Python fp and docs updtes (#58)

* refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files
2026-06-21 20:18:06 +02:00 · 2026-04-29 19:53:34 -04:00 · 2026-04-29 19:53:34 -04:00 · a438886217
commit a438886217
parent 4db0805de6
291 changed files with 9485 additions and 3851 deletions
--- a/tests/benchmark/cve_corpus/java/CVE-2022-1471/patched.java
+++ b/tests/benchmark/cve_corpus/java/CVE-2022-1471/patched.java
@ -0,0 +1,37 @@
+// Nyx CVE benchmark fixture (patched counterpart).
+//
+// CVE:      CVE-2022-1471
+// Project:  SnakeYAML (snakeyaml/snakeyaml)
+// License:  Apache-2.0
+//           (https://github.com/snakeyaml/snakeyaml/blob/master/LICENSE.txt)
+// Advisory: https://github.com/advisories/GHSA-mjmj-j48q-9wg2
+//
+// Patched variant: the parser is constructed with `SafeConstructor`,
+// which restricts the YAML tag handler set to primitives + standard
+// collections. SnakeYAML 2.0 ships with `SafeConstructor` as the
+// default; pre-2.0 consumers patched their own call sites to pass
+// `SafeConstructor` explicitly (the form below).
+//
+// Patched-fix simplification: the upstream remediation also covers
+// callers that need richer types via custom `Constructor` subclasses
+// with declared safe types — those are out of scope for this fixture.
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.Yaml;
+import org.yaml.snakeyaml.constructor.SafeConstructor;
+
+public class YamlConfigServlet extends HttpServlet {
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Exception {
+        String body = req.getReader().readLine();
+        // Patched: SafeConstructor forbids arbitrary class tags;
+        // any non-primitive `!!…` payload throws ConstructorException.
+        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
+        Object loaded = yaml.load(body);
+        res.setHeader("X-Yaml-Class", loaded.getClass().getName());
+        res.setStatus(HttpServletResponse.SC_OK);
+    }
+}
--- a/tests/benchmark/cve_corpus/java/CVE-2022-1471/vulnerable.java
+++ b/tests/benchmark/cve_corpus/java/CVE-2022-1471/vulnerable.java
@ -0,0 +1,43 @@
+// Nyx CVE benchmark fixture.
+//
+// CVE:        CVE-2022-1471
+// Project:    SnakeYAML (snakeyaml/snakeyaml; consumed via any app
+//             that constructs `new Yaml()` and calls `.load()` on
+//             attacker-controlled bytes)
+// License:    Apache-2.0
+//             (https://github.com/snakeyaml/snakeyaml/blob/master/LICENSE.txt)
+// Advisory:   https://github.com/advisories/GHSA-mjmj-j48q-9wg2
+//             https://nvd.nist.gov/vuln/detail/CVE-2022-1471
+// Vulnerable: SnakeYAML <= 1.33; the default `Constructor` accepts
+//             arbitrary tags (`!!javax.script.ScriptEngineManager`,
+//             `!!java.net.URLClassLoader`, etc.) and instantiates any
+//             class via reflection, reaching RCE on consumers that
+//             feed network input straight into Yaml.load().
+//
+// Verbatim load-bearing lines: the unsafe `new Yaml()` construction
+// and the `yaml.load(body)` call mirror the call-site shape called
+// out in the advisory's "vulnerable code" example. The patched fix
+// (next file) shows the SnakeYAML 2.0 fix pattern of explicitly
+// passing `new SafeConstructor(new LoaderOptions())`.
+//
+// Trims: imports trimmed to just SnakeYAML and Servlet API; no
+// helper / logging code.
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.yaml.snakeyaml.Yaml;
+
+public class YamlConfigServlet extends HttpServlet {
+    @Override
+    protected void doPost(HttpServletRequest req, HttpServletResponse res) throws Exception {
+        String body = req.getReader().readLine();
+        // Vulnerable: default Constructor allows arbitrary class
+        // instantiation via YAML tag handlers — `body` may contain
+        // `!!javax.script.ScriptEngineManager` and friends.
+        Yaml yaml = new Yaml();
+        Object loaded = yaml.load(body);
+        res.setHeader("X-Yaml-Class", loaded.getClass().getName());
+        res.setStatus(HttpServletResponse.SC_OK);
+    }
+}
--- a/tests/benchmark/cve_corpus/java/CVE-2022-42889/patched.java
+++ b/tests/benchmark/cve_corpus/java/CVE-2022-42889/patched.java
@ -0,0 +1,33 @@
+// Nyx CVE benchmark fixture (patched counterpart).
+//
+// CVE:      CVE-2022-42889 ("Text4Shell")
+// Project:  Apache Commons Text (apache/commons-text)
+// License:  Apache-2.0
+//           (https://github.com/apache/commons-text/blob/master/LICENSE.txt)
+// Advisory: https://github.com/advisories/GHSA-599f-7c49-w659
+//
+// Patched variant: the substitutor is built with `new StringSubstitutor()`
+// (no factory) so the lookup map is empty — `${anything}` becomes a
+// literal pass-through. This is the recommended app-side mitigation
+// for callers that cannot upgrade past 1.9, and it is also the
+// behaviour of the 1.10.0 default `createDefault()` factory which
+// drops the `script:` / `dns:` / `url:` interpolation lookups.
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.text.StringSubstitutor;
+
+public class TemplateRenderServlet extends HttpServlet {
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Exception {
+        String input = req.getParameter("template");
+        // Patched: no interpolator constructed; the substitutor has
+        // no lookups registered, so `${…}` is left as a literal in
+        // the rendered output. No script/dns/url evaluation.
+        StringSubstitutor substitutor = new StringSubstitutor();
+        String rendered = substitutor.replace(input);
+        res.setHeader("X-Rendered-Length", String.valueOf(rendered.length()));
+        res.setStatus(HttpServletResponse.SC_OK);
+    }
+}
--- a/tests/benchmark/cve_corpus/java/CVE-2022-42889/vulnerable.java
+++ b/tests/benchmark/cve_corpus/java/CVE-2022-42889/vulnerable.java
@ -0,0 +1,45 @@
+// Nyx CVE benchmark fixture.
+//
+// CVE:        CVE-2022-42889 (a.k.a. "Text4Shell")
+// Project:    Apache Commons Text (apache/commons-text); consumed via
+//             any app that calls `StringSubstitutor.createInterpolator()`
+//             on attacker-controlled input.
+// License:    Apache-2.0
+//             (https://github.com/apache/commons-text/blob/master/LICENSE.txt)
+// Advisory:   https://github.com/advisories/GHSA-599f-7c49-w659
+//             https://nvd.nist.gov/vuln/detail/CVE-2022-42889
+// Vulnerable: commons-text 1.5 .. 1.9. `createInterpolator()`
+//             enables the `script:`, `dns:`, and `url:` lookups by
+//             default, so a substitution like `${script:javascript:…}`
+//             evaluates JavaScript via the JSR-223 ScriptEngineManager
+//             — full RCE on any consumer that feeds untrusted input
+//             through `.replace()`.
+//
+// Verbatim load-bearing lines: the `StringSubstitutor.createInterpolator()`
+// factory call and the `interpolator.replace(input)` sink mirror the
+// minimal triggering pattern published in the OSS-Security advisory
+// (https://www.openwall.com/lists/oss-security/2022/10/13/4) and the
+// vendor mitigation guidance for 1.10.0.
+//
+// Trims: imports limited to commons-text + servlet; no surrounding
+// templating boilerplate.
+
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import org.apache.commons.text.StringSubstitutor;
+
+public class TemplateRenderServlet extends HttpServlet {
+    @Override
+    protected void doGet(HttpServletRequest req, HttpServletResponse res) throws Exception {
+        String input = req.getParameter("template");
+        // Vulnerable: createInterpolator() enables script:/dns:/url:
+        // lookups by default; .replace() evaluates them against
+        // `input` — `${script:js:…}` → arbitrary JavaScript via the
+        // JDK ScriptEngineManager.
+        StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
+        String rendered = interpolator.replace(input);
+        res.setHeader("X-Rendered-Length", String.valueOf(rendered.length()));
+        res.setStatus(HttpServletResponse.SC_OK);
+    }
+}