mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
67 lines
2.3 KiB
Rust
67 lines
2.3 KiB
Rust
//! Java `Cap::XXE` payloads — `DocumentBuilderFactory` / `SAXParser`.
|
|
//!
|
|
//! Vuln payload: an XML document declaring an external entity that
|
|
//! the harness's instrumented `DocumentBuilder.parse` resolves and
|
|
//! substitutes inside `<data>` — the parser writes a
|
|
//! `ProbeKind::Xxe { entity_expanded: true }` record once it sees the
|
|
//! entity body materialise.
|
|
//!
|
|
//! Benign control: a well-formed XML document with no doctype
|
|
//! declaration so the parser has no entity to resolve. The harness's
|
|
//! instrumented parser writes `entity_expanded: false`, the oracle
|
|
//! does not fire, and the differential rule (§4.1) stays clean.
|
|
|
|
use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
|
|
use crate::dynamic::oracle::ProbePredicate;
|
|
|
|
pub const PAYLOADS: &[CuratedPayload] = &[
|
|
CuratedPayload {
|
|
bytes: br#"<?xml version="1.0"?>
|
|
<!DOCTYPE data [
|
|
<!ENTITY xxe SYSTEM "file:///etc/hostname">
|
|
]>
|
|
<data>&xxe;</data>"#,
|
|
label: "xxe-java-doctype-entity",
|
|
oracle: Oracle::SinkProbe {
|
|
predicates: &[ProbePredicate::XxeEntityExpanded {
|
|
require_expanded: true,
|
|
}],
|
|
},
|
|
is_benign: false,
|
|
provenance: PayloadProvenance::Curated,
|
|
since_corpus_version: 9,
|
|
deprecated_at_corpus_version: None,
|
|
fixture_paths: &[
|
|
"tests/dynamic_fixtures/xxe/java/Vuln.java",
|
|
],
|
|
oob_nonce_slot: false,
|
|
probe_predicates: &[ProbePredicate::XxeEntityExpanded {
|
|
require_expanded: true,
|
|
}],
|
|
benign_control: Some(PayloadRef {
|
|
label: "xxe-java-benign",
|
|
}),
|
|
no_benign_control_rationale: None,
|
|
},
|
|
CuratedPayload {
|
|
bytes: br#"<?xml version="1.0"?>
|
|
<data>hello</data>"#,
|
|
label: "xxe-java-benign",
|
|
oracle: Oracle::SinkProbe {
|
|
predicates: &[ProbePredicate::XxeEntityExpanded {
|
|
require_expanded: true,
|
|
}],
|
|
},
|
|
is_benign: true,
|
|
provenance: PayloadProvenance::Curated,
|
|
since_corpus_version: 9,
|
|
deprecated_at_corpus_version: None,
|
|
fixture_paths: &[
|
|
"tests/dynamic_fixtures/xxe/java/Benign.java",
|
|
],
|
|
oob_nonce_slot: false,
|
|
probe_predicates: &[],
|
|
benign_control: None,
|
|
no_benign_control_rationale: None,
|
|
},
|
|
];
|