mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
37 lines
1.6 KiB
Python
37 lines
1.6 KiB
Python
# Phase 08 (Track J.6) — Python raw-socket HEADER_INJECTION vuln fixture.
|
|
#
|
|
# Writes the response status line and headers directly to the wire via
|
|
# `self.wfile.write`, bypassing the framework-level CRLF validator that
|
|
# werkzeug / Flask / axum / Tomcat would otherwise interpose. A payload
|
|
# carrying `\r\nSet-Cookie: ...` splits the single Set-Cookie header
|
|
# into two on the wire, producing the canonical smuggled-second-header
|
|
# shape that `ProbeKind::HeaderWireFrame` is designed to catch.
|
|
#
|
|
# The harness (`src/dynamic/lang/python.rs::emit_header_injection_harness`)
|
|
# detects the `BaseHTTPRequestHandler` import in this file and routes
|
|
# through the tier-(b) wire-frame branch: boot `HTTPServer` on a
|
|
# loopback port, issue one `GET /` over a raw socket, read the bytes
|
|
# the handler wrote to the response socket, and emit them as a
|
|
# `ProbeKind::HeaderWireFrame` record.
|
|
from http.server import BaseHTTPRequestHandler
|
|
|
|
|
|
class VulnHandler(BaseHTTPRequestHandler):
|
|
# Set by the harness before each request. Bytes go straight onto
|
|
# the wire with no encoding pass.
|
|
cookie_value: bytes = b""
|
|
|
|
def do_GET(self):
|
|
body = b"ok\n"
|
|
raw = (
|
|
b"HTTP/1.0 200 OK\r\n"
|
|
b"Content-Length: " + str(len(body)).encode("ascii") + b"\r\n"
|
|
b"Set-Cookie: " + self.__class__.cookie_value + b"\r\n"
|
|
b"\r\n"
|
|
) + body
|
|
self.wfile.write(raw)
|
|
|
|
def log_message(self, *args, **kwargs):
|
|
# Silence default stderr logging so the harness captures only
|
|
# the probe + sink-hit sentinel.
|
|
return
|