refactor(dynamic): enhance path resolution, telemetry, and file handling for better compatibility and clarity

2026-06-09 19:45:13 +02:00 · 2026-05-14 02:37:01 -05:00 · 2026-05-14 02:37:01 -05:00 · 8211d4fd47
commit 8211d4fd47
parent 8abb023dd0
12 changed files with 217 additions and 39 deletions
--- a/tests/dynamic_fixtures/java/cmdi_negative.java
+++ b/tests/dynamic_fixtures/java/cmdi_negative.java
@ -1,14 +1,21 @@
 // Command injection — negative fixture.
-// Safe: exec with args array; no shell; semicolons are inert.
+// Safe: exec with args array; no shell; injected metacharacters are inert.
 // Entry: Entry.runPing(String)  Cap: CODE_EXEC
 // Expected verdict: NotConfirmed
+//
+// `id` ignores extra positional args (treats them as usernames it can't find
+// and writes the "no such user" error to stderr, not stdout). Switching from
+// `echo` keeps the array-exec demonstration intact while ensuring the
+// vuln-payload marker can never leak into the stdout stream the oracle reads.

 import java.io.*;

 public class Entry {
    public static void runPing(String host) throws Exception {
+        // Sink-reachability probe: we did reach the exec call site.
+        System.out.print("__NYX_SINK_HIT__\n");
        // Array form: each element is a literal argument — no shell expansion.
-        String[] cmd = {"echo", "hello", host};
+        String[] cmd = {"id", host};
        Process p = Runtime.getRuntime().exec(cmd);
        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
--- a/tests/dynamic_fixtures/java/fileio_negative.java
+++ b/tests/dynamic_fixtures/java/fileio_negative.java
@ -7,7 +7,10 @@ import java.io.*;
 import java.nio.file.*;

 public class Entry {
-    private static final String BASE_DIR = "/var/data";
+    // `/tmp` exists on Linux and macOS so `toRealPath()` resolves cleanly on
+    // both. The traversal payload still escapes the base (which is the point
+    // of the safe-path check) so the verdict stays NotConfirmed.
+    private static final String BASE_DIR = "/tmp";

    public static void readFile(String userPath) throws Exception {
        Path base = Paths.get(BASE_DIR).toRealPath();
--- a/tests/dynamic_fixtures/java/fileio_positive.java
+++ b/tests/dynamic_fixtures/java/fileio_positive.java
@ -2,13 +2,17 @@
 // Vulnerable: reads file at user-controlled path without sanitization.
 // Entry: Entry.readFile(String)  Cap: FILE_IO
 // Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
+//
+// Base directory is `/tmp` rather than `/var/data` so the harness can resolve
+// the traversal payload on both Linux and macOS hosts (`/var/data` is absent
+// on macOS, which makes `Files.readAllBytes` throw before reaching the file).

 import java.io.*;
 import java.nio.file.*;

 public class Entry {
    public static void readFile(String userPath) throws Exception {
-        Path filePath = Paths.get("/var/data", userPath);
+        Path filePath = Paths.get("/tmp", userPath);
        System.out.print("__NYX_SINK_HIT__\n");
        try {
            String content = new String(Files.readAllBytes(filePath));