[pitboss] phase 05: M5 — JS/TS, Go, Java, PHP harness emitters

tests/dynamic_fixtures/java/cmdi_adversarial.java

@@ -0,0 +1,13 @@
+// Command injection — adversarial collision fixture.
+// Prints NYX_PWN_CMDI unconditionally without reaching a command sink
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: Entry.runPing(String)  Cap: CODE_EXEC
+
+public class Entry {
+    public static void runPing(String host) {
+        // Coincidental oracle match — not a shell sink.
+        System.out.println("NYX_PWN_CMDI");
+        int x = host.length();
+    }
+}

tests/dynamic_fixtures/java/cmdi_negative.java

@@ -0,0 +1,20 @@
+// Command injection — negative fixture.
+// Safe: exec with args array; no shell; semicolons are inert.
+// Entry: Entry.runPing(String)  Cap: CODE_EXEC
+// Expected verdict: NotConfirmed
+
+import java.io.*;
+
+public class Entry {
+    public static void runPing(String host) throws Exception {
+        // Array form: each element is a literal argument — no shell expansion.
+        String[] cmd = {"echo", "hello", host};
+        Process p = Runtime.getRuntime().exec(cmd);
+        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        String line;
+        while ((line = reader.readLine()) != null) {
+            System.out.println(line);
+        }
+        p.waitFor();
+    }
+}

tests/dynamic_fixtures/java/cmdi_positive.java

@@ -0,0 +1,20 @@
+// Command injection — positive fixture.
+// Vulnerable: passes user input to /bin/sh -c via Runtime.exec.
+// Entry: Entry.runPing(String)  Cap: CODE_EXEC
+// Expected verdict: Confirmed ("; echo NYX_PWN_CMDI" echoes the marker)
+
+import java.io.*;
+
+public class Entry {
+    public static void runPing(String host) throws Exception {
+        System.out.print("__NYX_SINK_HIT__\n");
+        String[] cmd = {"/bin/sh", "-c", "echo hello " + host};
+        Process p = Runtime.getRuntime().exec(cmd);
+        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        String line;
+        while ((line = reader.readLine()) != null) {
+            System.out.println(line);
+        }
+        p.waitFor();
+    }
+}

tests/dynamic_fixtures/java/cmdi_unsupported.java

@@ -0,0 +1,11 @@
+// Command injection — unsupported fixture.
+// Entry is an instance method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+import java.io.*;
+
+public class Entry {
+    public void execute(String cmd) throws Exception {
+        Runtime.getRuntime().exec(new String[]{"/bin/sh", "-c", cmd});
+    }
+}

tests/dynamic_fixtures/java/fileio_adversarial.java

@@ -0,0 +1,13 @@
+// File I/O — adversarial collision fixture.
+// Prints "root:" unconditionally without reading any file
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: Entry.readFile(String)  Cap: FILE_IO
+
+public class Entry {
+    public static void readFile(String userPath) {
+        // Coincidental oracle match — not a file read sink.
+        System.out.println("root: present");
+        int x = userPath.length();
+    }
+}

tests/dynamic_fixtures/java/fileio_negative.java

@@ -0,0 +1,27 @@
+// File I/O — negative fixture.
+// Safe: normalizes path and checks it stays within the base directory.
+// Entry: Entry.readFile(String)  Cap: FILE_IO
+// Expected verdict: NotConfirmed
+
+import java.io.*;
+import java.nio.file.*;
+
+public class Entry {
+    private static final String BASE_DIR = "/var/data";
+
+    public static void readFile(String userPath) throws Exception {
+        Path base = Paths.get(BASE_DIR).toRealPath();
+        Path resolved = base.resolve(userPath).normalize();
+        if (!resolved.startsWith(base)) {
+            System.out.println("Access denied");
+            return;
+        }
+        try {
+            byte[] data = Files.readAllBytes(resolved);
+            int len = Math.min(data.length, 100);
+            System.out.write(data, 0, len);
+        } catch (IOException e) {
+            System.out.println("File not found");
+        }
+    }
+}

tests/dynamic_fixtures/java/fileio_positive.java

@@ -0,0 +1,20 @@
+// File I/O — positive fixture.
+// Vulnerable: reads file at user-controlled path without sanitization.
+// Entry: Entry.readFile(String)  Cap: FILE_IO
+// Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
+
+import java.io.*;
+import java.nio.file.*;
+
+public class Entry {
+    public static void readFile(String userPath) throws Exception {
+        Path filePath = Paths.get("/var/data", userPath);
+        System.out.print("__NYX_SINK_HIT__\n");
+        try {
+            String content = new String(Files.readAllBytes(filePath));
+            System.out.print(content);
+        } catch (IOException e) {
+            // silent
+        }
+    }
+}

tests/dynamic_fixtures/java/fileio_unsupported.java

@@ -0,0 +1,13 @@
+// File I/O — unsupported fixture.
+// Entry is an instance method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+import java.io.*;
+import java.nio.file.*;
+
+public class Entry {
+    public void serve(String path) throws Exception {
+        byte[] data = Files.readAllBytes(Paths.get(path));
+        System.out.write(data);
+    }
+}

tests/dynamic_fixtures/java/sqli_adversarial.java

@@ -0,0 +1,13 @@
+// SQL injection — adversarial collision fixture.
+// Prints NYX_SQL_CONFIRMED unconditionally without reaching a SQL sink
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: Entry.login(String)  Cap: SQL_QUERY
+
+public class Entry {
+    public static void login(String username) {
+        // Coincidental oracle match — not a SQL sink.
+        System.out.println("NYX_SQL_CONFIRMED");
+        int x = username.length();
+    }
+}

tests/dynamic_fixtures/java/sqli_negative.java

@@ -0,0 +1,12 @@
+// SQL injection — negative fixture.
+// Safe: uses a parameterized query; payload is a bound argument.
+// Entry: Entry.login(String)  Cap: SQL_QUERY
+// Expected verdict: NotConfirmed
+
+public class Entry {
+    public static void login(String username) {
+        String template = "SELECT name FROM users WHERE name = ?";
+        // Simulate parameterized execution: template is fixed.
+        System.out.println("Executing: " + template + " param-len=" + username.length());
+    }
+}

tests/dynamic_fixtures/java/sqli_positive.java

@@ -0,0 +1,13 @@
+// SQL injection — positive fixture.
+// Vulnerable: directly concatenates user input into SQL query string.
+// Entry: Entry.login(String)  Cap: SQL_QUERY
+// Expected verdict: Confirmed (UNION payload echoes NYX_SQL_CONFIRMED)
+
+public class Entry {
+    public static void login(String username) {
+        String query = "SELECT name FROM users WHERE name='" + username + "'";
+        System.out.print("__NYX_SINK_HIT__\n");
+        // Error-based echo: output the query so UNION payload is visible.
+        System.out.println("DB query: " + query);
+    }
+}

tests/dynamic_fixtures/java/sqli_unsupported.java

@@ -0,0 +1,11 @@
+// SQL injection — unsupported fixture.
+// Entry is an instance method rather than a static method.
+// Test sets confidence = Low to get Unsupported(ConfidenceTooLow).
+// Expected verdict: Unsupported
+
+public class Entry {
+    public void findUser(String name) {
+        String query = "SELECT * FROM users WHERE name='" + name + "'";
+        System.out.println(query);
+    }
+}

tests/dynamic_fixtures/java/ssrf_adversarial.java

@@ -0,0 +1,13 @@
+// SSRF — adversarial collision fixture.
+// Prints "daemon:" unconditionally without making any HTTP request
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: Entry.fetchUrl(String)  Cap: SSRF
+
+public class Entry {
+    public static void fetchUrl(String targetUrl) {
+        // Coincidental oracle match — not an HTTP sink.
+        System.out.println("daemon: present");
+        int x = targetUrl.length();
+    }
+}

tests/dynamic_fixtures/java/ssrf_negative.java

@@ -0,0 +1,27 @@
+// SSRF — negative fixture.
+// Safe: only allows http/https scheme; file:// rejected.
+// Entry: Entry.fetchUrl(String)  Cap: SSRF
+// Expected verdict: NotConfirmed
+
+import java.io.*;
+import java.net.*;
+
+public class Entry {
+    public static void fetchUrl(String targetUrl) throws Exception {
+        URL url = new URL(targetUrl);
+        String proto = url.getProtocol();
+        if (!proto.equals("http") && !proto.equals("https")) {
+            System.out.println("Scheme not allowed: " + proto);
+            return;
+        }
+        try (InputStream in = url.openStream();
+             BufferedReader reader = new BufferedReader(new InputStreamReader(in))) {
+            String line;
+            while ((line = reader.readLine()) != null) {
+                System.out.println(line.substring(0, Math.min(line.length(), 64)));
+            }
+        } catch (Exception e) {
+            System.out.println("Connection error");
+        }
+    }
+}

tests/dynamic_fixtures/java/ssrf_positive.java

@@ -0,0 +1,24 @@
+// SSRF — positive fixture.
+// Vulnerable: makes a request to a user-controlled URL.
+// Entry: Entry.fetchUrl(String)  Cap: SSRF
+// Expected verdict: Confirmed (file:///etc/passwd → "daemon:" in output)
+// Note: Java URL supports file:// scheme natively.
+
+import java.io.*;
+import java.net.*;
+
+public class Entry {
+    public static void fetchUrl(String targetUrl) throws Exception {
+        System.out.print("__NYX_SINK_HIT__\n");
+        URL url = new URL(targetUrl);
+        try (InputStream in = url.openStream();
+             BufferedReader reader = new BufferedReader(new InputStreamReader(in))) {
+            String line;
+            while ((line = reader.readLine()) != null) {
+                System.out.println(line);
+            }
+        } catch (Exception e) {
+            // silent
+        }
+    }
+}

tests/dynamic_fixtures/java/ssrf_unsupported.java

@@ -0,0 +1,12 @@
+// SSRF — unsupported fixture.
+// Entry is an instance method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+import java.io.*;
+import java.net.*;
+
+public class Entry {
+    public void fetch(String url) throws Exception {
+        new URL(url).openStream().close();
+    }
+}

tests/dynamic_fixtures/java/xss_adversarial.java

@@ -0,0 +1,13 @@
+// XSS — adversarial collision fixture.
+// Prints the XSS oracle marker unconditionally without rendering any template
+// and without emitting __NYX_SINK_HIT__.
+// Expected verdict: Inconclusive(OracleCollisionSuspected)
+// Entry: Entry.renderPage(String)  Cap: HTML_ESCAPE
+
+public class Entry {
+    public static void renderPage(String userInput) {
+        // Coincidental oracle match — not an HTML render sink.
+        System.out.println("<script>NYX_XSS_CONFIRMED</script>");
+        int x = userInput.length();
+    }
+}

tests/dynamic_fixtures/java/xss_negative.java

@@ -0,0 +1,19 @@
+// XSS — negative fixture.
+// Safe: HTML-encodes special characters before output.
+// Entry: Entry.renderPage(String)  Cap: HTML_ESCAPE
+// Expected verdict: NotConfirmed
+
+public class Entry {
+    private static String escapeHtml(String s) {
+        return s.replace("&", "&")
+                .replace("<", "&lt;")
+                .replace(">", "&gt;")
+                .replace("\"", "&quot;")
+                .replace("'", "&#39;");
+    }
+
+    public static void renderPage(String userInput) {
+        String safe = escapeHtml(userInput);
+        System.out.print("<html><body>" + safe + "</body></html>\n");
+    }
+}

tests/dynamic_fixtures/java/xss_positive.java

@@ -0,0 +1,11 @@
+// XSS — positive fixture.
+// Vulnerable: echoes raw user input into HTML output without escaping.
+// Entry: Entry.renderPage(String)  Cap: HTML_ESCAPE
+// Expected verdict: Confirmed (<script>NYX_XSS_CONFIRMED</script> echoed)
+
+public class Entry {
+    public static void renderPage(String userInput) {
+        System.out.print("__NYX_SINK_HIT__\n");
+        System.out.print("<html><body>" + userInput + "</body></html>\n");
+    }
+}

tests/dynamic_fixtures/java/xss_unsupported.java

@@ -0,0 +1,9 @@
+// XSS — unsupported fixture.
+// Entry is an instance method; test sets confidence = Low.
+// Expected verdict: Unsupported
+
+public class Entry {
+    public void render(String input) {
+        System.out.print("<html><body>" + input + "</body></html>\n");
+    }
+}