Precision pass on auth and resource analysis (#63)

tests/benchmark/corpus/java/safe/safe_statement_execute_pattern_validated.java

@@ -0,0 +1,45 @@
+// Regression guard for GHSA-h8cj-hpmg-636v patched-form recognition:
+// the Java `Pattern.matcher(value).matches()` chain is recognised as a
+// regex allowlist validator (in `src/taint/path_state.rs`), AND the
+// short-circuit cond chain (`x == null || x.isBlank() || !p.matcher(x).matches()`)
+// preserves the validation through the implicit-return path so the
+// helper-summary `validated_params_to_return` lift suppresses the
+// downstream `Statement.execute(query)` SQL_QUERY sink.
+//
+// Pins that the patched form does NOT fire `taint-unsanitised-flow`.
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.regex.Pattern;
+import javax.servlet.http.HttpServletRequest;
+
+class FilterServicePatched {
+    private static final Pattern FILTER_TEMP_TABLE_NAME_PATTERN = Pattern.compile("^tbl_[A-Z]{16}$");
+    private Connection connection;
+
+    public void drop(HttpServletRequest req) {
+        String tableName = req.getParameter("tableName");
+        dropTable(tableName);
+    }
+
+    public void dropTable(String tableName) {
+        validateFilterTempTableName(tableName);
+        String dropTableQuery = "DROP TABLE " + tableName + ";";
+        executeDbQuery(dropTableQuery);
+    }
+
+    private static void validateFilterTempTableName(String tableName) {
+        if (tableName == null || tableName.isBlank()
+                || !FILTER_TEMP_TABLE_NAME_PATTERN.matcher(tableName).matches()) {
+            throw new IllegalArgumentException("Invalid filter temporary table name");
+        }
+    }
+
+    private void executeDbQuery(String query) {
+        try (Statement statement = connection.createStatement()) {
+            statement.execute(query);
+        } catch (SQLException e) {
+            throw new RuntimeException(e.getMessage());
+        }
+    }
+}

tests/benchmark/corpus/java/sqli/sqli_statement_execute_chained.java

@@ -0,0 +1,41 @@
+// Regression guard for GHSA-h8cj-hpmg-636v engine fixes:
+//   1. createStatement → DatabaseConnection in Java constructor_type
+//      (`src/ssa/type_facts.rs`).
+//   2. DatabaseConnection.execute as SQL_QUERY sink in Java labels
+//      (`src/labels/java.rs`).
+//   3. Helper-summary type-facts threading through extract_ssa_func_summary
+//      (`src/taint/ssa_transfer/summary_extract.rs`).
+//   4. push_condition_node populating taint.uses so short-circuit cond
+//      branches intern their condition variables for branch narrowing
+//      (`src/cfg/conditions.rs`).
+//
+// Pins that an Appsmith-style SQLi via `Statement.execute(query)` through
+// a cross-function helper detects.  Same flow shape as the real CVE
+// fixture but reduced to one file with no patched/safe sibling — the
+// safe counterpart lives at safe_statement_execute_pattern_validated.java.
+import java.sql.Connection;
+import java.sql.SQLException;
+import java.sql.Statement;
+import javax.servlet.http.HttpServletRequest;
+
+class FilterServiceVulnerable {
+    private Connection connection;
+
+    public void drop(HttpServletRequest req) {
+        String tableName = req.getParameter("tableName");
+        dropTable(tableName);
+    }
+
+    public void dropTable(String tableName) {
+        String dropTableQuery = "DROP TABLE " + tableName + ";";
+        executeDbQuery(dropTableQuery);
+    }
+
+    private void executeDbQuery(String query) {
+        try (Statement statement = connection.createStatement()) {
+            statement.execute(query);
+        } catch (SQLException e) {
+            throw new RuntimeException(e.getMessage());
+        }
+    }
+}