strix-agent 0.1.18__py3-none-any.whl → 0.3.1__py3-none-any.whl

strix/prompts/vulnerabilities/insecure_file_uploads.jinja

@@ -0,0 +1,188 @@
+<insecure_file_uploads_guide>
+<title>INSECURE FILE UPLOADS</title>
+
+<critical>Upload surfaces are high risk: server-side execution (RCE), stored XSS, malware distribution, storage takeover, and DoS. Modern stacks mix direct-to-cloud uploads, background processors, and CDNs—authorization and validation must hold across every step.</critical>
+
+<scope>
+- Web/mobile/API uploads, direct-to-cloud (S3/GCS/Azure) presigned flows, resumable/multipart protocols (tus, S3 MPU)
+- Image/document/media pipelines (ImageMagick/GraphicsMagick, Ghostscript, ExifTool, PDF engines, office converters)
+- Admin/bulk importers, archive uploads (zip/tar), report/template uploads, rich text with attachments
+- Serving paths: app directly, object storage, CDN, email attachments, previews/thumbnails
+</scope>
+
+<methodology>
+1. Map the pipeline: client → ingress (edge/app/gateway) → storage → processors (thumb, OCR, AV, CDR) → serving (app/storage/CDN). Note where validation and auth occur.
+2. Identify allowed types, size limits, filename rules, storage keys, and who serves the content. Collect baseline uploads per type and capture resulting URLs and headers.
+3. Exercise bypass families systematically: extension games, MIME/content-type, magic bytes, polyglots, metadata payloads, archive structure, chunk/finalize differentials.
+4. Validate execution and rendering: can uploaded content execute on server or client? Confirm with minimal PoCs and headers analysis.
+</methodology>
+
+<discovery_techniques>
+<surface_map>
+- Endpoints/fields: upload, file, avatar, image, attachment, import, media, document, template
+- Direct-to-cloud params: key, bucket, acl, Content-Type, Content-Disposition, x-amz-meta-*, cache-control
+- Resumable APIs: create/init → upload/chunk → complete/finalize; check if metadata/headers can be altered late
+- Background processors: thumbnails, PDF→image, virus scan queues; identify timing and status transitions
+</surface_map>
+
+<capability_probes>
+- Small probe files of each claimed type; diff resulting Content-Type, Content-Disposition, and X-Content-Type-Options on download
+- Magic bytes vs extension: JPEG/GIF/PNG headers; mismatches reveal reliance on extension or MIME sniffing
+- SVG/HTML probe: do they render inline (text/html or image/svg+xml) or download (attachment)?
+- Archive probe: simple zip with nested path traversal entries and symlinks to detect extraction rules
+</capability_probes>
+</discovery_techniques>
+
+<detection_channels>
+<server_execution>
+- Web shell execution (language dependent), config/handler uploads (.htaccess, .user.ini, web.config) enabling execution
+- Interpreter-side template/script evaluation during conversion (ImageMagick/Ghostscript/ExifTool)
+</server_execution>
+
+<client_execution>
+- Stored XSS via SVG/HTML/JS if served inline without correct headers; PDF JavaScript; office macros in previewers
+</client_execution>
+
+<header_and_render>
+- Missing X-Content-Type-Options: nosniff enabling browser sniff to script
+- Content-Type reflection from upload vs server-set; Content-Disposition: inline vs attachment
+</header_and_render>
+
+<process_side_effects>
+- AV/CDR race or absence; background job status allows access before scan completes; password-protected archives bypass scanning
+</process_side_effects>
+</detection_channels>
+
+<core_payloads>
+<web_shells_and_configs>
+- PHP: GIF polyglot (starts with GIF89a) followed by <?php echo 1; ?>; place where PHP is executed
+- .htaccess to map extensions to code (AddType/AddHandler); .user.ini (auto_prepend/append_file) for PHP-FPM
+- ASP/JSP equivalents where supported; IIS web.config to enable script execution
+</web_shells_and_configs>
+
+<stored_xss>
+- SVG with onload/onerror handlers served as image/svg+xml or text/html
+- HTML file with script when served as text/html or sniffed due to missing nosniff
+</stored_xss>
+
+<mime_magic_polyglots>
+- Double extensions: avatar.jpg.php, report.pdf.html; mixed casing: .pHp, .PhAr
+- Magic-byte spoofing: valid JPEG header then embedded script; verify server uses content inspection, not extensions alone
+</mime_magic_polyglots>
+
+<archive_attacks>
+- Zip Slip: entries with ../../ to escape extraction dir; symlink-in-zip pointing outside target; nested zips
+- Zip bomb: extreme compression ratios (e.g., 42.zip) to exhaust resources in processors
+</archive_attacks>
+
+<toolchain_exploits>
+- ImageMagick/GraphicsMagick legacy vectors (policy.xml may mitigate): crafted SVG/PS/EPS invoking external commands or reading files
+- Ghostscript in PDF/PS with file operators (%pipe%)
+- ExifTool metadata parsing bugs; overly large or crafted EXIF/IPTC/XMP fields
+</toolchain_exploits>
+
+<cloud_storage_vectors>
+- S3/GCS presigned uploads: attacker controls Content-Type/Disposition; set text/html or image/svg+xml and inline rendering
+- Public-read ACL or permissive bucket policies expose uploads broadly; object key injection via user-controlled path prefixes
+- Signed URL reuse and stale URLs; serving directly from bucket without attachment + nosniff headers
+</cloud_storage_vectors>
+</core_payloads>
+
+<advanced_techniques>
+<resumable_multipart>
+- Change metadata between init and complete (e.g., swap Content-Type/Disposition at finalize)
+- Upload benign chunks, then swap last chunk or complete with different source if server trusts client-side digests only
+</resumable_multipart>
+
+<filename_and_path>
+- Unicode homoglyphs, trailing dots/spaces, device names, reserved characters to bypass validators and filesystem rules
+- Null-byte truncation on legacy stacks; overlong paths; case-insensitive collisions overwriting existing files
+</filename_and_path>
+
+<processing_races>
+- Request file immediately after upload but before AV/CDR completes; or during derivative creation to get unprocessed content
+- Trigger heavy conversions (large images, deep PDFs) to widen race windows
+</processing_races>
+
+<metadata_abuse>
+- Oversized EXIF/XMP/IPTC blocks to trigger parser flaws; payloads in document properties of Office/PDF rendered by previewers
+</metadata_abuse>
+
+<header_manipulation>
+- Force inline rendering with Content-Type + inline Content-Disposition; test browsers with and without nosniff
+- Cache poisoning via CDN with keys missing Vary on Content-Type/Disposition
+</header_manipulation>
+</advanced_techniques>
+
+<filter_bypasses>
+<validation_gaps>
+- Client-side only checks; relying on JS/MIME provided by browser; trusting multipart boundary part headers blindly
+- Extension allowlists without server-side content inspection; magic-bytes only without full parsing
+</validation_gaps>
+
+<evasion_tricks>
+- Double extensions, mixed case, hidden dotfiles, extra dots (file..png), long paths with allowed suffix
+- Multipart name vs filename vs path discrepancies; duplicate parameters and late parameter precedence
+</evasion_tricks>
+</filter_bypasses>
+
+<special_contexts>
+<rich_text_editors>
+- RTEs allow image/attachment uploads and embed links; verify sanitization and serving headers for embedded content
+</rich_text_editors>
+
+<mobile_clients>
+- Mobile SDKs may send nonstandard MIME or metadata; servers sometimes trust client-side transformations or EXIF orientation
+</mobile_clients>
+
+<serverless_and_cdn>
+- Direct-to-bucket uploads with Lambda/Workers post-processing; verify that security decisions are not delegated to frontends
+- CDN caching of uploaded content; ensure correct cache keys and headers (attachment, nosniff)
+</serverless_and_cdn>
+</special_contexts>
+
+<parser_hardening>
+- Validate on server: strict allowlist by true type (parse enough to confirm), size caps, and structural checks (dimensions, page count)
+- Strip active content: convert SVG→PNG; remove scripts/JS from PDF; disable macros; normalize EXIF; consider CDR for risky types
+- Store outside web root; serve via application or signed, time-limited URLs with Content-Disposition: attachment and X-Content-Type-Options: nosniff
+- For cloud: private buckets, per-request signed GET, enforce Content-Type/Disposition on GET responses from your app/gateway
+- Disable execution in upload paths; ignore .htaccess/.user.ini; sanitize keys to prevent path injections; randomize filenames
+- AV + CDR: scan synchronously when possible; quarantine until verdict; block password-protected archives or process in sandbox
+</parser_hardening>
+
+<validation>
+1. Demonstrate execution or rendering of active content: web shell reachable, or SVG/HTML executing JS when viewed.
+2. Show filter bypass: upload accepted despite restrictions (extension/MIME/magic mismatch) with evidence on retrieval.
+3. Prove header weaknesses: inline rendering without nosniff or missing attachment; present exact response headers.
+4. Show race or pipeline gap: access before AV/CDR; extraction outside intended directory; derivative creation from malicious input.
+5. Provide reproducible steps: request/response for upload and subsequent access, with minimal PoCs.
+</validation>
+
+<false_positives>
+- Upload stored but never served back; or always served as attachment with strict nosniff
+- Converters run in locked-down sandboxes with no external IO and no script engines; no path traversal on archive extraction
+- AV/CDR blocks the payload and quarantines; access before scan is impossible by design
+</false_positives>
+
+<impact>
+- Remote code execution on application stack or media toolchain host
+- Persistent cross-site scripting and session/token exfiltration via served uploads
+- Malware distribution via public storage/CDN; brand/reputation damage
+- Data loss or corruption via overwrite/zip slip; service degradation via zip bombs or oversized assets
+</impact>
+
+<pro_tips>
+1. Keep PoCs minimal: tiny SVG/HTML for XSS, a single-line PHP/ASP where relevant, and benign magic-byte polyglots.
+2. Always capture download response headers and final MIME from the server/CDN; that decides browser behavior.
+3. Prefer transforming risky formats to safe renderings (SVG→PNG) rather than attempting complex sanitization.
+4. In presigned flows, constrain all headers and object keys server-side; ignore client-supplied ACL and metadata.
+5. For archives, extract in a chroot/jail with explicit allowlist; drop symlinks and reject traversal.
+6. Test finalize/complete steps in resumable flows; many validations only run on init, not at completion.
+7. Verify background processors with EICAR and tiny polyglots; ensure quarantine gates access until safe.
+8. When you cannot get execution, aim for stored XSS or header-driven script execution; both are impactful.
+9. Validate that CDNs honor attachment/nosniff and do not override Content-Type/Disposition.
+10. Document full pipeline behavior per asset type; defenses must match actual processors and serving paths.
+</pro_tips>
+
+<remember>Secure uploads are a pipeline property. Enforce strict type, size, and header controls; transform or strip active content; never execute or inline-render untrusted uploads; and keep storage private with controlled, signed access.</remember>
+</insecure_file_uploads_guide>

strix/prompts/vulnerabilities/mass_assignment.jinja

@@ -0,0 +1,141 @@
+<mass_assignment_guide>
+<title>MASS ASSIGNMENT</title>
+
+<critical>Mass assignment binds client-supplied fields directly into models/DTOs without field-level allowlists. It commonly leads to privilege escalation, ownership changes, and unauthorized state transitions in modern APIs and GraphQL.</critical>
+
+<scope>
+- REST/JSON, GraphQL inputs, form-encoded and multipart bodies
+- Model binding in controllers/resolvers; ORM create/update helpers
+- Writable nested relations, sparse/patch updates, bulk endpoints
+</scope>
+
+<methodology>
+1. Identify create/update endpoints and GraphQL mutations. Capture full server responses to observe returned fields.
+2. Build a candidate list of sensitive attributes per resource: role/isAdmin/permissions, ownerId/accountId/tenantId, status/state, plan/price, limits/quotas, feature flags, verification flags, balance/credits.
+3. Inject candidates alongside legitimate updates across transports and encodings; compare before/after state and diffs across roles.
+4. Repeat with nested objects, arrays, and alternative shapes (dot/bracket notation, duplicate keys) and in batch operations.
+</methodology>
+
+<discovery_techniques>
+<surface_map>
+- Controllers with automatic binding (e.g., request.json → model); GraphQL input types mirroring models; admin/staff tools exposed via API
+- OpenAPI/GraphQL schemas: uncover hidden fields or enums; SDKs often reveal writable fields
+- Client bundles and mobile apps: inspect forms and mutation payloads for field names
+</surface_map>
+
+<parameter_strategies>
+- Flat fields: isAdmin, role, roles[], permissions[], status, plan, tier, premium, verified, emailVerified
+- Ownership/tenancy: userId, ownerId, accountId, organizationId, tenantId, workspaceId
+- Limits/quotas: usageLimit, seatCount, maxProjects, creditBalance
+- Feature flags/gates: features, flags, betaAccess, allowImpersonation
+- Billing: price, amount, currency, prorate, nextInvoice, trialEnd
+</parameter_strategies>
+
+<shape_variants>
+- Alternate shapes: arrays vs scalars; nested JSON; objects under unexpected keys
+- Dot/bracket paths: profile.role, profile[role], settings[roles][]
+- Duplicate keys and precedence: {"role":"user","role":"admin"}
+- Sparse/patch formats: JSON Patch/JSON Merge Patch; try adding forbidden paths or replacing protected fields
+</shape_variants>
+
+<encodings_and_channels>
+- Content-types: application/json, application/x-www-form-urlencoded, multipart/form-data, text/plain (JSON via server coercion)
+- GraphQL: add suspicious fields to input objects; overfetch response to detect changes
+- Batch/bulk: arrays of objects; verify per-item allowlists not skipped
+</encodings_and_channels>
+
+<exploitation_techniques>
+<privilege_escalation>
+- Set role/isAdmin/permissions during signup/profile update; toggle admin/staff flags where exposed
+</privilege_escalation>
+
+<ownership_takeover>
+- Change ownerId/accountId/tenantId to seize resources; move objects across users/tenants
+</ownership_takeover>
+
+<feature_gate_bypass>
+- Enable premium/beta/feature flags via flags/features fields; raise limits/seatCount/quotas
+</feature_gate_bypass>
+
+<billing_and_entitlements>
+- Modify plan/price/prorate/trialEnd or creditBalance; bypass server recomputation
+</billing_and_entitlements>
+
+<nested_and_relation_writes>
+- Writable nested serializers or ORM relations allow creating or linking related objects beyond caller’s scope (e.g., attach to another user’s org)
+</nested_and_relation_writes>
+
+<advanced_techniques>
+<graphQL_specific>
+- Field-level authz missing on input types: attempt forbidden fields in mutation inputs; combine with aliasing/batching to compare effects
+- Use fragments to overfetch changed fields immediately after mutation
+</graphQL_specific>
+
+<orm_framework_edges>
+- Rails: strong parameters misconfig or deep nesting via accepts_nested_attributes_for
+- Laravel: $fillable/$guarded misuses; guarded=[] opens all; casts mutating hidden fields
+- Django REST Framework: writable nested serializer, read_only/extra_kwargs gaps, partial updates
+- Mongoose/Prisma: schema paths not filtered; select:false doesn’t prevent writes; upsert defaults
+</orm_framework_edges>
+
+<parser_and_validator_gaps>
+- Validators run post-bind and do not cover extra fields; unknown fields silently dropped in response but persisted underneath
+- Inconsistent allowlists between mobile/web/gateway; alt encodings bypass validation pipeline
+</parser_and_validator_gaps>
+
+<bypass_techniques>
+<content_type_switching>
+- Switch JSON ↔ form-encoded ↔ multipart ↔ text/plain; some code paths only validate one
+</content_type_switching>
+
+<key_path_variants>
+- Dot/bracket/object re-shaping to reach nested fields through different binders
+</key_path_variants>
+
+<batch_paths>
+- Per-item checks skipped in bulk operations; insert a single malicious object within a large batch
+</batch_paths>
+
+<race_and_reorder>
+- Race two updates: first sets forbidden field, second normalizes; final state may retain forbidden change
+</race_and_reorder>
+
+<validation>
+1. Show a minimal request where adding a sensitive field changes persisted state for a non-privileged caller.
+2. Provide before/after evidence (response body, subsequent GET, or GraphQL query) proving the forbidden attribute value.
+3. Demonstrate consistency across at least two encodings or channels.
+4. For nested/bulk, show that protected fields are written within child objects or array elements.
+5. Quantify impact (e.g., role flip, cross-tenant move, quota increase) and reproducibility.
+</validation>
+
+<false_positives>
+- Server recomputes derived fields (plan/price/role) ignoring client input
+- Fields marked read-only and enforced consistently across encodings
+- Only UI-side changes with no persisted effect
+</false_positives>
+
+<impact>
+- Privilege escalation and admin feature access
+- Cross-tenant or cross-account resource takeover
+- Financial/billing manipulation and quota abuse
+- Policy/approval bypass by toggling verification or status flags
+</impact>
+
+<pro_tips>
+1. Build a sensitive-field dictionary per resource and fuzz systematically.
+2. Always try alternate shapes and encodings; many validators are shape/CT-specific.
+3. For GraphQL, diff the resource immediately after mutation; effects are often visible even if the mutation returns filtered fields.
+4. Inspect SDKs/mobile apps for hidden field names and nested write examples.
+5. Prefer minimal PoCs that prove durable state changes; avoid UI-only effects.
+</pro_tips>
+
+<mitigations>
+- Enforce server-side allowlists per operation and role; deny unknown fields by default
+- Separate input DTOs from domain models; map explicitly
+- Recompute derived fields (role/plan/owner) from trusted context; ignore client values
+- Lock nested writes to owned resources; validate foreign keys against caller scope
+- For GraphQL, use input types that expose only permitted fields and enforce resolver-level checks
+</mitigations>
+
+<remember>Mass assignment is eliminated by explicit mapping and per-field authorization. Treat every client-supplied attribute—especially nested or batch inputs—as untrusted until validated against an allowlist and caller scope.</remember>
+</mass_assignment_guide>

strix/prompts/vulnerabilities/path_traversal_lfi_rfi.jinja

@@ -0,0 +1,142 @@
+<path_traversal_lfi_rfi_guide>
+<title>PATH TRAVERSAL, LFI, AND RFI</title>
+
+<critical>Improper file path handling and dynamic inclusion enable sensitive file disclosure, config/source leakage, SSRF pivots, and code execution. Treat all user-influenced paths, names, and schemes as untrusted; normalize and bind them to an allowlist or eliminate user control entirely.</critical>
+
+<scope>
+- Path traversal: read files outside intended roots via ../, encoding, normalization gaps
+- Local File Inclusion (LFI): include server-side files into interpreters/templates
+- Remote File Inclusion (RFI): include remote resources (HTTP/FTP/wrappers) for code execution
+- Archive extraction traversal (Zip Slip): write outside target directory upon unzip/untar
+- Server/proxy normalization mismatches (nginx alias/root, upstream decoders)
+- OS-specific paths: Windows separators, device names, UNC, NT paths, alternate data streams
+</scope>
+
+<methodology>
+1. Inventory all file operations: downloads, previews, templates, logs, exports/imports, report engines, uploads, archive extractors.
+2. Identify input joins: path joins (base + user), include/require/template loads, resource fetchers, archive extract destinations.
+3. Probe normalization and resolution: separators, encodings, double-decodes, case, trailing dots/slashes; compare web server vs application behavior.
+4. Escalate from disclosure (read) to influence (write/extract/include), then to execution (wrapper/engine chains).
+</methodology>
+
+<discovery_techniques>
+<surface_map>
+- HTTP params: file, path, template, include, page, view, download, export, report, log, dir, theme, lang
+- Upload and conversion pipelines: image/PDF renderers, thumbnailers, office converters
+- Archive extract endpoints and background jobs; imports with ZIP/TAR/GZ/7z
+- Server-side template rendering (PHP/Smarty/Twig/Blade), email templates, CMS themes/plugins
+- Reverse proxies and static file servers (nginx, CDN) in front of app handlers
+</surface_map>
+
+<capability_probes>
+- Path traversal baseline: ../../etc/hosts and C:\\Windows\\win.ini
+- Encodings: %2e%2e%2f, %252e%252e%252f, ..%2f, ..%5c, mixed UTF-8 (%c0%2e), Unicode dots and slashes
+- Normalization tests: ....//, ..\\, ././, trailing dot/double dot segments; repeated decoding
+- Absolute path acceptance: /etc/passwd, C:\\Windows\\System32\\drivers\\etc\\hosts
+- Server mismatch: /static/..;/../etc/passwd ("..;"), encoded slashes (%2F), double-decoding via upstream
+</capability_probes>
+</discovery_techniques>
+
+<detection_channels>
+<direct>
+- Response body discloses file content (text, binary, base64); error pages echo real paths
+</direct>
+
+<error_based>
+- Exception messages expose canonicalized paths or include() warnings with real filesystem locations
+</error_based>
+
+<oast>
+- RFI/LFI with wrappers that trigger outbound fetches (HTTP/DNS) to confirm inclusion/execution
+</oast>
+
+<side_effects>
+- Archive extraction writes files unexpectedly outside target; verify with directory listings or follow-up reads
+</side_effects>
+</detection_channels>
+
+<path_traversal>
+<bypasses_and_variants>
+- Encodings: single/double URL-encoding, mixed case, overlong UTF-8, UTF-16, path normalization oddities
+- Mixed separators: / and \\ on Windows; // and \\\\ collapse differences across frameworks
+- Dot tricks: ....// (double dot folding), trailing dots (Windows), trailing slashes, appended valid extension
+- Absolute path injection: bypass joins by supplying a rooted path
+- Alias/root mismatch (nginx): alias without trailing slash with nested location allows ../ to escape; try /static/../etc/passwd and ";" variants (..;)
+- Upstream vs backend decoding: proxies/CDNs decoding %2f differently; test double-decoding and encoded dots
+</bypasses_and_variants>
+
+<high_value_targets>
+- /etc/passwd, /etc/hosts, application .env/config.yaml, SSH/keys, cloud creds, service configs/logs
+- Windows: C:\\Windows\\win.ini, IIS/web.config, programdata configs, application logs
+- Source code templates and server-side includes; secrets in env dumps
+</high_value_targets>
+</path_traversal>
+
+<lfi>
+<wrappers_and_techniques>
+- PHP wrappers: php://filter/convert.base64-encode/resource=index.php (read source), zip://archive.zip#file.txt, data://text/plain;base64, expect:// (if enabled)
+- Log/session poisoning: inject PHP/templating payloads into access/error logs or session files then include them (paths vary by stack)
+- Upload temp names: include temporary upload files before relocation; race with scanners
+- /proc/self/environ and framework-specific caches for readable secrets
+- Null-byte (legacy): %00 truncation in older stacks; path length truncation tricks
+</wrappers_and_techniques>
+
+<template_engines>
+- PHP include/require; Smarty/Twig/Blade with dynamic template names
+- Java/JSP/FreeMarker/Velocity; Node.js ejs/handlebars/pug engines
+- Seek dynamic template resolution from user input (theme/lang/template)
+</template_engines>
+</lfi>
+
+<rfi>
+<conditions>
+- Remote includes (allow_url_include/allow_url_fopen in PHP), custom fetchers that eval/execute retrieved content, SSRF-to-exec bridges
+- Protocol handlers: http, https, ftp; language-specific stream handlers
+</conditions>
+
+<exploitation>
+- Host a minimal payload that proves code execution; prefer OAST beacons or deterministic output over heavy shells
+- Chain with upload or log poisoning when remote includes are disabled to reach local payloads
+</exploitation>
+</rfi>
+
+<archive_extraction>
+<zip_slip>
+- Files within archives containing ../ or absolute paths escape target extract directory
+- Test multiple formats: zip/tar/tgz/7z; verify symlink handling and path canonicalization prior to write
+- Impact: overwrite config/templates or drop webshells into served directories
+</zip_slip>
+</archive_extraction>
+
+<validation>
+1. Show a minimal traversal read proving out-of-root access (e.g., /etc/hosts) with a same-endpoint in-root control.
+2. For LFI, demonstrate inclusion of a benign local file or harmless wrapper output (php://filter base64 of index.php); avoid active code when not permitted.
+3. For RFI, prove remote fetch by OAST or controlled output; avoid destructive payloads.
+4. For Zip Slip, create an archive with ../ entries and show write outside target (e.g., marker file read back).
+5. Provide before/after file paths, exact requests, and content hashes/lengths for reproducibility.
+</validation>
+
+<false_positives>
+- In-app virtual paths that do not map to filesystem; content comes from safe stores (DB/object storage)
+- Canonicalized paths constrained to an allowlist/root after normalization
+- Wrappers disabled and includes using constant templates only
+- Archive extractors that sanitize paths and enforce destination directories
+</false_positives>
+
+<impact>
+- Sensitive configuration/source disclosure → credential and key compromise
+- Code execution via inclusion of attacker-controlled content or overwritten templates
+- Persistence via dropped files in served directories; lateral movement via revealed secrets
+- Supply-chain impact when report/template engines execute attacker-influenced files
+</impact>
+
+<pro_tips>
+1. Compare content-length/ETag when content is masked; read small canonical files (hosts) to avoid noise.
+2. Test proxy/CDN and app separately; decoding/normalization order differs, especially for %2f and %2e encodings.
+3. For LFI, prefer php://filter base64 probes over destructive payloads; enumerate readable logs and sessions.
+4. Validate extraction code with synthetic archives; include symlinks and deep ../ chains.
+5. Use minimal PoCs and hard evidence (hashes, paths). Avoid noisy DoS against filesystems.
+</pro_tips>
+
+<remember>Eliminate user-controlled paths where possible. Otherwise, resolve to canonical paths and enforce allowlists, forbid remote schemes, and lock down interpreters and extractors. Normalize consistently at the boundary closest to IO.</remember>
+</path_traversal_lfi_rfi_guide>