Dynamic (#77)

tests/dynamic_fixtures/java/servlet_doget/Benign.java

@@ -0,0 +1,24 @@
+// Phase 14 — servlet doGet, benign.
+//
+// Reads `payload` from the request but never threads it into a
+// shell-interpreted slot; the cmdi marker cannot fire.
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+
+public class Benign {
+    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+        System.out.print("__NYX_SINK_HIT__\n");
+        // Read + drop the parameter.
+        String unused = req.getParameter("payload");
+        if (unused == null) unused = "";
+        String[] cmd = {"/bin/sh", "-c", "echo hello"};
+        Process p = Runtime.getRuntime().exec(cmd);
+        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        String line;
+        while ((line = reader.readLine()) != null) {
+            resp.write(line + "\n");
+        }
+        p.waitFor();
+    }
+}

tests/dynamic_fixtures/java/servlet_doget/HttpServletRequest.java

@@ -0,0 +1,20 @@
+// Phase 14 fixture stub — minimal servlet request shape.
+// Lives in the default package so the harness shim's
+// `p.getName().endsWith("HttpServletRequest")` filter can match without
+// a Maven dep on `jakarta.servlet-api`.
+
+import java.util.HashMap;
+import java.util.Map;
+
+public class HttpServletRequest {
+    private final Map<String, String> params = new HashMap<>();
+    private String method = "GET";
+    private String body = "";
+
+    public void setParameter(String k, String v) { params.put(k, v); }
+    public String getParameter(String k) { return params.get(k); }
+    public void setMethod(String m) { this.method = m; }
+    public String getMethod() { return method; }
+    public void setBody(String b) { this.body = b; }
+    public String getBody() { return body; }
+}

tests/dynamic_fixtures/java/servlet_doget/HttpServletResponse.java

@@ -0,0 +1,6 @@
+// Phase 14 fixture stub — minimal servlet response shape.
+public class HttpServletResponse {
+    private final StringBuilder body = new StringBuilder();
+    public void write(String s) { body.append(s); }
+    public String getBody() { return body.toString(); }
+}

tests/dynamic_fixtures/java/servlet_doget/Vuln.java

@@ -0,0 +1,24 @@
+// Phase 14 — servlet doGet, vulnerable.
+//
+// Reads the `payload` query parameter from the request stub and feeds
+// it through `/bin/sh -c` — payload `; echo NYX_PWN_CMDI` fires the
+// cmdi oracle marker.
+
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+
+public class Vuln {
+    public void doGet(HttpServletRequest req, HttpServletResponse resp) throws Exception {
+        System.out.print("__NYX_SINK_HIT__\n");
+        String input = req.getParameter("payload");
+        if (input == null) input = "";
+        String[] cmd = {"/bin/sh", "-c", "echo hello " + input};
+        Process p = Runtime.getRuntime().exec(cmd);
+        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
+        String line;
+        while ((line = reader.readLine()) != null) {
+            resp.write(line + "\n");
+        }
+        p.waitFor();
+    }
+}

tests/dynamic_fixtures/java/servlet_doget/pom.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>nyx</groupId>
+  <artifactId>servlet-doget-fixture</artifactId>
+  <version>0.0.1</version>
+  <properties>
+    <maven.compiler.source>17</maven.compiler.source>
+    <maven.compiler.target>17</maven.compiler.target>
+  </properties>
+  <dependencies>
+    <dependency>
+      <groupId>jakarta.servlet</groupId>
+      <artifactId>jakarta.servlet-api</artifactId>
+      <version>6.0.0</version>
+      <scope>provided</scope>
+    </dependency>
+  </dependencies>
+</project>