refactor(dynamic): standardize shell commands across fixtures, add __NYX_SINK_HIT__ markers, improve PHP support

2026-06-09 19:45:13 +02:00 · 2026-05-23 10:31:57 -05:00 · 2026-05-23 10:31:57 -05:00 · fe09986a25
commit fe09986a25
parent ca075a7141
32 changed files with 707 additions and 71 deletions
--- a/tests/dynamic_fixtures/class_method/java/Benign.java
+++ b/tests/dynamic_fixtures/class_method/java/Benign.java
@ -1,20 +1,16 @@
 // Phase 19 (Track M.1) — class-method benign control for Java.
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.PreparedStatement;
-import java.sql.SQLException;
-
+//
+// The payload is passed as an argv element to true(1), so no shell parses or
+// echoes marker bytes.
 public class Benign {
    public static class UserRepository {
        public UserRepository() {}

-        public void findByName(String name) throws SQLException {
-            Connection c = DriverManager.getConnection("jdbc:sqlite::memory:");
-            PreparedStatement ps = c.prepareStatement("SELECT id FROM users WHERE name = ?");
-            ps.setString(1, name);
-            ps.execute();
-            ps.close();
-            c.close();
+        public void findByName(String name) throws Exception {
+            Process p = new ProcessBuilder("/usr/bin/true", name)
+                .redirectErrorStream(true)
+                .start();
+            p.waitFor();
        }
    }
 }
--- a/tests/dynamic_fixtures/class_method/java/Vuln.java
+++ b/tests/dynamic_fixtures/class_method/java/Vuln.java
@ -1,25 +1,22 @@
 // Phase 19 (Track M.1) — class-method vuln fixture for Java.
 //
-// UserRepository.findByName concatenates user input into a JDBC SQL
-// statement.  Default constructor exists so the harness can build the
-// receiver without stubbing dependencies.
-import java.sql.Connection;
-import java.sql.DriverManager;
-import java.sql.Statement;
-import java.sql.SQLException;
+// UserRepository.findByName concatenates user input into a shell command.
+// The nested class has a default constructor so the ClassMethod harness can
+// build the receiver reflectively.
+import java.io.InputStream;

 public class Vuln {
    public static class UserRepository {
        public UserRepository() {}

-        public void findByName(String name) throws SQLException {
-            Connection c = DriverManager.getConnection("jdbc:sqlite::memory:");
-            Statement s = c.createStatement();
-            // SINK: tainted concat into SQL
-            String sql = "SELECT id FROM users WHERE name = '" + name + "'";
-            s.execute(sql);
-            s.close();
-            c.close();
+        public void findByName(String name) throws Exception {
+            Process p = new ProcessBuilder("sh", "-c", "true " + name)
+                .redirectErrorStream(true)
+                .start();
+            try (InputStream in = p.getInputStream()) {
+                in.transferTo(System.out);
+            }
+            p.waitFor();
        }
    }
 }