apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Critical bug fixes and recall improvements (#68)

Browse source
This commit is contained in:
Eli Peter 2026-05-11 12:42:39 -04:00 committed by GitHub
parent 7d0e7320e2
commit 55247b7fcd
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
352 changed files with 60069 additions and 900 deletions
Download patch file Download diff file Expand all files Collapse all files

19
tests/fixtures/realistic/ssrf/SsrfJavaSearchParams.java vendored Normal file
View file

@ -0,0 +1,19 @@
// Phase 14 fixture (Java search-params positive) attacker-controlled
// URL string concatenated with a query-parameter list. The
// `OkHttpClient.newCall(Request)` SSRF sink (Phase 14 addition) fires
// when the chained request builder smears the URL through
// `Request.Builder().url(full).build()` into the call.
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Call;
import javax.servlet.http.HttpServletRequest;
public class SsrfJavaSearchParams {
public Call proxy(HttpServletRequest req) throws Exception {
String target = req.getParameter("target");
String full = target + "?q=" + req.getParameter("q");
OkHttpClient client = new OkHttpClient();
Request httpReq = new Request.Builder().url(full).build();
return client.newCall(httpReq);
}
}