Dynamic (#77)

tests/dynamic_fixtures/deserialize/java/Benign.java

@@ -0,0 +1,39 @@
+// Phase 03 (Track J.1) — Java deserialize benign fixture.
+//
+// Same shape as the vuln fixture but wraps `ObjectInputStream` in a
+// subclass whose `resolveClass` only accepts a tiny allowlist.  A
+// gadget chain never resolves so no Deserialize probe fires.
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+public class Benign {
+    static final Set<String> ALLOWED =
+        new HashSet<>(Arrays.asList("java.lang.Integer", "java.lang.String"));
+
+    static class RestrictedObjectInputStream extends ObjectInputStream {
+        RestrictedObjectInputStream(ByteArrayInputStream s) throws IOException {
+            super(s);
+        }
+        @Override
+        protected Class<?> resolveClass(ObjectStreamClass desc)
+                throws IOException, ClassNotFoundException {
+            if (!ALLOWED.contains(desc.getName())) {
+                throw new InvalidClassException("blocked: " + desc.getName());
+            }
+            return super.resolveClass(desc);
+        }
+    }
+
+    public static Object run(byte[] payload) throws Exception {
+        ByteArrayInputStream bis = new ByteArrayInputStream(payload);
+        try (RestrictedObjectInputStream ois = new RestrictedObjectInputStream(bis)) {
+            return ois.readObject();
+        }
+    }
+}