[pitboss/grind] deferred session-0003 (20260522T163126Z-7d60)

src/dynamic/corpus/json_parse/java.rs

@@ -0,0 +1,59 @@
+//! Java `Cap::JSON_PARSE` payloads.
+//!
+//! The depth pair shares a single fixture; the payload tag
+//! (`NYX_JSON_DEEP` vs `NYX_JSON_SHALLOW`) picks the branch.  Java has
+//! no prototype-pollution surface so the canary half of the slice is
+//! intentionally omitted, matching the PHP / Go / Rust shape.
+//!
+//! Java has no stdlib JSON parser, so the harness ships a hand-rolled
+//! iterative JSON walker as a sibling class (`NyxJsonProbe.java`); the
+//! fixture calls `NyxJsonProbe.parse(text)` in place of any Jackson /
+//! Gson dependency so the build path never reaches for an external jar.
+
+use super::super::{CuratedPayload, Oracle, PayloadProvenance, PayloadRef};
+use crate::dynamic::oracle::ProbePredicate;
+
+const MAX_DEPTH: u32 = 64;
+
+pub const PAYLOADS: &[CuratedPayload] = &[
+    CuratedPayload {
+        bytes: b"NYX_JSON_DEEP",
+        label: "json-parse-java-depth-bomb",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: false,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/java/Vuln.java"],
+        oob_nonce_slot: false,
+        probe_predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+            max_depth: MAX_DEPTH,
+        }],
+        benign_control: Some(PayloadRef {
+            label: "json-parse-java-depth-shallow",
+        }),
+        no_benign_control_rationale: None,
+    },
+    CuratedPayload {
+        bytes: b"NYX_JSON_SHALLOW",
+        label: "json-parse-java-depth-shallow",
+        oracle: Oracle::SinkProbe {
+            predicates: &[ProbePredicate::JsonParseExcessiveDepth {
+                max_depth: MAX_DEPTH,
+            }],
+        },
+        is_benign: true,
+        provenance: PayloadProvenance::Curated,
+        since_corpus_version: 15,
+        deprecated_at_corpus_version: None,
+        fixture_paths: &["tests/dynamic_fixtures/json_parse_depth/java/Vuln.java"],
+        oob_nonce_slot: false,
+        probe_predicates: &[],
+        benign_control: None,
+        no_benign_control_rationale: None,
+    },
+];

src/dynamic/corpus/json_parse/mod.rs

@@ -17,6 +17,7 @@
 //! regular property `data`, leaving the chain untouched.
 
 pub mod go;
+pub mod java;
 pub mod javascript;
 pub mod php;
 pub mod python;

src/dynamic/corpus/registry.rs

@@ -200,6 +200,7 @@ const ENTRIES: &[(Cap, Lang, &[CuratedPayload])] = &[
         json_parse::javascript::PAYLOADS,
     ),
     (Cap::JSON_PARSE, Lang::Go, json_parse::go::PAYLOADS),
+    (Cap::JSON_PARSE, Lang::Java, json_parse::java::PAYLOADS),
     (Cap::JSON_PARSE, Lang::Php, json_parse::php::PAYLOADS),
     (Cap::JSON_PARSE, Lang::Python, json_parse::python::PAYLOADS),
     (Cap::JSON_PARSE, Lang::Ruby, json_parse::ruby::PAYLOADS),
@@ -497,7 +498,15 @@ mod tests {
             ),
             (
                 Cap::JSON_PARSE,
-                &[Lang::JavaScript, Lang::Python, Lang::Ruby],
+                &[
+                    Lang::JavaScript,
+                    Lang::Python,
+                    Lang::Ruby,
+                    Lang::Php,
+                    Lang::Go,
+                    Lang::Rust,
+                    Lang::Java,
+                ],
             ),
             (
                 Cap::UNAUTHORIZED_ID,