nyx/tests/fixtures/patterns/java/positive.java

import java.io.*;
import java.util.Random;
import java.security.MessageDigest;
import org.yaml.snakeyaml.Yaml;
import org.apache.commons.text.StringSubstitutor;

class Positive {
    // java.deser.readobject
    void triggerDeser(InputStream is) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(is);
        Object obj = ois.readObject();
    }

    // java.cmdi.runtime_exec
    void triggerRuntimeExec(String cmd) throws Exception {
        Runtime.getRuntime().exec(cmd);
    }

    // java.reflection.class_forname
    void triggerClassForName(String name) throws Exception {
        Class.forName(name);
    }

    // java.reflection.method_invoke
    void triggerMethodInvoke(Object target) throws Exception {
        java.lang.reflect.Method m = target.getClass().getMethod("run");
        m.invoke(target);
    }

    // java.sqli.execute_concat
    void triggerSqlConcat(java.sql.Statement stmt, String user) throws Exception {
        stmt.executeQuery("SELECT * FROM users WHERE name = '" + user + "'");
    }

    // java.crypto.insecure_random
    void triggerInsecureRandom() {
        Random r = new Random();
        int token = r.nextInt();
    }

    // java.crypto.weak_digest
    void triggerWeakDigest() throws Exception {
        MessageDigest md = MessageDigest.getInstance("MD5");
    }

    // java.xss.getwriter_print
    void triggerGetWriterPrint(javax.servlet.http.HttpServletResponse resp) throws Exception {
        resp.getWriter().println("<html>" + "data" + "</html>");
    }

    // java.deser.snakeyaml_unsafe_constructor — CVE-2022-1471 regression guard.
    void triggerSnakeyamlUnsafeConstructor() throws Exception {
        Yaml yaml = new Yaml();
        Object data = yaml.load("payload");
    }

    // java.code_exec.text4shell_interpolator — CVE-2022-42889 regression guard.
    String triggerText4ShellInterpolator(String input) {
        StringSubstitutor s = StringSubstitutor.createInterpolator();
        return s.replace(input);
    }
}
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00			`import java.io.*;`
			`import java.util.Random;`
			`import java.security.MessageDigest;`
Python fp and docs updtes (#58) * refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files 2026-04-29 19:53:34 -04:00			`import org.yaml.snakeyaml.Yaml;`
			`import org.apache.commons.text.StringSubstitutor;`
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00
			`class Positive {`
			`// java.deser.readobject`
			`void triggerDeser(InputStream is) throws Exception {`
			`ObjectInputStream ois = new ObjectInputStream(is);`
			`Object obj = ois.readObject();`
			`}`

			`// java.cmdi.runtime_exec`
			`void triggerRuntimeExec(String cmd) throws Exception {`
			`Runtime.getRuntime().exec(cmd);`
			`}`

			`// java.reflection.class_forname`
			`void triggerClassForName(String name) throws Exception {`
			`Class.forName(name);`
			`}`

			`// java.reflection.method_invoke`
			`void triggerMethodInvoke(Object target) throws Exception {`
			`java.lang.reflect.Method m = target.getClass().getMethod("run");`
			`m.invoke(target);`
			`}`

			`// java.sqli.execute_concat`
			`void triggerSqlConcat(java.sql.Statement stmt, String user) throws Exception {`
			`stmt.executeQuery("SELECT * FROM users WHERE name = '" + user + "'");`
			`}`

			`// java.crypto.insecure_random`
			`void triggerInsecureRandom() {`
			`Random r = new Random();`
			`int token = r.nextInt();`
			`}`

			`// java.crypto.weak_digest`
			`void triggerWeakDigest() throws Exception {`
			`MessageDigest md = MessageDigest.getInstance("MD5");`
			`}`

			`// java.xss.getwriter_print`
			`void triggerGetWriterPrint(javax.servlet.http.HttpServletResponse resp) throws Exception {`
			`resp.getWriter().println("<html>" + "data" + "</html>");`
			`}`
Python fp and docs updtes (#58) * refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files 2026-04-29 19:53:34 -04:00
			`// java.deser.snakeyaml_unsafe_constructor — CVE-2022-1471 regression guard.`
			`void triggerSnakeyamlUnsafeConstructor() throws Exception {`
			`Yaml yaml = new Yaml();`
			`Object data = yaml.load("payload");`
			`}`

			`// java.code_exec.text4shell_interpolator — CVE-2022-42889 regression guard.`
			`String triggerText4ShellInterpolator(String input) {`
			`StringSubstitutor s = StringSubstitutor.createInterpolator();`
			`return s.replace(input);`
			`}`
Phase 1 (#33) * chore: Exclude CLAUDE.md from Cargo.toml * feat: add callgraph module and integrate into main analysis flow * feat: enhance CLI with new severity filtering and analysis modes * feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling * feat: implement state-model dataflow analysis for resource lifecycle and auth state * feat: enhance diagnostic output formatting and add evidence structure * feat: implement attack surface ranking for diagnostics with scoring and sorting * feat: add comprehensive documentation for installation, usage, and rules reference * feat: add multiple language support for command execution and evaluation endpoints * feat: implement inline suppression for findings using `nyx:ignore` comments * feat: add confidence levels to AST patterns and update output structure * feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets * feat: bump version to 0.4.0 and update changelog with new features and improvements * feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs 2026-02-25 21:16:36 -05:00			`}`