[08:29:43] Ensuring Python dependencies... [08:29:43] Dependencies ready. [08:29:43] /data/pruva/runs/300ca3f2-915a-47d5-84db-9fffaef2090f/bundle/artifacts/vt-fixed HEAD=54f944743efee7b9cbaaeafb5966c583d0d4ac66 [08:29:43] /data/pruva/runs/300ca3f2-915a-47d5-84db-9fffaef2090f/bundle/artifacts/vt-vuln HEAD=8cebccb9b301f962d11bf0fa8c6be9bf7d7e12f2 [08:29:43] Starting mock LLM on 127.0.0.1:19099 ... [08:29:44] ================ PHASE 1: Vulnerable v0.1.9 ================ [08:29:44] Starting API server (vuln) from /data/pruva/runs/300ca3f2-915a-47d5-84db-9fffaef2090f/bundle/artifacts/vt-vuln on 0.0.0.0:18899 ... [08:29:44] Waiting for API health (vuln)... [08:29:45] API healthy after 1s [08:29:45] vuln POST /sessions Host=rebind.attacker.test -> HTTP 201 [08:29:45] vuln POST /sessions Host=testserver -> HTTP 201 [08:29:45] vuln POST /sessions Host=localhost -> HTTP 201 [08:29:45] vuln session (attacker Host) = d78f6c722a7a [08:29:49] vuln RCE confirmed (attacker Host): RCE_CONFIRMED [08:29:52] ================ PHASE 2: Fixed v0.1.10 (default config) ================ [08:29:52] Starting API server (fixed-default) from /data/pruva/runs/300ca3f2-915a-47d5-84db-9fffaef2090f/bundle/artifacts/vt-fixed on 0.0.0.0:18899 ... [08:29:52] Waiting for API health (fixed-default)... [08:29:53] API healthy after 1s [08:29:53] fixed-default POST /sessions Host=rebind.attacker.test -> HTTP 403 [08:29:53] fixed-default POST /sessions Host=testserver -> HTTP 201 [08:29:53] fixed-default POST /sessions Host=localhost -> HTTP 201 [08:29:53] fixed-default: attacker Host=403 (expect 403), testserver Host=201 (201 = auth-bypass gap) [08:29:53] *** PARTIAL BYPASS: Host=testserver auth-bypasses on fixed v0.1.10 (HTTP 201) *** [08:29:53] fixed-default testserver session = f1721cfb12e3 [08:29:56] fixed-default testserver: NO RCE (bash tool gated by VIBE_TRADING_ENABLE_SHELL_TOOLS opt-in) [08:29:59] ================ PHASE 3: Fixed v0.1.10 (opted-in shell tools) ================ [08:29:59] Starting API server (fixed-optedin) from /data/pruva/runs/300ca3f2-915a-47d5-84db-9fffaef2090f/bundle/artifacts/vt-fixed on 0.0.0.0:18899 ... [08:29:59] Waiting for API health (fixed-optedin)... [08:30:00] API healthy after 1s [08:30:00] fixed-optedin attacker Host -> HTTP 403 [08:30:00] fixed-optedin POST /sessions Host=testserver -> HTTP 201 [08:30:00] fixed-optedin testserver session = b38edbc4a1e4 [08:30:04] *** fixed-optedin testserver RCE CONFIRMED: RCE_CONFIRMED *** [08:30:08] ================ VERDICT ================ [08:30:08] testserver auth bypass on fixed (default): yes [08:30:08] testserver RCE on fixed (default): no [08:30:08] testserver RCE on fixed (opted-in): yes [08:30:08] full DNS-rebinding-deliverable bypass: no [08:30:08] RESULT: no full DNS-rebinding RCE bypass on fixed version; testserver partial auth-bypass=yes, opted-in RCE=yes -> exit 1 [08:30:08] Cleaning up...