[pitboss] phase 14: Track L.12 — Spring / Quarkus / Micronaut / Jakarta Servlet adapters

This commit is contained in:
pitboss 2026-05-18 13:46:43 -05:00
parent 67685947ab
commit 78023ccf38
47 changed files with 1711 additions and 21 deletions


@ -492,6 +492,7 @@ pub fn run_shape_fixture_lang(
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
// Phase 14: Java shape fixtures bundle annotation / type stubs as
@ -787,6 +788,7 @@ pub fn run_harness_snapshot_lang(
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
let harness = lang_emit::emit(&spec).expect("emitter must produce a harness");

View file

@ -44,6 +44,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -345,6 +346,7 @@ mod e2e_phase_03 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -0,0 +1,30 @@
// Phase 14 Micronaut `@Controller`, benign.
//
// Same shape as the vuln but echoes a constant string instead of
// concatenating the path variable into a shell command.
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import java.io.BufferedReader;
import java.io.InputStreamReader;
@Controller("/run")
public class Benign {
@Get("/{id}")
public String show(String id) throws Exception {
System.out.print("__NYX_SINK_HIT__\n");
String[] cmd = {"/bin/sh", "-c", "echo hello"};
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
StringBuilder out = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
out.append(line);
out.append('\n');
System.out.println(line);
}
p.waitFor();
return out.toString();
}
}

View file

@ -0,0 +1,17 @@
// Phase 14 fixture stub minimal Micronaut `@Controller`.
// Lives in `io.micronaut.http.annotation` so the fixture's
// `import io.micronaut.http.annotation.Controller;` compiles under
// plain javac (no Micronaut Maven dep required).
package io.micronaut.http.annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
public @interface Controller {
String value() default "";
}

View file

@ -0,0 +1,14 @@
// Phase 14 fixture stub minimal Micronaut `@Get`.
package io.micronaut.http.annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.METHOD)
public @interface Get {
String value() default "";
}

View file

@ -0,0 +1,32 @@
// Phase 14 Micronaut `@Controller`, vulnerable.
//
// `@Controller("/run")` on the class + `@Get("/{id}")` on the handler
// matches the Phase 14 [`JavaShape::MicronautRoute`]. The harness
// invokes `show(payload)` via reflection.
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import java.io.BufferedReader;
import java.io.InputStreamReader;
@Controller("/run")
public class Vuln {
@Get("/{id}")
public String show(String id) throws Exception {
System.out.print("__NYX_SINK_HIT__\n");
if (id == null) id = "";
String[] cmd = {"/bin/sh", "-c", "echo hello " + id};
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
StringBuilder out = new StringBuilder();
String line;
while ((line = reader.readLine()) != null) {
out.append(line);
out.append('\n');
System.out.println(line);
}
p.waitFor();
return out.toString();
}
}

View file

@ -0,0 +1,18 @@
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
<modelVersion>4.0.0</modelVersion>
<groupId>nyx</groupId>
<artifactId>micronaut-route-fixture</artifactId>
<version>0.0.1</version>
<properties>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
</properties>
<dependencies>
<dependency>
<groupId>io.micronaut</groupId>
<artifactId>micronaut-http</artifactId>
<version>4.4.0</version>
</dependency>
</dependencies>
</project>

View file

@ -59,6 +59,7 @@ fn flask_spec(entry_rel: &str) -> HarnessSpec {
derivation: SpecDerivationStrategy::FromCallgraphEntry,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}

View file

@ -57,6 +57,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -543,6 +544,7 @@ mod e2e_phase_08 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -745,6 +745,7 @@ public class App {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
let captured = capture_project_dependencies(project_root.path(), &spec);

View file

@ -0,0 +1,189 @@
//! Phase 14 (Track L.12) — Java framework adapter integration tests.
//!
//! Each test drives `detect_binding` end-to-end against a fixture
//! file under `tests/dynamic_fixtures/java/`, asserting that the
//! right adapter fires, the binding carries `EntryKind::HttpRoute`,
//! and the `RouteShape` matches the brief's contract. Benign
//! fixtures must produce the same adapter binding shape as the vuln
//! fixtures — the adapter only models the route, the differential
//! outcome of a verifier run is what distinguishes the two.
//!
//! The Spring fixture lives under `spring_controller/`, the Quarkus
//! fixture under `quarkus_route/`, the Servlet doGet/doPost
//! fixtures under `servlet_doget/` and `servlet_dopost/`, and the
//! Micronaut fixture under `micronaut_route/` (introduced in this
//! phase).
#![cfg(feature = "dynamic")]
use nyx_scanner::dynamic::framework::{detect_binding, HttpMethod, ParamSource};
use nyx_scanner::evidence::EntryKind;
use nyx_scanner::summary::FuncSummary;
use nyx_scanner::symbol::Lang;
fn parse_java(src: &[u8]) -> tree_sitter::Tree {
let mut parser = tree_sitter::Parser::new();
let lang = tree_sitter::Language::from(tree_sitter_java::LANGUAGE);
parser.set_language(&lang).unwrap();
parser.parse(src, None).unwrap()
}
fn summary_for(name: &str, file: &str) -> FuncSummary {
FuncSummary {
name: name.into(),
file_path: file.into(),
lang: "java".into(),
..Default::default()
}
}
#[test]
fn spring_vuln_fixture_binds_route() {
let path = "tests/dynamic_fixtures/java/spring_controller/Vuln.java";
let bytes = std::fs::read(path).expect("spring vuln fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("run", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("spring adapter must bind");
assert_eq!(binding.adapter, "java-spring");
assert_eq!(binding.kind, EntryKind::HttpRoute);
let route = binding.route.as_ref().expect("route");
assert_eq!(route.path, "/run");
assert_eq!(route.method, HttpMethod::GET);
}
#[test]
fn spring_benign_fixture_binds_same_route_shape() {
let path = "tests/dynamic_fixtures/java/spring_controller/Benign.java";
let bytes = std::fs::read(path).expect("spring benign fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("run", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("spring adapter must bind benign fixture");
assert_eq!(binding.adapter, "java-spring");
let route = binding.route.as_ref().expect("route");
assert_eq!(route.path, "/run");
assert_eq!(route.method, HttpMethod::GET);
}
#[test]
fn quarkus_vuln_fixture_binds_route() {
let path = "tests/dynamic_fixtures/java/quarkus_route/Vuln.java";
let bytes = std::fs::read(path).expect("quarkus vuln fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("run", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("quarkus adapter must bind");
assert_eq!(binding.adapter, "java-quarkus");
let route = binding.route.as_ref().expect("route");
assert_eq!(route.path, "/run");
assert_eq!(route.method, HttpMethod::GET);
}
#[test]
fn quarkus_benign_fixture_binds_same_route_shape() {
let path = "tests/dynamic_fixtures/java/quarkus_route/Benign.java";
let bytes = std::fs::read(path).expect("quarkus benign fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("run", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("quarkus adapter must bind benign fixture");
assert_eq!(binding.adapter, "java-quarkus");
let route = binding.route.as_ref().expect("route");
assert_eq!(route.path, "/run");
assert_eq!(route.method, HttpMethod::GET);
}
#[test]
fn micronaut_vuln_fixture_binds_route_with_path_segment() {
let path = "tests/dynamic_fixtures/java/micronaut_route/Vuln.java";
let bytes = std::fs::read(path).expect("micronaut vuln fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("show", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("micronaut adapter must bind");
assert_eq!(binding.adapter, "java-micronaut");
let route = binding.route.as_ref().expect("route");
assert_eq!(route.path, "/run/{id}");
assert_eq!(route.method, HttpMethod::GET);
let id_binding = binding
.request_params
.iter()
.find(|p| p.name == "id")
.expect("id formal");
assert!(matches!(id_binding.source, ParamSource::PathSegment(_)));
}
#[test]
fn micronaut_benign_fixture_binds_same_route_shape() {
let path = "tests/dynamic_fixtures/java/micronaut_route/Benign.java";
let bytes = std::fs::read(path).expect("micronaut benign fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("show", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("micronaut adapter must bind benign fixture");
assert_eq!(binding.adapter, "java-micronaut");
let route = binding.route.as_ref().expect("route");
assert_eq!(route.path, "/run/{id}");
assert_eq!(route.method, HttpMethod::GET);
}
#[test]
fn servlet_doget_vuln_fixture_binds_route() {
let path = "tests/dynamic_fixtures/java/servlet_doget/Vuln.java";
let bytes = std::fs::read(path).expect("servlet doGet vuln fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("doGet", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("servlet adapter must bind");
assert_eq!(binding.adapter, "java-servlet");
let route = binding.route.as_ref().expect("route");
assert_eq!(route.method, HttpMethod::GET);
// Default-package fixture has no `@WebServlet("/x")`, so the
// path defaults to `"/"`.
assert_eq!(route.path, "/");
// The (req, resp) pair should classify as Implicit.
assert!(binding
.request_params
.iter()
.all(|p| matches!(p.source, ParamSource::Implicit)));
}
#[test]
fn servlet_dopost_vuln_fixture_binds_route() {
let path = "tests/dynamic_fixtures/java/servlet_dopost/Vuln.java";
let bytes = std::fs::read(path).expect("servlet doPost vuln fixture exists");
let tree = parse_java(&bytes);
let summary = summary_for("doPost", path);
let binding = detect_binding(&summary, tree.root_node(), &bytes, Lang::Java)
.expect("servlet adapter must bind");
assert_eq!(binding.adapter, "java-servlet");
assert_eq!(binding.route.as_ref().unwrap().method, HttpMethod::POST);
}
#[test]
fn quarkus_adapter_does_not_fire_on_spring_file() {
// Regression: Spring sources should not pull the Quarkus adapter
// even when they happen to expose a JAX-RS-ish method name.
// Phase 14 disambiguator: Quarkus requires a quarkus / jakarta.ws.rs
// / javax.ws.rs / @Path stanza in the source.
let src: &[u8] = b"@RestController\n@RequestMapping(\"/api\")\npublic class C { @GetMapping(\"/x\") public String x() { return \"\"; } }\n";
let tree = parse_java(src);
let summary = summary_for("x", "phantom.java");
let binding =
detect_binding(&summary, tree.root_node(), src, Lang::Java).expect("adapter fires");
assert_eq!(binding.adapter, "java-spring");
}
#[test]
fn micronaut_adapter_disambiguates_against_spring_controller() {
// Both Spring and Micronaut use `@Controller`. Disambiguate via
// the `io.micronaut` import + the `@Get` (mixed-case) verb
// annotation.
let src: &[u8] = b"import io.micronaut.http.annotation.Controller;\nimport io.micronaut.http.annotation.Get;\n@Controller(\"/x\")\npublic class C { @Get(\"/y\") public String y() { return \"\"; } }\n";
let tree = parse_java(src);
let summary = summary_for("y", "phantom.java");
let binding =
detect_binding(&summary, tree.root_node(), src, Lang::Java).expect("adapter fires");
assert_eq!(binding.adapter, "java-micronaut");
}

View file

@ -49,6 +49,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -380,6 +381,7 @@ mod e2e_phase_06 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -57,6 +57,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -509,6 +510,7 @@ mod e2e_phase_09 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -365,6 +365,7 @@ mod e2e_phase_08 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -49,6 +49,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -478,6 +479,7 @@ mod e2e_phase_10 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -36,6 +36,7 @@ mod repro_determinism_tests {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -174,6 +175,7 @@ mod repro_determinism_tests {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -307,6 +309,7 @@ fn main() {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -363,6 +366,7 @@ fn main() {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -419,6 +423,7 @@ fn main() {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -475,6 +480,7 @@ fn main() {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}

View file

@ -98,6 +98,7 @@ fn flask_eval_spec() -> HarnessSpec {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}

View file

@ -55,6 +55,7 @@ mod repro_hermetic_tests {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}

View file

@ -52,6 +52,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -404,6 +405,7 @@ mod e2e_phase_04 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -42,6 +42,7 @@ fn make_spec(hash: &str) -> HarnessSpec {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}

View file

@ -55,6 +55,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -477,6 +478,7 @@ mod e2e_phase_07 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)

View file

@ -45,6 +45,7 @@ fn make_spec(lang: Lang, entry_file: &str, entry_name: &str) -> HarnessSpec {
derivation: nyx_scanner::dynamic::spec::SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
}
}
@ -408,6 +409,7 @@ mod e2e_phase_05 {
derivation: SpecDerivationStrategy::FromFlowSteps,
stubs_required: vec![],
framework: None,
java_toolchain: nyx_scanner::dynamic::spec::JavaToolchain::default(),
};
(spec, tmp)