nyx/tests/fixtures/java_service/Service.java

128 lines
4.2 KiB
Java

Feat/full cfg (#30)

* feat: Enhance control flow analysis with function summaries and taint analysis
* feat: Update taint analysis to utilize function summaries for enhanced tracking
* Refactor `walk.rs` batch processing and override handling:
  - Renamed `Batcher` to `BatchSender` for clarity.
  - Added `BatchSender::new` constructor for cleaner initialization.
  - Simplified batch size management in `BatchSender`.
  - Extracted `build_overrides` function for reusable override construction.
  - Improved error handling and validation in override building.
  - Enhanced performance with directory and file type filtering in `walk`.
* Improve logging and streamline directory walk process:
  - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion.
  - Optimized and simplified `filter_entry` logic for directory and file type filters.
  - Improved metadata checks and max file size enforcement during the scan.
* Refactor and optimize taint tracking, label rules, and directory walk process:
  - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing.
  - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency.
  - Removed unused `set_hash` function and redundant imports across files.
  - Improved batch sender logic in `walk.rs`, renaming key components for clarity.
  - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return.
  - Expanded label rules with additional matchers for sources, sanitizers, and sinks.
  - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup.
* fix: fixed let chains error in walk.rs
* fix: updated dependencies
* fix: updated dependencies
* chore: Remove standard error in scan.rs
* feat: Introduce function summaries for enhanced taint and control flow analysis
* feat: Enhance taint analysis with interop support and function summaries
* feat: Add configuration analysis module and enhance matcher rules
* feat: Add arity column to function_summaries and handle schema migration
* fix: fixed clippy &PathBuf warnings
* chore: Update dependencies and versioning in Cargo files
* docs: Update README to enhance clarity and detail on features and analysis modes
* chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes
* docs: Update SECURITY.md to clarify version support status

---------

Co-authored-by: elipeter <eli.peter@es.fcm.travel>
2026-02-24 23:44:07 -05:00
import java.io.*;
import java.sql.*;
import java.util.Random;

/**
 * Simulates a Java backend service handling HTTP requests.
 * Contains realistic vulnerability patterns found in enterprise Java code.
 */
public class Service {
    private Connection dbConn;

    public Service(Connection dbConn) {
        this.dbConn = dbConn;
    }

    // ───── Command execution from environment ─────

    /**
     * POST /admin/maintenance
     * Runs a maintenance command from environment config.
     * VULN: System.getenv flows into Runtime.exec (command injection)
     */
    public String handleMaintenance() throws IOException {
        String cmd = System.getenv("MAINTENANCE_CMD");
        Process proc = Runtime.getRuntime().exec(cmd);
        BufferedReader reader = new BufferedReader(
            new InputStreamReader(proc.getInputStream())
        );
        StringBuilder output = new StringBuilder();
        String line;
        while ((line = reader.readLine()) != null) {
            output.append(line).append("\n");
        }
        return output.toString();
    }

    /**
     * POST /admin/deploy
     * Constructs a deploy command from multiple env vars.
     * VULN: System.getenv flows into Runtime.exec
     */
    public void handleDeploy() throws IOException {
        String target = System.getenv("DEPLOY_HOST");
        String artifact = System.getenv("ARTIFACT_PATH");
        String command = "scp " + artifact + " " + target + ":/opt/app/";
        Runtime.getRuntime().exec(command);
    }

    // ───── SQL injection via string concatenation ─────

    /**
     * GET /api/users/search
     * Searches users with a query parameter concatenated into SQL.
     * VULN: System.getenv flows into executeQuery (SQL injection)
     */
    public ResultSet searchUsers(String searchTerm) throws SQLException {
        String table = System.getenv("USERS_TABLE");
        String sql = "SELECT * FROM " + table + " WHERE name LIKE '%" + searchTerm + "%'";
        Statement stmt = dbConn.createStatement();
        return stmt.executeQuery(sql);
    }

    /**
     * POST /api/audit/log
     * Writes an audit log entry using concatenated SQL.
     * VULN: String concatenation in executeUpdate (SQL injection)
     */
    public void logAuditEvent(String event, String userId) throws SQLException {
        String sql = "INSERT INTO audit_log (event, user_id, ts) VALUES ('"
            + event + "', '" + userId + "', NOW())";
        Statement stmt = dbConn.createStatement();
        stmt.executeUpdate(sql);
    }

    // ───── Deserialization ─────

    /**
     * POST /api/session/restore
     * Deserializes a session object from a byte stream.
     * VULN: ObjectInputStream.readObject on untrusted data
     */
    public Object restoreSession(InputStream sessionData) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(sessionData);
        Object session = ois.readObject();
        ois.close();
        return session;
    }

    // ───── Reflection ─────

    /**
     * POST /api/plugins/load
     * Dynamically loads a class by name from environment config.
     * VULN: System.getenv flows into Class.forName (unsafe reflection)
     */
    public Object loadPlugin() throws Exception {
        String className = System.getenv("PLUGIN_CLASS");
        Class<?> pluginClass = Class.forName(className);
        return pluginClass.getDeclaredConstructor().newInstance();
    }

    // ───── Weak randomness ─────

    /**
     * Generates a session token using java.util.Random.
     * VULN: insecure random; should use SecureRandom for tokens
     */
    public String generateSessionToken() {
        Random rng = new Random();
        long tokenValue = rng.nextLong();
        return Long.toHexString(tokenValue);
    }

    // ───── Safe patterns ─────

    /**
     * SAFE: uses PreparedStatement (parameterized query).
     */
    public ResultSet safeSearch(String term) throws SQLException {
        PreparedStatement pstmt = dbConn.prepareStatement(
            "SELECT * FROM users WHERE name LIKE ?"
        );
        pstmt.setString(1, "%" + term + "%");
        return pstmt.executeQuery();
    }
}
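The fixture's "Safe patterns" section covers only the parameterized query; the following is an added example (not part of the nyx repository or this fixture) showing hardened counterparts for the other flagged patterns, so a scanner run over both files should report findings only in Service.java. The allowlisted table names, the plugin class and `com.example.SessionState` are assumed placeholders.

```java
import java.io.*;
import java.security.SecureRandom;
import java.sql.*;
import java.util.Base64;
import java.util.Set;

/** Hardened counterparts to the patterns Service.java flags (added example). */
public class HardenedService {
    private static final SecureRandom RNG = new SecureRandom();
    // Assumed allowlists; a real service would load these from trusted config.
    private static final Set<String> ALLOWED_TABLES = Set.of("users", "users_archive");
    private static final Set<String> ALLOWED_PLUGINS = Set.of("com.example.plugins.Audit");
    private final Connection dbConn;
    public HardenedService(Connection dbConn) { this.dbConn = dbConn; }

    /** Fixed argv instead of a shell string, with inputs validated before use. */
    public void deploy(String artifact, String host) throws IOException {
        if (!artifact.matches("[A-Za-z0-9._/-]+") || !host.matches("[A-Za-z0-9.-]+"))
            throw new IllegalArgumentException("rejected deploy parameters");
        new ProcessBuilder("scp", artifact, host + ":/opt/app/").start();
    }

    /** Identifier checked against an allowlist; the value stays a bind parameter. */
    public ResultSet searchUsers(String table, String term) throws SQLException {
        if (!ALLOWED_TABLES.contains(table)) throw new SQLException("unknown table");
        PreparedStatement ps = dbConn.prepareStatement(
            "SELECT * FROM " + table + " WHERE name LIKE ?");
        ps.setString(1, "%" + term + "%");
        return ps.executeQuery();
    }

    /** Deserialization filter (Java 9+): accept SessionState only, reject all else. */
    public Object restoreSession(InputStream data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(data)) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "com.example.SessionState;!*"));
            return ois.readObject();
        }
    }

    /** Reflection restricted to a closed set of plugin classes. */
    public Object loadPlugin(String className) throws Exception {
        if (!ALLOWED_PLUGINS.contains(className)) throw new ClassNotFoundException(className);
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    /** 256-bit token from SecureRandom, URL-safe base64 without padding. */
    public String generateSessionToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }
}
```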