{
  "entrypoint_kind": "api_local_loopback",
  "entrypoint_detail": "HTTP GET to /debug/pprof/cmdline on the JuiceFS debug agent, which listens on the loopback address 127.0.0.1:6060 (started by cmd/main.go:336 for every subcommand unless --no-agent is passed). Reachable only from the same host (verified loopback_only: connection refused from non-loopback host IP 172.20.0.11), so the exposure is to local users and processes on that host.",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": ["redis", "juicefs-gateway (debug agent enabled)"],
  "tested_versions": {
    "vulnerable": {
      "commit": "f60a90fc0ad52d2bb1f44f38a04d55044fc91d50",
      "binary": "/data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-vuln"
    },
    "fixed": {
      "commit": "a46979cdd4082217081ee99b931ddc53d038e47a",
      "binary": "/data/pruva/project-cache/7ad83e4b-d63b-4731-bc8c-ea459a1a8720/juicefs-fixed"
    }
  },
  "runtime_observations": {
    "vuln_metrics_pprof": "200",
    "vuln_debug_agent_cmdline": "200 (leaks s3cr3tPass on 127.0.0.1:6060)",
    "fixed_metrics_pprof": "404",
    "fixed_metrics_endpoint": "200 (no regression)",
    "fixed_debug_agent_cmdline": "200 (leaks s3cr3tPass on 127.0.0.1:6060 — variant on fixed version)",
    "fixed_debug_agent_other_pprof": {"heap": "200", "goroutine": "200", "allocs": "200", "threadcreate": "200", "block": "200", "/debug/pprof/": "301", "profile": "blocks (DoS surface)"},
    "fixed_debug_agent_nonloopback_reachability": "refused (loopback_only)",
    "fixed_no_agent": "debug agent not listening (disabled)"
  },
  "proof_artifacts": [
    "bundle/vuln_variant/reproduction_steps.sh",
    "bundle/vuln_variant/variant_runtime_result.json",
    "bundle/logs/vuln_variant/variant-run-6.log",
    "bundle/logs/vuln_variant/variant-run-7.log",
    "bundle/logs/vuln_variant/fixed-debugagent-cmdline.txt",
    "bundle/logs/vuln_variant/vuln-debugagent-cmdline.txt",
    "bundle/logs/vuln_variant/fixed_version.txt",
    "bundle/logs/vuln_variant/gateway-vuln.log",
    "bundle/logs/vuln_variant/gateway-fixed.log",
    "bundle/logs/vuln_variant/gateway-fixed-noagent.log"
  ],
  "notes": "Runtime-backed variant: on the FIXED commit a46979cd, the debug agent (cmd/main.go:336; the nil handler makes the server fall back to http.DefaultServeMux, where the pprof handlers are registered) still exposes /debug/pprof/cmdline. That endpoint returns the process command line, so it leaks the Redis metadata credential to any local process that can connect to 127.0.0.1:6060. The remote metrics surface is correctly closed (404). The debug agent is localhost-only; --no-agent disables it. Idempotent: runs #6 and #7 both exit 0 with identical results."
}
