nyx/tests/fixtures/mixed_project/config.rs

use std::env;
use std::fs;
use std::process::Command;

/// Infrastructure provisioning tool, Rust core.
/// Reads infrastructure config from environment and executes provisioning commands.

struct InfraConfig {
    provider: String,
    region: String,
    ssh_key_path: String,
    cluster_name: String,
}

fn load_infra_config() -> InfraConfig {
    InfraConfig {
        provider: env::var("CLOUD_PROVIDER").unwrap(),
        region: env::var("CLOUD_REGION").unwrap(),
        ssh_key_path: env::var("SSH_KEY_PATH").expect("SSH_KEY_PATH required"),
        cluster_name: env::var("CLUSTER_NAME").unwrap(),
    }
}

/// Provisions a new cluster by shelling out to the provider CLI.
/// VULN: env var flows into Command (command injection)
fn provision_cluster() {
    let cfg = load_infra_config();
    let cmd = format!(
        "{}-cli create-cluster --name {} --region {} --ssh-key {}",
        cfg.provider, cfg.cluster_name, cfg.region, cfg.ssh_key_path
    );
    let output = Command::new("sh")
        .arg("-c")
        .arg(&cmd)
        .output()
        .expect("provisioning failed");

    if !output.status.success() {
        panic!("Cluster provisioning failed: {}", String::from_utf8_lossy(&output.stderr));
    }
}

/// Reads a Terraform state file and applies changes.
/// VULN: file contents flow into Command
fn apply_terraform() {
    let state = fs::read_to_string("/etc/terraform/main.tf").unwrap();
    let workspace = state.lines()
        .find(|l| l.starts_with("workspace"))
        .unwrap_or("default");
    Command::new("terraform")
        .arg("apply")
        .arg("-auto-approve")
        .arg("-var")
        .arg(format!("workspace={}", workspace))
        .status()
        .unwrap();
}

/// Destroys infrastructure, reads target from env.
/// VULN: env var flows into Command
fn destroy_cluster() {
    let cluster = env::var("DESTROY_TARGET").unwrap();
    Command::new("sh")
        .arg("-c")
        .arg(format!("kubectl delete cluster {}", cluster))
        .status()
        .expect("destroy failed");
}
Feat/full cfg (#30) * feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2026-02-24 23:44:07 -05:00			`use std::env;`
			`use std::fs;`
			`use std::process::Command;`

Python fp and docs updtes (#58) * refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files 2026-04-29 19:53:34 -04:00			`/// Infrastructure provisioning tool, Rust core.`
Feat/full cfg (#30) * feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2026-02-24 23:44:07 -05:00			`/// Reads infrastructure config from environment and executes provisioning commands.`

			`struct InfraConfig {`
			`provider: String,`
			`region: String,`
			`ssh_key_path: String,`
			`cluster_name: String,`
			`}`

			`fn load_infra_config() -> InfraConfig {`
			`InfraConfig {`
			`provider: env::var("CLOUD_PROVIDER").unwrap(),`
			`region: env::var("CLOUD_REGION").unwrap(),`
			`ssh_key_path: env::var("SSH_KEY_PATH").expect("SSH_KEY_PATH required"),`
			`cluster_name: env::var("CLUSTER_NAME").unwrap(),`
			`}`
			`}`

			`/// Provisions a new cluster by shelling out to the provider CLI.`
			`/// VULN: env var flows into Command (command injection)`
			`fn provision_cluster() {`
			`let cfg = load_infra_config();`
			`let cmd = format!(`
			`"{}-cli create-cluster --name {} --region {} --ssh-key {}",`
			`cfg.provider, cfg.cluster_name, cfg.region, cfg.ssh_key_path`
			`);`
			`let output = Command::new("sh")`
			`.arg("-c")`
			`.arg(&cmd)`
			`.output()`
			`.expect("provisioning failed");`

			`if !output.status.success() {`
			`panic!("Cluster provisioning failed: {}", String::from_utf8_lossy(&output.stderr));`
			`}`
			`}`

			`/// Reads a Terraform state file and applies changes.`
			`/// VULN: file contents flow into Command`
			`fn apply_terraform() {`
			`let state = fs::read_to_string("/etc/terraform/main.tf").unwrap();`
			`let workspace = state.lines()`
			`.find(\|l\| l.starts_with("workspace"))`
			`.unwrap_or("default");`
			`Command::new("terraform")`
			`.arg("apply")`
			`.arg("-auto-approve")`
			`.arg("-var")`
			`.arg(format!("workspace={}", workspace))`
			`.status()`
			`.unwrap();`
			`}`

Python fp and docs updtes (#58) * refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files 2026-04-29 19:53:34 -04:00			`/// Destroys infrastructure, reads target from env.`
Feat/full cfg (#30) * feat: Enhance control flow analysis with function summaries and taint analysis * feat: Update taint analysis to utilize function summaries for enhanced tracking * Refactor `walk.rs` batch processing and override handling: - Renamed `Batcher` to `BatchSender` for clarity. - Added `BatchSender::new` constructor for cleaner initialization. - Simplified batch size management in `BatchSender`. - Extracted `build_overrides` function for reusable override construction. - Improved error handling and validation in override building. - Enhanced performance with directory and file type filtering in `walk`. * Improve logging and streamline directory walk process: - Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion. - Optimized and simplified `filter_entry` logic for directory and file type filters. - Improved metadata checks and max file size enforcement during the scan. * Refactor and optimize taint tracking, label rules, and directory walk process: - Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing. - Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency. - Removed unused `set_hash` function and redundant imports across files. - Improved batch sender logic in `walk.rs`, renaming key components for clarity. - Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return. - Expanded label rules with additional matchers for sources, sanitizers, and sinks. - Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup. * fix: fixed let chains error in walk.rs * fix: updated dependencies * fix: updated dependencies * chore: Remove standard error in scan.rs * feat: Introduce function summaries for enhanced taint and control flow analysis * feat: Enhance taint analysis with interop support and function summaries * feat: Add configuration analysis module and enhance matcher rules * feat: Add arity column to function_summaries and handle schema migration * fix: fixed clippy &PathBuf warnings * chore: Update dependencies and versioning in Cargo files * docs: Update README to enhance clarity and detail on features and analysis modes * chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes * docs: Update SECURITY.md to clarify version support status --------- Co-authored-by: elipeter <eli.peter@es.fcm.travel> 2026-02-24 23:44:07 -05:00			`/// VULN: env var flows into Command`
			`fn destroy_cluster() {`
			`let cluster = env::var("DESTROY_TARGET").unwrap();`
			`Command::new("sh")`
			`.arg("-c")`
			`.arg(format!("kubectl delete cluster {}", cluster))`
			`.status()`
			`.expect("destroy failed");`
			`}`