refactor(dynamic): add recursive dependency resolution for Java, Go, and Ruby receivers, expand corresponding tests

2026-06-15 20:05:13 +02:00 · 2026-05-24 21:45:54 -05:00 · 2026-05-24 21:45:54 -05:00 · acec041676
commit acec041676
parent 0e8c900078
10 changed files with 366 additions and 10 deletions
--- a/tests/dynamic_fixtures/class_method/go_recursive_deps/benign.go
+++ b/tests/dynamic_fixtures/class_method/go_recursive_deps/benign.go
@ -0,0 +1,32 @@
+// Benign control for recursively populated Go struct dependencies.
+package entry
+
+import "strings"
+
+type ShellRunner struct{}
+
+func (ShellRunner) Run(command string) string {
+	return strings.ReplaceAll(command, "NYX_PWN_CMDI", "")
+}
+
+type UserRepository struct {
+	Runner *ShellRunner
+}
+
+func (r UserRepository) Find(input string) string {
+	if r.Runner == nil {
+		return ""
+	}
+	return r.Runner.Run(input)
+}
+
+type UserService struct {
+	Repository *UserRepository
+}
+
+func (s UserService) Run(input string) string {
+	if s.Repository == nil {
+		return ""
+	}
+	return s.Repository.Find(input)
+}
--- a/tests/dynamic_fixtures/class_method/go_recursive_deps/vuln.go
+++ b/tests/dynamic_fixtures/class_method/go_recursive_deps/vuln.go
@ -0,0 +1,33 @@
+// Class-method fixture with recursively populated Go struct dependencies.
+package entry
+
+import "os/exec"
+
+type ShellRunner struct{}
+
+func (ShellRunner) Run(command string) string {
+	out, _ := exec.Command("sh", "-c", "true "+command).Output()
+	return string(out)
+}
+
+type UserRepository struct {
+	Runner *ShellRunner
+}
+
+func (r UserRepository) Find(input string) string {
+	if r.Runner == nil {
+		return ""
+	}
+	return r.Runner.Run(input)
+}
+
+type UserService struct {
+	Repository *UserRepository
+}
+
+func (s UserService) Run(input string) string {
+	if s.Repository == nil {
+		return ""
+	}
+	return s.Repository.Find(input)
+}
--- a/tests/dynamic_fixtures/class_method/java_recursive_deps/Benign.java
+++ b/tests/dynamic_fixtures/class_method/java_recursive_deps/Benign.java
@ -0,0 +1,32 @@
+// Benign control for recursively constructed Java dependencies.
+public class Benign {
+    public static class ShellRunner {
+        public String run(String command) {
+            return command.replace("NYX_PWN_CMDI", "");
+        }
+    }
+
+    public static class UserRepository {
+        private final ShellRunner shellRunner;
+
+        public UserRepository(ShellRunner shellRunner) {
+            this.shellRunner = shellRunner;
+        }
+
+        public String find(String input) {
+            return shellRunner.run(input);
+        }
+    }
+
+    public static class UserService {
+        private final UserRepository userRepository;
+
+        public UserService(UserRepository userRepository) {
+            this.userRepository = userRepository;
+        }
+
+        public String run(String input) {
+            return userRepository.find(input);
+        }
+    }
+}
--- a/tests/dynamic_fixtures/class_method/java_recursive_deps/Vuln.java
+++ b/tests/dynamic_fixtures/class_method/java_recursive_deps/Vuln.java
@ -0,0 +1,39 @@
+// Class-method fixture with recursively constructed Java dependencies.
+import java.io.InputStream;
+
+public class Vuln {
+    public static class ShellRunner {
+        public String run(String command) throws Exception {
+            Process p = new ProcessBuilder("sh", "-c", "true " + command)
+                .redirectErrorStream(true)
+                .start();
+            try (InputStream in = p.getInputStream()) {
+                return new String(in.readAllBytes());
+            }
+        }
+    }
+
+    public static class UserRepository {
+        private final ShellRunner shellRunner;
+
+        public UserRepository(ShellRunner shellRunner) {
+            this.shellRunner = shellRunner;
+        }
+
+        public String find(String input) throws Exception {
+            return shellRunner.run(input);
+        }
+    }
+
+    public static class UserService {
+        private final UserRepository userRepository;
+
+        public UserService(UserRepository userRepository) {
+            this.userRepository = userRepository;
+        }
+
+        public String run(String input) throws Exception {
+            return userRepository.find(input);
+        }
+    }
+}
--- a/tests/dynamic_fixtures/class_method/ruby_recursive_deps/benign.rb
+++ b/tests/dynamic_fixtures/class_method/ruby_recursive_deps/benign.rb
@ -0,0 +1,26 @@
+# Benign control for recursively constructed Ruby dependencies.
+class ShellRunner
+  def run(command)
+    command.gsub('NYX_PWN_CMDI', '')
+  end
+end
+
+class UserRepository
+  def initialize(shell_runner)
+    @shell_runner = shell_runner
+  end
+
+  def find(input)
+    @shell_runner.run(input)
+  end
+end
+
+class UserService
+  def initialize(user_repository)
+    @user_repository = user_repository
+  end
+
+  def run(input)
+    @user_repository.find(input)
+  end
+end
--- a/tests/dynamic_fixtures/class_method/ruby_recursive_deps/vuln.rb
+++ b/tests/dynamic_fixtures/class_method/ruby_recursive_deps/vuln.rb
@ -0,0 +1,26 @@
+# Class-method fixture with recursively constructed Ruby dependencies.
+class ShellRunner
+  def run(command)
+    `true #{command}`
+  end
+end
+
+class UserRepository
+  def initialize(shell_runner)
+    @shell_runner = shell_runner
+  end
+
+  def find(input)
+    @shell_runner.run(input)
+  end
+end
+
+class UserService
+  def initialize(user_repository)
+    @user_repository = user_repository
+  end
+
+  def run(input)
+    @user_repository.find(input)
+  end
+end