Dynamic (#77)

tests/dynamic_fixtures/java/fileio_positive.java

@@ -0,0 +1,29 @@
+// File I/O — positive fixture.
+// Vulnerable: reads file at user-controlled path without sanitization.
+// Entry: Entry.readFile(String)  Cap: FILE_IO
+// Expected verdict: Confirmed.
+//
+// The harness plants a canary file (`nyx_pt_canary`, whose CONTENT is the
+// collision-resistant marker) at the workdir root and an empty `testfiles/`
+// directory beside it. Reading `testfiles/ + userPath` without normalising is
+// the traversal sink: the vuln payload `../nyx_pt_canary` escapes `testfiles/`
+// back to the planted canary, so its marker content reaches stdout.
+
+import java.io.*;
+import java.nio.file.*;
+
+public class Entry {
+    public static void readFile(String userPath) throws Exception {
+        // Base directory the harness plants the canary one level above.
+        Path testfileDir = Paths.get(System.getProperty("user.dir"), "testfiles");
+        // Vulnerable: no normalisation / containment check on `userPath`.
+        Path filePath = testfileDir.resolve(userPath);
+        System.out.print("__NYX_SINK_HIT__\n");
+        try {
+            String content = new String(Files.readAllBytes(filePath));
+            System.out.print(content);
+        } catch (IOException e) {
+            // silent
+        }
+    }
+}