Dynamic (#77)

2026-06-09 19:45:13 +02:00 · 2026-06-05 10:16:30 -05:00 · 2026-06-05 10:16:30 -05:00 · 991c84a1eb
commit 991c84a1eb
parent 55247b7fcd
1464 changed files with 225448 additions and 1985 deletions
--- a/tests/dynamic_fixtures/class_method/java/Benign.java
+++ b/tests/dynamic_fixtures/class_method/java/Benign.java
@ -0,0 +1,16 @@
+// Phase 19 (Track M.1) — class-method benign control for Java.
+//
+// The payload is passed as an argv element to true(1), so no shell parses or
+// echoes marker bytes.
+public class Benign {
+    public static class UserRepository {
+        public UserRepository() {}
+
+        public void findByName(String name) throws Exception {
+            Process p = new ProcessBuilder("/usr/bin/true", name)
+                .redirectErrorStream(true)
+                .start();
+            p.waitFor();
+        }
+    }
+}
--- a/tests/dynamic_fixtures/class_method/java/Vuln.java
+++ b/tests/dynamic_fixtures/class_method/java/Vuln.java
@ -0,0 +1,22 @@
+// Phase 19 (Track M.1) — class-method vuln fixture for Java.
+//
+// UserRepository.findByName concatenates user input into a shell command.
+// The nested class has a default constructor so the ClassMethod harness can
+// build the receiver reflectively.
+import java.io.InputStream;
+
+public class Vuln {
+    public static class UserRepository {
+        public UserRepository() {}
+
+        public void findByName(String name) throws Exception {
+            Process p = new ProcessBuilder("sh", "-c", "true " + name)
+                .redirectErrorStream(true)
+                .start();
+            try (InputStream in = p.getInputStream()) {
+                in.transferTo(System.out);
+            }
+            p.waitFor();
+        }
+    }
+}