feat(dynamic): enhance corpus sync script with improved payload parsing, registry checks, and expanded validation logic

tests/dynamic_fixtures/java/fileio_positive.java

@@ -1,18 +1,23 @@
 // File I/O — positive fixture.
 // Vulnerable: reads file at user-controlled path without sanitization.
 // Entry: Entry.readFile(String)  Cap: FILE_IO
-// Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
+// Expected verdict: Confirmed.
 //
-// Base directory is `/tmp` rather than `/var/data` so the harness can resolve
-// the traversal payload on both Linux and macOS hosts (`/var/data` is absent
-// on macOS, which makes `Files.readAllBytes` throw before reaching the file).
+// The harness plants a canary file (`nyx_pt_canary`, whose CONTENT is the
+// collision-resistant marker) at the workdir root and an empty `testfiles/`
+// directory beside it. Reading `testfiles/ + userPath` without normalising is
+// the traversal sink: the vuln payload `../nyx_pt_canary` escapes `testfiles/`
+// back to the planted canary, so its marker content reaches stdout.
 
 import java.io.*;
 import java.nio.file.*;
 
 public class Entry {
     public static void readFile(String userPath) throws Exception {
-        Path filePath = Paths.get("/tmp", userPath);
+        // Base directory the harness plants the canary one level above.
+        Path testfileDir = Paths.get(System.getProperty("user.dir"), "testfiles");
+        // Vulnerable: no normalisation / containment check on `userPath`.
+        Path filePath = testfileDir.resolve(userPath);
         System.out.print("__NYX_SINK_HIT__\n");
         try {
             String content = new String(Files.readAllBytes(filePath));