced type tracking
* feat: Centralize method name extraction with bare_method_name helper
* feat: Implement Phase-6 hierarchy fan-out for runtime virtual dispatch
* feat: Enhance C++ taint tracking with additional container operations and inline method resolution
* feat: Introduce field-sensitive points-to analysis for enhanced resource tracking
* feat: Implement Pointer-Phase 6 subscript handling for enhanced container analysis
* test: Add comprehensive tests for JavaScript control flow constructs and lattice operations
* docs: Update advanced analysis documentation with field-sensitive points-to and hierarchy fan-out details
* test: Add comprehensive tests for lattice algebra laws and SSA edge cases
* feat: Add destructured session user handling and safe user ID access patterns
* feat: Implement row-population reverse-walk for enhanced authorization checks
* feat: Enhance authorization checks with local alias chain for self-actor types
* feat: Introduce ActiveRecord query safety checks and enhance snippet extraction
* feat: Implement chained method call inner-gate rebinding for SSRF prevention
* feat: Add observability and error modules, enhance debug functionality, and implement theme context
* feat: Remove Auth Analysis page and update navigation to redirect to Explorer
* feat: Optimize SSA lowering by sharing results between taint engine and artifact extractor
* feat: Optimize SSA lowering by sharing results between taint engine and artifact extractor
* feat: Reset path-safe-suppressed spans before lowering to maintain analysis integrity
* fix(ssa): ungate debug_assert_bfs_ordering for release-tests build
The helper at src/ssa/lower.rs was gated `#[cfg(debug_assertions)]` while
the unit test at the bottom of the file was gated only `#[cfg(test)]`.
Since `cfg(test)` is set in release builds with `--tests` but
`cfg(debug_assertions)` is not, `cargo build --release --tests` failed
with E0425. Removing the gate fixes the build; the body is `debug_assert!`
only, so the helper is free in release. Also drop the gate at the call
site to avoid a `dead_code` warning when the lib is built without
`--tests`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* test(closure-capture): flip JS/TS fixtures to required-finding
The JS and TS closure-capture fixtures pinned the old broken behaviour
via `forbidden_findings: [{ "id_prefix": "taint-" }]`. The engine now
correctly traces taint through the closure boundary (env source captured
by an arrow function, sunk via `child_process.exec` inside the body), so
the formerly-forbidden finding is a true positive.
Match the Python sibling's shape — `required_findings` with
`id_prefix` + `min_count` plus a small `noise_budget` — and rewrite the
companion READMEs and the phase8_fragility_tests doc-comments from
"known gap" to "regression guard".
Verified:
- cargo test --release --test phase8_fragility_tests → 8/8 pass
- cargo test --release --lib bfs_assertion → pass
- corpus benchmark F1 = 0.9976 (TP=205, FP=1, FN=0) — unchanged
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
* feat: Add OWASP mapping and baseline mutation hooks for enhanced security analysis
* feat: Introduce health module and enhance health score computation with calibration tests
* feat: Add expectations configuration and cleanup .gitignore for log files
* feat: Implement theme selection and enhance settings panel for triage sync
* feat: Suppress false positives for strcpy calls with literal sources in AST
* feat: Update analyse_function_ssa to return body CFG for accurate analysis
* feat: Add bug report and feature request templates for improved issue tracking
* feat: removed dev scripts
* feat: update README.md for clarity and consistency in fixture descriptions
* feat: removed dev docs
* feat: clean up error handling and UI elements for improved user experience
* feat: adjust button sizes in HeaderBar for better UI consistency
* feat: enhance taint analysis with additional context for sanitizer and taint findings
* cargo fmt
* prettier
* refactor: simplify conditional checks and improve code readability in AST and screenshot capture scripts
* feat: add script to frame PNG screenshots with brand gradient
* feat: add fuzzing support with new targets and CI workflows
* refactor: streamline match expressions and improve formatting in CLI and output handling
* feat: enhance configuration display with detailed output options
* feat: stage demo configuration for improved CLI screenshot output
* feat: expose merge_configs function for user-configurable settings
* refactor: simplify code structure and improve readability in config handling
* refactor: improve descriptions for vulnerability patterns in various languages
* feat: update MIT License section with additional usage details and copyright information
* feat: update screenshots
* refactor: update build process and paths for frontend assets
* feat: add cross-file taint fuzzing target and supporting dictionary
* refactor: clean up formatting and comments in fuzz configuration and example files
* refactor: remove outdated comments and clean up CI configuration files
* chore: update changelog dates and improve formatting in documentation
* refactor: update Cargo.toml and CI configuration for improved packaging and build process
* refactor: enhance quote-stripping logic to prevent panics and add regression tests
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
253 lines
3.7 KiB
Text
253 lines
3.7 KiB
Text
# libFuzzer dictionary for the Nyx fuzz targets.
|
|
#
|
|
# Each entry is a quoted string libFuzzer can splice into mutations. We bias
|
|
# toward tokens that unlock new tree-sitter / CFG / taint paths across the
|
|
# 10 supported languages, plus the synthetic helper names registered by
|
|
# `cross_file_taint` so call-site mutations resolve against `GlobalSummaries`
|
|
# instead of bouncing off as unknown calls.
|
|
#
|
|
# Format: one entry per line, `name="..."` or `"..."`. Lines starting with
|
|
# `#` are comments. C-style escapes (`\xNN`, `\n`, `\\`, `\"`) are honored.
|
|
|
|
# ── Punctuation / structural tokens ────────────────────────────────────
|
|
"{"
|
|
"}"
|
|
"("
|
|
")"
|
|
"["
|
|
"]"
|
|
";"
|
|
","
|
|
"."
|
|
"::"
|
|
"->"
|
|
"=>"
|
|
":="
|
|
":"
|
|
"="
|
|
"=="
|
|
"!="
|
|
"<="
|
|
">="
|
|
"&&"
|
|
"||"
|
|
"+"
|
|
"-"
|
|
"*"
|
|
"/"
|
|
"%"
|
|
"<"
|
|
">"
|
|
"!"
|
|
"&"
|
|
"|"
|
|
"^"
|
|
"~"
|
|
"?"
|
|
"#"
|
|
"@"
|
|
|
|
# ── Cross-language keywords ────────────────────────────────────────────
|
|
"if"
|
|
"else"
|
|
"elif"
|
|
"while"
|
|
"for"
|
|
"do"
|
|
"return"
|
|
"break"
|
|
"continue"
|
|
"switch"
|
|
"case"
|
|
"default"
|
|
"true"
|
|
"false"
|
|
"null"
|
|
"nil"
|
|
"None"
|
|
"undefined"
|
|
"void"
|
|
"int"
|
|
"float"
|
|
"double"
|
|
"char"
|
|
"bool"
|
|
"string"
|
|
"var"
|
|
"let"
|
|
"const"
|
|
"static"
|
|
"public"
|
|
"private"
|
|
"protected"
|
|
"new"
|
|
"this"
|
|
"self"
|
|
"super"
|
|
"class"
|
|
"struct"
|
|
"enum"
|
|
"interface"
|
|
"trait"
|
|
"impl"
|
|
"module"
|
|
"package"
|
|
"import"
|
|
"from"
|
|
"use"
|
|
"as"
|
|
"function"
|
|
"def"
|
|
"fn"
|
|
"func"
|
|
"sub"
|
|
"end"
|
|
"begin"
|
|
"try"
|
|
"catch"
|
|
"except"
|
|
"finally"
|
|
"raise"
|
|
"throw"
|
|
"throws"
|
|
"async"
|
|
"await"
|
|
"yield"
|
|
"lambda"
|
|
"match"
|
|
"with"
|
|
"in"
|
|
"of"
|
|
"is"
|
|
"not"
|
|
"and"
|
|
"or"
|
|
|
|
# ── Common literals / format strings ───────────────────────────────────
|
|
"\"\""
|
|
"\"x\""
|
|
"\"%s\""
|
|
"\"%d\""
|
|
"\"%v\""
|
|
"\"{}\""
|
|
"`x`"
|
|
"'x'"
|
|
"0"
|
|
"1"
|
|
"-1"
|
|
"0x0"
|
|
"0xff"
|
|
|
|
# ── Security-flavored function names (sources, sinks, sanitizers) ──────
|
|
"exec"
|
|
"eval"
|
|
"system"
|
|
"popen"
|
|
"shell_exec"
|
|
"passthru"
|
|
"spawn"
|
|
"execSync"
|
|
"execFile"
|
|
"Runtime.getRuntime"
|
|
"Process"
|
|
"Command"
|
|
"query"
|
|
"execute"
|
|
"executeQuery"
|
|
"prepare"
|
|
"raw_query"
|
|
"mysql_query"
|
|
"mysqli_query"
|
|
"pg_query"
|
|
"sqlite_query"
|
|
"unserialize"
|
|
"pickle.loads"
|
|
"yaml.load"
|
|
"json.loads"
|
|
"readObject"
|
|
"deserialize"
|
|
"escape"
|
|
"escapeshellarg"
|
|
"escapeshellcmd"
|
|
"htmlspecialchars"
|
|
"htmlentities"
|
|
"escape_html"
|
|
"sanitize"
|
|
"strip_tags"
|
|
"prepareStatement"
|
|
"PreparedStatement"
|
|
"parseFromString"
|
|
"setAttribute"
|
|
"innerHTML"
|
|
"document.write"
|
|
"window.location"
|
|
"location.href"
|
|
|
|
# ── Sources (taint origins) ────────────────────────────────────────────
|
|
"req.body"
|
|
"req.query"
|
|
"req.params"
|
|
"request.GET"
|
|
"request.POST"
|
|
"request.args"
|
|
"request.form"
|
|
"$_GET"
|
|
"$_POST"
|
|
"$_REQUEST"
|
|
"$_COOKIE"
|
|
"params"
|
|
"argv"
|
|
"stdin"
|
|
"getenv"
|
|
"env::var"
|
|
"os.environ"
|
|
"ENV"
|
|
"Console.ReadLine"
|
|
"input"
|
|
"raw_input"
|
|
"fgets"
|
|
"scanf"
|
|
"gets"
|
|
"http.Get"
|
|
"http.Post"
|
|
"reqwest::get"
|
|
"fetch"
|
|
"axios.get"
|
|
"file_get_contents"
|
|
"readFileSync"
|
|
|
|
# ── Common injection payload markers ───────────────────────────────────
|
|
"<script>"
|
|
"</script>"
|
|
"javascript:"
|
|
"onerror="
|
|
"onload="
|
|
"' OR '1'='1"
|
|
"'; DROP TABLE"
|
|
"UNION SELECT"
|
|
"--"
|
|
"/*"
|
|
"*/"
|
|
"../"
|
|
"..\\\\"
|
|
"/etc/passwd"
|
|
"file://"
|
|
"http://169.254.169.254"
|
|
"ldap://"
|
|
|
|
# ── Synthetic helpers used by `cross_file_taint` ───────────────────────
|
|
"nyx_taint_source"
|
|
"nyx_sanitize"
|
|
"nyx_dangerous_sink"
|
|
"nyx_pass_through"
|
|
|
|
# ── Tricky parser edge cases ───────────────────────────────────────────
|
|
"\"\\xff\\xff\""
|
|
"\"\\u0000\""
|
|
"\"\\n\\r\\t\""
|
|
"\"\\xc3\\x28\""
|
|
"<?php"
|
|
"?>"
|
|
"<?xml"
|
|
"#!/bin/sh"
|
|
"\"\\\\\""
|