nyx/tests/fixtures/realistic/ssrf/SsrfJavaOriginLocked.java

// Phase 14 fixture (Java negative) — `"https://api.example.com/" + path`
// produces a StringFact whose prefix is the literal scheme/host. The
// `RestTemplate.getForObject(url, ...)` SSRF sink reads the URL at
// arg 0; `is_abstract_safe_for_sink` honours the prefix-lock and
// suppresses the finding even though the path component is
// attacker-controlled.
import org.springframework.web.client.RestTemplate;
import javax.servlet.http.HttpServletRequest;

public class SsrfJavaOriginLocked {
    public void proxy(HttpServletRequest req) {
        String path = req.getParameter("path");
        String url = "https://api.example.com/" + path;
        RestTemplate rt = new RestTemplate();
        String body = rt.getForObject(url, String.class);
    }
}
Critical bug fixes and recall improvements (#68) 2026-05-11 12:42:39 -04:00			// Phase 14 fixture (Java negative) — `"https://api.example.com/" + path`
			`// produces a StringFact whose prefix is the literal scheme/host. The`
			// `RestTemplate.getForObject(url, ...)` SSRF sink reads the URL at
			// arg 0; `is_abstract_safe_for_sink` honours the prefix-lock and
			`// suppresses the finding even though the path component is`
			`// attacker-controlled.`
			`import org.springframework.web.client.RestTemplate;`
			`import javax.servlet.http.HttpServletRequest;`

			`public class SsrfJavaOriginLocked {`
			`public void proxy(HttpServletRequest req) {`
			`String path = req.getParameter("path");`
			`String url = "https://api.example.com/" + path;`
			`RestTemplate rt = new RestTemplate();`
			`String body = rt.getForObject(url, String.class);`
			`}`
			`}`