mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
30 lines
1.2 KiB
Java
30 lines
1.2 KiB
Java
|
// File I/O — positive fixture.
|
||
|
|
// Vulnerable: reads file at user-controlled path without sanitization.
|
||
|
|
// Entry: Entry.readFile(String) Cap: FILE_IO
|
||
|
|
// Expected verdict: Confirmed.
|
||
|
|
//
|
||
|
|
// The harness plants a canary file (`nyx_pt_canary`, whose CONTENT is the
|
||
|
|
// collision-resistant marker) at the workdir root and an empty `testfiles/`
|
||
|
|
// directory beside it. Reading `testfiles/ + userPath` without normalising is
|
||
|
|
// the traversal sink: the vuln payload `../nyx_pt_canary` escapes `testfiles/`
|
||
|
|
// back to the planted canary, so its marker content reaches stdout.
|
||
|
|
|
||
|
|
import java.io.*;
|
||
|
|
import java.nio.file.*;
|
||
|
|
|
||
|
|
public class Entry {
|
||
|
|
public static void readFile(String userPath) throws Exception {
|
||
|
|
// Base directory the harness plants the canary one level above.
|
||
|
|
Path testfileDir = Paths.get(System.getProperty("user.dir"), "testfiles");
|
||
|
|
// Vulnerable: no normalisation / containment check on `userPath`.
|
||
|
|
Path filePath = testfileDir.resolve(userPath);
|
||
|
|
System.out.print("__NYX_SINK_HIT__\n");
|
||
|
|
try {
|
||
|
|
String content = new String(Files.readAllBytes(filePath));
|
||
|
|
System.out.print(content);
|
||
|
|
} catch (IOException e) {
|
||
|
|
// silent
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|