apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-27 20:29:39 +02:00
Code Issues Projects Releases Packages Wiki Activity

Phase 1 (#33)

Browse source 
* chore: Exclude CLAUDE.md from Cargo.toml

* feat: add callgraph module and integrate into main analysis flow

* feat: enhance CLI with new severity filtering and analysis modes

* feat: update CHANGELOG with recent enhancements and fixes to severity filtering and output handling

* feat: implement state-model dataflow analysis for resource lifecycle and auth state

* feat: enhance diagnostic output formatting and add evidence structure

* feat: implement attack surface ranking for diagnostics with scoring and sorting

* feat: add comprehensive documentation for installation, usage, and rules reference

* feat: add multiple language support for command execution and evaluation endpoints

* feat: implement inline suppression for findings using `nyx:ignore` comments

* feat: add confidence levels to AST patterns and update output structure

* feat: implement low-noise prioritization system with category filtering, rollup grouping, and configurable budgets

* feat: bump version to 0.4.0 and update changelog with new features and improvements

* feat: add dead code allowances to various functions in mod.rs and real_world_tests.rs
This commit is contained in:
Eli Peter 2026-02-25 21:16:36 -05:00 committed by GitHub
parent 19b578c5c4
commit 1bbe4b1cfb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
456 changed files with 25628 additions and 1228 deletions
Download patch file Download diff file Expand all files Collapse all files

24
tests/fixtures/real_world/java/taint/cmdi_processbuilder.expect.json vendored Normal file
View file

@ -0,0 +1,24 @@
{
"description": "HttpServletRequest parameters flow into ProcessBuilder constructor \u2014 command injection via user-controlled program and arguments",
"tags": [
"taint",
"cmdi",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
13
],
"evidence_contains": [],
"notes": "request.getParameter(\"program\") and request.getParameter(\"arg\") flow into new ProcessBuilder(program, arg)"
}
]
}

21
tests/fixtures/real_world/java/taint/cmdi_processbuilder.java vendored Normal file
View file

@ -0,0 +1,21 @@
import java.io.*;
import javax.servlet.http.*;
public class ProcessHandler extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String program = request.getParameter("program");
String arg = request.getParameter("arg");
ProcessBuilder pb = new ProcessBuilder(program, arg);
Process process = pb.start();
BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()));
String line;
PrintWriter out = response.getWriter();
while ((line = reader.readLine()) != null) {
out.println(line);
}
}
}

35
tests/fixtures/real_world/java/taint/cmdi_runtime.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "HttpServletRequest.getParameter flows directly to Runtime.exec \u2014 classic command injection",
"tags": [
"taint",
"cmdi",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "request.getParameter(\"cmd\") flows directly into Runtime.getRuntime().exec(cmd)"
},
{
"rule_id": "cfg-unguarded-sink",
"severity": null,
"must_match": false,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "No validation or auth check before exec call"
}
]
}

13
tests/fixtures/real_world/java/taint/cmdi_runtime.java vendored Normal file
View file

@ -0,0 +1,13 @@
import java.io.*;
import javax.servlet.http.*;
public class CommandHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String cmd = request.getParameter("cmd");
Runtime.getRuntime().exec(cmd);
PrintWriter out = response.getWriter();
out.println("Command executed");
}
}

36
tests/fixtures/real_world/java/taint/deser_ois.expect.json vendored Normal file
View file

@ -0,0 +1,36 @@
{
"description": "Unsafe deserialization of untrusted ObjectInputStream from HTTP request body",
"tags": [
"taint",
"deser",
"servlet"
],
"modes": [
"full",
"ast"
],
"expected": [
{
"rule_id": "java.deser.readobject",
"severity": null,
"must_match": true,
"line_range": [
5,
9
],
"evidence_contains": [],
"notes": "AST pattern detects new ObjectInputStream() construction"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": false,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "request.getInputStream() flows into ObjectInputStream.readObject \u2014 taint may not track through constructor chain"
}
]
}

13
tests/fixtures/real_world/java/taint/deser_ois.java vendored Normal file
View file

@ -0,0 +1,13 @@
import java.io.*;
import javax.servlet.http.*;
public class DeserHandler extends HttpServlet {
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, ClassNotFoundException {
ObjectInputStream ois = new ObjectInputStream(request.getInputStream());
Object obj = ois.readObject();
PrintWriter out = response.getWriter();
out.println("Deserialized: " + obj.toString());
}
}

35
tests/fixtures/real_world/java/taint/reflection.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "User-controlled class name flows into Class.forName \u2014 arbitrary class instantiation",
"tags": [
"taint",
"reflection",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "java.reflection.class_forname",
"severity": null,
"must_match": true,
"line_range": [
6,
10
],
"evidence_contains": [],
"notes": "AST pattern detects Class.forName() call"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
10
],
"evidence_contains": [],
"notes": "request.getParameter(\"class\") flows directly into Class.forName(className)"
}
]
}

14
tests/fixtures/real_world/java/taint/reflection.java vendored Normal file
View file

@ -0,0 +1,14 @@
import java.io.*;
import javax.servlet.http.*;
public class ReflectionHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws Exception {
String className = request.getParameter("class");
Class<?> clazz = Class.forName(className);
Object instance = clazz.getDeclaredConstructor().newInstance();
PrintWriter out = response.getWriter();
out.println("Created: " + instance.getClass().getName());
}
}

35
tests/fixtures/real_world/java/taint/sqli_concat.expect.json vendored Normal file
View file

@ -0,0 +1,35 @@
{
"description": "SQL injection via string concatenation in doGet; safe PreparedStatement in doPost",
"tags": [
"taint",
"sqli",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "java.sqli.execute_concat",
"severity": null,
"must_match": true,
"line_range": [
10,
14
],
"evidence_contains": [],
"notes": "AST pattern detects string concatenation inside executeQuery argument"
},
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
8,
14
],
"evidence_contains": [],
"notes": "request.getParameter(\"id\") concatenated into SQL query string passed to executeQuery"
}
]
}

32
tests/fixtures/real_world/java/taint/sqli_concat.java vendored Normal file
View file

@ -0,0 +1,32 @@
import java.sql.*;
import javax.servlet.http.*;
import java.io.*;
public class UserQuery extends HttpServlet {
private Connection conn;
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException, SQLException {
String userId = request.getParameter("id");
Statement stmt = conn.createStatement();
ResultSet rs = stmt.executeQuery("SELECT * FROM users WHERE id = " + userId);
PrintWriter out = response.getWriter();
while (rs.next()) {
out.println(rs.getString("name"));
}
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException, SQLException {
String userId = request.getParameter("id");
PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
stmt.setString(1, userId);
ResultSet rs = stmt.executeQuery();
PrintWriter out = response.getWriter();
while (rs.next()) {
out.println(rs.getString("name"));
}
}
}

24
tests/fixtures/real_world/java/taint/xss_response.expect.json vendored Normal file
View file

@ -0,0 +1,24 @@
{
"description": "XSS via reflected user input in doGet; doPost has manual HTML entity escaping",
"tags": [
"taint",
"xss",
"servlet"
],
"modes": [
"full"
],
"expected": [
{
"rule_id": "taint-unsanitised-flow",
"severity": null,
"must_match": true,
"line_range": [
5,
11
],
"evidence_contains": [],
"notes": "request.getParameter(\"name\") flows directly into out.println without escaping in doGet"
}
]
}

19
tests/fixtures/real_world/java/taint/xss_response.java vendored Normal file
View file

@ -0,0 +1,19 @@
import java.io.*;
import javax.servlet.http.*;
public class XssHandler extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
PrintWriter out = response.getWriter();
out.println("<h1>Hello " + name + "</h1>");
}
protected void doPost(HttpServletRequest request, HttpServletResponse response)
throws IOException {
String name = request.getParameter("name");
String safe = name.replace("<", "&lt;").replace(">", "&gt;");
PrintWriter out = response.getWriter();
out.println("<h1>Hello " + safe + "</h1>");
}
}