feat(dynamic): enhance corpus sync script with improved payload parsing, registry checks, and expanded validation logic

tests/dynamic_fixtures/java/fileio_adversarial.java

@@ -1,13 +1,16 @@
 // File I/O — adversarial collision fixture.
-// Prints "root:" unconditionally without reading any file
-// and without emitting __NYX_SINK_HIT__.
+// Prints the path-traversal canary marker unconditionally without reading any
+// file and without emitting __NYX_SINK_HIT__, so the oracle observes a marker
+// hit with no sink-reachability.
 // Expected verdict: Inconclusive(OracleCollisionSuspected)
 // Entry: Entry.readFile(String)  Cap: FILE_IO
 
 public class Entry {
     public static void readFile(String userPath) {
-        // Coincidental oracle match — not a file read sink.
-        System.out.println("root: present");
+        // Coincidental oracle match — emits the marker string but is not a
+        // file-read sink and never reaches the planted canary.  Must match the
+        // CANARY_MARKER in src/dynamic/corpus/path_trav/java.rs.
+        System.out.println("NYX_PATHTRAVERSAL_R34D_a7f3c1d8 present");
         int x = userPath.length();
     }
 }

tests/dynamic_fixtures/java/fileio_negative.java

@@ -1,5 +1,6 @@
 // File I/O — negative fixture.
-// Safe: normalizes path and checks it stays within the base directory.
+// Safe: normalizes the path and checks it stays within the base directory, so
+// the traversal payload cannot escape `testfiles/` to reach the planted canary.
 // Entry: Entry.readFile(String)  Cap: FILE_IO
 // Expected verdict: NotConfirmed
 
@@ -7,13 +8,10 @@ import java.io.*;
 import java.nio.file.*;
 
 public class Entry {
-    // `/tmp` exists on Linux and macOS so `toRealPath()` resolves cleanly on
-    // both. The traversal payload still escapes the base (which is the point
-    // of the safe-path check) so the verdict stays NotConfirmed.
-    private static final String BASE_DIR = "/tmp";
-
     public static void readFile(String userPath) throws Exception {
-        Path base = Paths.get(BASE_DIR).toRealPath();
+        // Same base the harness plants the canary one level above; the
+        // containment check is what makes this safe.
+        Path base = Paths.get(System.getProperty("user.dir"), "testfiles").toRealPath();
         Path resolved = base.resolve(userPath).normalize();
         if (!resolved.startsWith(base)) {
             System.out.println("Access denied");

tests/dynamic_fixtures/java/fileio_positive.java

@@ -1,18 +1,23 @@
 // File I/O — positive fixture.
 // Vulnerable: reads file at user-controlled path without sanitization.
 // Entry: Entry.readFile(String)  Cap: FILE_IO
-// Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
+// Expected verdict: Confirmed.
 //
-// Base directory is `/tmp` rather than `/var/data` so the harness can resolve
-// the traversal payload on both Linux and macOS hosts (`/var/data` is absent
-// on macOS, which makes `Files.readAllBytes` throw before reaching the file).
+// The harness plants a canary file (`nyx_pt_canary`, whose CONTENT is the
+// collision-resistant marker) at the workdir root and an empty `testfiles/`
+// directory beside it. Reading `testfiles/ + userPath` without normalising is
+// the traversal sink: the vuln payload `../nyx_pt_canary` escapes `testfiles/`
+// back to the planted canary, so its marker content reaches stdout.
 
 import java.io.*;
 import java.nio.file.*;
 
 public class Entry {
     public static void readFile(String userPath) throws Exception {
-        Path filePath = Paths.get("/tmp", userPath);
+        // Base directory the harness plants the canary one level above.
+        Path testfileDir = Paths.get(System.getProperty("user.dir"), "testfiles");
+        // Vulnerable: no normalisation / containment check on `userPath`.
+        Path filePath = testfileDir.resolve(userPath);
         System.out.print("__NYX_SINK_HIT__\n");
         try {
             String content = new String(Files.readAllBytes(filePath));

tests/dynamic_fixtures/java/servlet_doget/Benign.java

@@ -17,7 +17,7 @@ public class Benign {
         BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line;
         while ((line = reader.readLine()) != null) {
-            System.out.println(line);
+            resp.write(line + "\n");
         }
         p.waitFor();
     }

tests/dynamic_fixtures/java/servlet_doget/Vuln.java

@@ -17,7 +17,7 @@ public class Vuln {
         BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line;
         while ((line = reader.readLine()) != null) {
-            System.out.println(line);
+            resp.write(line + "\n");
         }
         p.waitFor();
     }

tests/dynamic_fixtures/java/servlet_dopost/Benign.java

@@ -13,7 +13,7 @@ public class Benign {
         BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line;
         while ((line = reader.readLine()) != null) {
-            System.out.println(line);
+            resp.write(line + "\n");
         }
         p.waitFor();
     }

tests/dynamic_fixtures/java/servlet_dopost/Vuln.java

@@ -16,7 +16,7 @@ public class Vuln {
         BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
         String line;
         while ((line = reader.readLine()) != null) {
-            System.out.println(line);
+            resp.write(line + "\n");
         }
         p.waitFor();
     }