=== PHASE 1: repository setup === [INFO] Vulnerable commit: be1b52227e1ade9a3be9836391ade45eb1a26909 [INFO] Fixed commit: 4018e7b0c39825a5647fb17fc5607d72fb4bc0ce [INFO] Latest origin/master commit: f296d4ba14c5d512429219b2b7845673e0fe524d [INFO] Static patch check passed: vulnerable UI has /save-document sink; fixed/latest do not. === PHASE 2: Python dependency setup === [SETUP] Vulnerable ui_server module: /data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/worktrees/feast-vuln/sdk/python/feast/ui_server.py [SETUP] Fixed ui_server module: /data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/worktrees/feast-fixed/sdk/python/feast/ui_server.py === PHASE 3: Create isolated Feast feature repository === === PHASE 4: Vulnerable UI alternate-entrypoint proof === [SERVER] Started UI server PID=48182 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_variant/vuln_ui_writer.log code_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/worktrees/feast-vuln/sdk/python cwd=/ [EXPLOIT] Sending unauthenticated POST to vulnerable Feast Web UI /save-document {"success":true,"saved_to":"/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/artifacts/feature_repo_ui/ui_variant_static_artifacts-labels.json"} [EXPLOIT] Vulnerable UI endpoint wrote product-consumed config: /data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/artifacts/feature_repo_ui/ui_variant_static_artifacts-labels.json [SERVER] Started Feature Server PID=48246 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_variant/vuln_feature_consumer.log code_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/worktrees/feast-vuln/sdk/python cwd=/ [RCE] UI variant marker: FEAST_UI_SAVE_DOCUMENT_VARIANT_RCE id: cannot find name for group ID 969 uid=1000(vscode) gid=1000(vscode) groups=1000(vscode),969(969) / written_by=Feast Web UI /save-document executed_by=Feast feature_server load_static_artifacts === PHASE 5: Fixed UI negative control === [SERVER] Started UI server PID=48319 log=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/logs/vuln_variant/fixed_ui_writer.log code_path=/data/pruva/runs/bc1d60be-d7b6-4381-871c-499226292861/bundle/vuln_variant/worktrees/feast-fixed/sdk/python cwd=/ [FIXED] /save-document status on patched UI server: 405 === VARIANT STAGE COMPLETE === Confirmed alternate entrypoint: vulnerable Feast Web UI /save-document reaches the same arbitrary JSON write sink and RCE chain. Patch bypass: no. Fixed commit 4018e7b0c39825a5647fb17fc5607d72fb4bc0ce and latest f296d4ba14c5d512429219b2b7845673e0fe524d remove the document endpoints.