apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-09 19:45:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Python fp and docs updtes (#58)

Browse source 
* refactor: Update comments for clarity and add expectations.json files for performance metrics

* feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks

* feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks

* refactor: Simplify code formatting for better readability in multiple files

* refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration

* feat: Update Java and Python patterns to include new security rules

* refactor: Improve comment clarity and consistency across multiple Rust files

* refactor: Simplify code formatting for improved readability in integration tests and module files

* refactor: Improve comment formatting and enhance clarity in assertions across multiple files
This commit is contained in:
Eli Peter 2026-04-29 19:53:34 -04:00 committed by GitHub
parent 4db0805de6
commit a438886217
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
291 changed files with 9485 additions and 3851 deletions
Download patch file Download diff file Expand all files Collapse all files

17
tests/fixtures/patterns/java/negative.java vendored
View file

@ -1,5 +1,9 @@
import java.sql.*;
import java.security.SecureRandom;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.apache.commons.text.StringSubstitutor;
class Negative {
// Safe: parameterized query
@ -19,4 +23,17 @@ class Negative {
void safeLiteralQuery(Statement stmt) throws Exception {
stmt.executeQuery("SELECT COUNT(*) FROM users");
}
// Safe: SnakeYAML 2.0 / explicit SafeConstructor CVE-2022-1471 fix shape.
void safeSnakeyamlSafeConstructor(String body) {
LoaderOptions opts = new LoaderOptions();
Yaml yaml = new Yaml(new SafeConstructor(opts));
Object data = yaml.load(body);
}
// Safe: empty StringSubstitutor no interpolator factory CVE-2022-42889 fix shape.
String safeStringSubstitutorPassthrough(String input) {
StringSubstitutor s = new StringSubstitutor();
return s.replace(input);
}
}

14
tests/fixtures/patterns/java/positive.java vendored
View file

@ -1,6 +1,8 @@
import java.io.*;
import java.util.Random;
import java.security.MessageDigest;
import org.yaml.snakeyaml.Yaml;
import org.apache.commons.text.StringSubstitutor;
class Positive {
// java.deser.readobject
@ -45,4 +47,16 @@ class Positive {
void triggerGetWriterPrint(javax.servlet.http.HttpServletResponse resp) throws Exception {
resp.getWriter().println("<html>" + "data" + "</html>");
}
// java.deser.snakeyaml_unsafe_constructor CVE-2022-1471 regression guard.
void triggerSnakeyamlUnsafeConstructor() throws Exception {
Yaml yaml = new Yaml();
Object data = yaml.load("payload");
}
// java.code_exec.text4shell_interpolator CVE-2022-42889 regression guard.
String triggerText4ShellInterpolator(String input) {
StringSubstitutor s = StringSubstitutor.createInterpolator();
return s.replace(input);
}
}