refactor(dynamic): replace reflective invocation with route replay logic for Micronaut and Quarkus, remove annotation stubs, and enhance runtime path binding

2026-06-09 19:45:13 +02:00 · 2026-05-26 11:38:12 -05:00 · 2026-05-26 11:38:12 -05:00 · 41c7b73575
commit 41c7b73575
parent 61bfc0cf96
26 changed files with 1256 additions and 224 deletions
--- a/tests/dynamic_fixtures/java/micronaut_route/Benign.java
+++ b/tests/dynamic_fixtures/java/micronaut_route/Benign.java
@ -1,4 +1,4 @@
-// Phase 14 — Micronaut `@Controller`, benign.
+// Micronaut `@Controller`, benign.
 //
 // Same shape as the vuln but echoes a constant string instead of
 // concatenating the path variable into a shell command.
--- a/tests/dynamic_fixtures/java/micronaut_route/Controller.java
+++ b/tests/dynamic_fixtures/java/micronaut_route/Controller.java
@ -1,17 +0,0 @@
-// Phase 14 fixture stub — minimal Micronaut `@Controller`.
-// Lives in `io.micronaut.http.annotation` so the fixture's
-// `import io.micronaut.http.annotation.Controller;` compiles under
-// plain javac (no Micronaut Maven dep required).
-
-package io.micronaut.http.annotation;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.TYPE)
-public @interface Controller {
-    String value() default "";
-}
--- a/tests/dynamic_fixtures/java/micronaut_route/Get.java
+++ b/tests/dynamic_fixtures/java/micronaut_route/Get.java
@ -1,14 +0,0 @@
-// Phase 14 fixture stub — minimal Micronaut `@Get`.
-
-package io.micronaut.http.annotation;
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.METHOD)
-public @interface Get {
-    String value() default "";
-}
--- a/tests/dynamic_fixtures/java/micronaut_route/Vuln.java
+++ b/tests/dynamic_fixtures/java/micronaut_route/Vuln.java
@ -1,8 +1,9 @@
-// Phase 14 — Micronaut `@Controller`, vulnerable.
+// Micronaut `@Controller`, vulnerable.
 //
 // `@Controller("/run")` on the class + `@Get("/{id}")` on the handler
-// matches the Phase 14 [`JavaShape::MicronautRoute`].  The harness
-// invokes `show(payload)` via reflection.
+// matches `JavaShape::MicronautRoute`. The harness keeps the real
+// Micronaut annotations on the classpath and replays the route through
+// those annotations.

 import io.micronaut.http.annotation.Controller;
 import io.micronaut.http.annotation.Get;
--- a/tests/dynamic_fixtures/java/micronaut_route/pom.xml
+++ b/tests/dynamic_fixtures/java/micronaut_route/pom.xml
@ -14,5 +14,10 @@
      <artifactId>micronaut-http</artifactId>
      <version>4.4.0</version>
    </dependency>
+    <dependency>
+      <groupId>io.micronaut</groupId>
+      <artifactId>micronaut-core</artifactId>
+      <version>4.4.0</version>
+    </dependency>
  </dependencies>
 </project>
--- a/tests/dynamic_fixtures/java/quarkus_route/Benign.java
+++ b/tests/dynamic_fixtures/java/quarkus_route/Benign.java
@ -1,6 +1,8 @@
-// Phase 14 — Quarkus reactive route, benign.
+// Quarkus reactive route, benign.

-// import io.quarkus.runtime.Quarkus;
+import io.quarkus.runtime.Quarkus;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;

 import java.io.BufferedReader;
 import java.io.InputStreamReader;
--- a/tests/dynamic_fixtures/java/quarkus_route/GET.java
+++ b/tests/dynamic_fixtures/java/quarkus_route/GET.java
@ -1,11 +0,0 @@
-// Phase 14 fixture stub — minimal `@GET` Jakarta REST annotation.
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target(ElementType.METHOD)
-public @interface GET {
-}
--- a/tests/dynamic_fixtures/java/quarkus_route/Path.java
+++ b/tests/dynamic_fixtures/java/quarkus_route/Path.java
@ -1,15 +0,0 @@
-// Phase 14 fixture stub — minimal `@Path` annotation (Jakarta REST).
-// Lives in the default package; the fixture imports the symbol as
-// plain `@Path` so javac is happy without a Quarkus / Jakarta REST
-// Maven dep.
-
-import java.lang.annotation.ElementType;
-import java.lang.annotation.Retention;
-import java.lang.annotation.RetentionPolicy;
-import java.lang.annotation.Target;
-
-@Retention(RetentionPolicy.RUNTIME)
-@Target({ElementType.TYPE, ElementType.METHOD})
-public @interface Path {
-    String value() default "";
-}
--- a/tests/dynamic_fixtures/java/quarkus_route/Vuln.java
+++ b/tests/dynamic_fixtures/java/quarkus_route/Vuln.java
@ -1,10 +1,10 @@
-// Phase 14 — Quarkus reactive route, vulnerable.
-//
-// `@Path("/run")` on the type + `@GET` on the handler matches the
-// Phase 14 [`JavaShape::detect`] for Quarkus.  The harness invokes
-// `run(payload)` via reflection.
+// Quarkus reactive route, vulnerable. The harness keeps the real
+// Jakarta REST annotations on the classpath and replays the route
+// through those annotations.

-// import io.quarkus.runtime.Quarkus;
+import io.quarkus.runtime.Quarkus;
+import jakarta.ws.rs.GET;
+import jakarta.ws.rs.Path;

 import java.io.BufferedReader;
 import java.io.InputStreamReader;
--- a/tests/dynamic_fixtures/java/quarkus_route/pom.xml
+++ b/tests/dynamic_fixtures/java/quarkus_route/pom.xml
@ -14,5 +14,10 @@
      <artifactId>quarkus-resteasy-reactive</artifactId>
      <version>3.8.3</version>
    </dependency>
+    <dependency>
+      <groupId>jakarta.ws.rs</groupId>
+      <artifactId>jakarta.ws.rs-api</artifactId>
+      <version>3.1.0</version>
+    </dependency>
  </dependencies>
 </project>