nyx/tests/dynamic_fixtures/java/cmdi_negative.java

// Command injection — negative fixture.
// Safe: exec with args array; no shell; semicolons are inert.
// Entry: Entry.runPing(String)  Cap: CODE_EXEC
// Expected verdict: NotConfirmed

import java.io.*;

public class Entry {
    public static void runPing(String host) throws Exception {
        // Array form: each element is a literal argument — no shell expansion.
        String[] cmd = {"echo", "hello", host};
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = reader.readLine()) != null) {
            System.out.println(line);
        }
        p.waitFor();
    }
}
[pitboss] phase 05: M5 — JS/TS, Go, Java, PHP harness emitters 2026-05-12 02:20:55 -04:00			`// Command injection — negative fixture.`
			`// Safe: exec with args array; no shell; semicolons are inert.`
			`// Entry: Entry.runPing(String) Cap: CODE_EXEC`
			`// Expected verdict: NotConfirmed`

			`import java.io.*;`

			`public class Entry {`
			`public static void runPing(String host) throws Exception {`
			`// Array form: each element is a literal argument — no shell expansion.`
			`String[] cmd = {"echo", "hello", host};`
			`Process p = Runtime.getRuntime().exec(cmd);`
			`BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));`
			`String line;`
			`while ((line = reader.readLine()) != null) {`
			`System.out.println(line);`
			`}`
			`p.waitFor();`
			`}`
			`}`