Merge remote-tracking branch 'origin/ralph/gapfill-security'

# Conflicts:
#	configs/codereview_2config.sh
#	configs/selected_benchmark_tasks.json
#	prd.json

Author: LoCoBench Bot

benchmarks/ccb_security/sec-cve-001/environment/Dockerfile

@@ -0,0 +1,25 @@
+FROM debian:bookworm-slim
+
+WORKDIR /workspace
+
+# Install dependencies
+RUN apt-get update && apt-get install -y \
+    git \
+    curl \
+    python3 \
+    npm \
+    build-essential \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Claude Code CLI
+RUN npm install -g @anthropic-ai/claude-code
+
+# Clone curl at the pre-fix commit (vulnerable code present)
+# Parent of fix commit fb4415d8aee6c1045be932a34fe6107c2f5ed147
+RUN git clone --filter=blob:none --no-checkout https://github.com/curl/curl.git . && \
+    git checkout 09e25b9d94f4106eac8ca3a43b221bdc66f405e4 && \
+    git config user.email "agent@example.com" && \
+    git config user.name "Agent"
+
+# Create output directories
+RUN mkdir -p /logs/agent /logs/verifier

benchmarks/ccb_security/sec-cve-001/instruction.md

@@ -0,0 +1,73 @@
+# CVE Triage: curl SOCKS5 Heap Buffer Overflow (CVE-2023-38545)
+
+**Repository:** curl/curl
+**Task Type:** CVE Triage (analysis only — no code fixes)
+
+## Security Advisory
+
+**CVE ID:** CVE-2023-38545
+**Severity:** HIGH (CVSS 9.8)
+**CWE:** CWE-122 (Heap-based Buffer Overflow)
+**Affected Versions:** libcurl 7.69.0 through 8.3.0
+
+### Description
+
+This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake.
+
+When curl is asked to pass along the hostname to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that hostname can be is 255 bytes.
+
+If the hostname is detected to be longer than 255 bytes, curl switches to local name resolving and instead passes on the resolved address only to the proxy. Due to a bug, the local variable that means "let the host resolve the name" could get the wrong value during a slow SOCKS5 handshake, and contrary to the intention, copy the too long hostname to the target buffer instead of copying just the resolved address there.
+
+The target buffer being a heap based buffer, and the hostname coming from the URL that curl has been told to operate with.
+
+### Exploitation Conditions
+
+An attacker must control an HTTPS server accessible by the client using libcurl. The client must:
+1. Use a SOCKS5 proxy in proxy-resolver mode
+2. Follow HTTP redirects (attacker provides a redirect to a URL with a hostname > 255 bytes)
+3. The SOCKS5 handshake must be slow enough to trigger the state machine bug
+
+## Your Task
+
+Locate the vulnerable code in this curl repository. You must identify:
+
+1. **The specific source file** containing the vulnerability
+2. **The specific function** with the buffer overflow bug
+3. **The root cause** — which variable or state machine logic causes the overflow
+4. **The vulnerability type** — classify the bug (e.g., buffer overflow, integer overflow, use-after-free)
+5. **The attack surface** — which curl configurations trigger this code path
+
+You are NOT told which file or function contains the bug. You must find it through code analysis.
+
+## Output Requirements
+
+Write your triage report to `/logs/agent/triage.md`.
+
+Your report MUST include these sections:
+
+```
+# Triage Report: CVE-2023-38545
+
+## Summary
+<Vulnerability classification, severity, and 1-2 sentence finding>
+
+## Affected Code
+<Specific file path(s), function name(s), and line number(s) containing the vulnerability>
+
+## Root Cause
+<Technical explanation of the bug — what goes wrong and why>
+
+## Attack Vector
+<How the vulnerability can be exploited, including entry points and preconditions>
+
+## Severity Assessment
+<CVSS-style assessment: attack complexity, privileges required, user interaction>
+```
+
+## Constraints
+
+- Do NOT write any code fixes
+- Do NOT modify any source files
+- Your job is triage and analysis only
+- Focus on identifying the vulnerable code and explaining the root cause
+- The repository is checked out at a version where the vulnerable code is present

benchmarks/ccb_security/sec-cve-001/task.toml

@@ -0,0 +1,53 @@
+version = "1.0"
+
+[metadata]
+name = "sec-cve-001"
+description = "Locate vulnerable code from curl SOCKS5 heap buffer overflow CVE"
+license = "Apache-2.0"
+
+[task]
+id = "sec-cve-001"
+repo = "curl/curl"
+category = "cve_triage"
+language = "c"
+difficulty = "hard"
+time_limit_sec = 1200
+
+[verification]
+type = "test"
+command = "bash /tests/test.sh"
+
+reward_type = "checklist"
+description = "Weighted checklist scoring triage report against ground-truth findings"
+
+[environment]
+build_timeout_sec = 600.0
+
+[environment.setup_scripts]
+mcp_config = """#!/bin/bash
+# Setup Sourcegraph MCP if credentials provided
+if [ -n "$SOURCEGRAPH_ACCESS_TOKEN" ] && [ -n "$SOURCEGRAPH_URL" ]; then
+  echo "Setting up Sourcegraph MCP configuration..."
+  mkdir -p /root/.config/claude
+
+  cat > /root/.config/claude/mcp.json << 'MCPEOF'
+{
+  "mcpServers": {
+    "sourcegraph": {
+      "command": "npx",
+      "args": ["-y", "@sourcegraph/mcp-server"],
+      "env": {
+        "SRC_ACCESS_TOKEN": "$SOURCEGRAPH_ACCESS_TOKEN",
+        "SOURCEGRAPH_URL": "$SOURCEGRAPH_URL"
+      }
+    }
+  }
+}
+MCPEOF
+
+  echo "MCP configuration created"
+else
+  echo "No Sourcegraph credentials provided, MCP disabled"
+fi
+exit 0
+"""

benchmarks/ccb_security/sec-cve-001/tests/ground_truth.json

@@ -0,0 +1,94 @@
+{
+  "task_id": "sec-cve-001",
+  "description": "curl SOCKS5 heap buffer overflow CVE-2023-38545 triage",
+  "weights": {
+    "required_findings": 0.40,
+    "file_references": 0.30,
+    "causal_chain": 0.20,
+    "negative_checks": 0.10
+  },
+  "required_findings": [
+    {
+      "id": "f1",
+      "description": "Identifies the vulnerable function do_SOCKS5 or Curl_SOCKS5",
+      "patterns": ["do_SOCKS5", "Curl_SOCKS5"],
+      "weight": 0.25
+    },
+    {
+      "id": "f2",
+      "description": "Identifies heap buffer overflow vulnerability type",
+      "patterns": ["heap.*buffer.*overflow", "buffer.*overflow.*heap", "heap.*overflow"],
+      "weight": 0.20
+    },
+    {
+      "id": "f3",
+      "description": "Identifies the hostname length check (255 byte limit)",
+      "patterns": ["255", "hostname.*len", "hostname_len"],
+      "weight": 0.20
+    },
+    {
+      "id": "f4",
+      "description": "Identifies the socks5_resolve_local variable or state machine issue",
+      "patterns": ["socks5_resolve_local", "resolve.*local", "state.*machine", "non.?blocking"],
+      "weight": 0.20
+    },
+    {
+      "id": "f5",
+      "description": "Identifies SOCKS5 proxy handshake as the attack surface",
+      "patterns": ["SOCKS5.*proxy|proxy.*SOCKS5", "SOCKS5.*handshake|handshake.*SOCKS5", "CURLPROXY_SOCKS5"],
+      "weight": 0.15
+    }
+  ],
+  "file_references": [
+    {
+      "id": "r1",
+      "description": "Identifies lib/socks.c as the vulnerable file",
+      "patterns": ["lib/socks\\.c", "socks\\.c"],
+      "weight": 0.50
+    },
+    {
+      "id": "r2",
+      "description": "Identifies lib/socks.h or SOCKS-related headers",
+      "patterns": ["lib/socks\\.h", "socks\\.h", "lib/cf-socket"],
+      "weight": 0.20
+    },
+    {
+      "id": "r3",
+      "description": "Identifies CONNECT_SOCKS_INIT or CONNECT_RESOLVE_REMOTE state",
+      "patterns": ["CONNECT_SOCKS_INIT", "CONNECT_RESOLVE_REMOTE", "CONNECT_REQ_SEND"],
+      "weight": 0.30
+    }
+  ],
+  "causal_chain": [
+    {
+      "id": "c1",
+      "description": "Explains hostname > 255 bytes should trigger local resolve but state machine loses this decision",
+      "patterns": ["hostname.*255|255.*hostname", "resolve.*local|local.*resolve", "state|re.?enter"],
+      "ordered": true,
+      "weight": 0.50
+    },
+    {
+      "id": "c2",
+      "description": "Explains that the oversized hostname gets copied into a fixed-size heap buffer",
+      "patterns": ["hostname.*cop|cop.*hostname|memcpy|socksreq", "buffer|overflow|heap"],
+      "ordered": true,
+      "weight": 0.50
+    }
+  ],
+  "negative_checks": [
+    {
+      "id": "n1",
+      "description": "Does NOT blame TLS/SSL layer for the vulnerability",
+      "patterns": ["TLS.*cause|TLS.*root|SSL.*cause|SSL.*root|TLS.*vulnerab|SSL.*vulnerab"],
+      "must_be_absent": true,
+      "weight": 0.50
+    },
+    {
+      "id": "n2",
+      "description": "Does NOT blame HTTP parsing as the root cause",
+      "patterns": ["HTTP.*pars.*root|HTTP.*pars.*cause|HTTP.*pars.*vulnerab"],
+      "must_be_absent": true,
+      "weight": 0.50
+    }
+  ]
+}