/// SSRF — negative fixture.
///
/// Safe by construction: the resource location is a fixed literal, and the
/// caller-supplied `payload` only ever appears as the value of the `q` query
/// parameter, after the `?`, so it cannot change the scheme, host or path.
/// Expected verdict: NotConfirmed.
/// Cap: SSRF Entry: `run(payload: &str)`
pub fn run(payload: &str) {
    use std::io::Write;

    // `payload` is interpolated as-is, with no percent-encoding. That is
    // harmless here because `target` is never dereferenced: it is only echoed
    // in the fallback message below. Code that actually fetched such a URL
    // should encode the value so it cannot spill into extra query keys or a
    // fragment.
    let target = format!("file:///tmp/safe_data?q={}", payload);

    // Emit the sink marker and push it out of the stdout buffer; the flush
    // result is deliberately ignored.
    println!("__NYX_SINK_HIT__");
    let _ = std::io::stdout().flush();

    // The read goes to a hard-coded path; nothing derived from `payload`
    // reaches the filesystem call.
    let fixed_path = "/tmp/safe_data";
    if let Ok(body) = std::fs::read_to_string(fixed_path) {
        print!("{}", body);
    } else {
        println!("resource not available (expected in test): {}", target);
    }
}