mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
a438886217
* refactor: Update comments for clarity and add expectations.json files for performance metrics * feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks * feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks * refactor: Simplify code formatting for better readability in multiple files * refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration * feat: Update Java and Python patterns to include new security rules * refactor: Improve comment clarity and consistency across multiple Rust files * refactor: Simplify code formatting for improved readability in integration tests and module files * refactor: Improve comment formatting and enhance clarity in assertions across multiple files
60 lines
2.3 KiB
Rust
60 lines
2.3 KiB
Rust
//! Per-return-path decomposition integration tests: the decomposition
|
|
//! survives cross-file summary serialisation and application.
|
|
//!
|
|
//! Three fixtures cover distinct structural shapes of the per-return-path
|
|
//! transform:
|
|
//!
|
|
//! * `cross_file_phi_validated_branch` (Python), a callee whose two
|
|
//! return branches are both `Identity` on the value, differing only in
|
|
//! the predicate gate. The required SQLi finding confirms the
|
|
//! summary-application path does not regress on the common "union is
|
|
//! precise enough" case.
|
|
//! * `cross_file_phi_partial_sanitiser` (JS), the callee has two
|
|
//! returns with *different* transforms (Identity vs
|
|
//! StripBits(HTML_ESCAPE)). The caller invokes the unsanitised branch,
|
|
//! so the XSS sink must still fire, a regression guard against a
|
|
//! per-path application that over-eagerly attributes sanitation across
|
|
//! all branches.
|
|
//! * `cross_file_phi_both_branches_safe` (Go), both return paths run
|
|
//! the same sanitising validator. The SQL sink is on the forbidden
|
|
//! list: if the per-path decomposition regresses to "either branch
|
|
//! could be raw" the caller would pick up a false positive.
|
|
//!
|
|
//! The fixtures are *structural* (they exercise the plumbing: extraction,
|
|
//! serde, resolution, predicate-consistent application). Each assertion
|
|
//! distinguishes "per-path data survives and is applied" from "summary
|
|
//! application silently ignores the new field."
|
|
|
|
mod common;
|
|
|
|
use common::{scan_fixture_dir, validate_expectations};
|
|
use nyx_scanner::utils::config::AnalysisMode;
|
|
use std::path::{Path, PathBuf};
|
|
|
|
fn fixture_path(name: &str) -> PathBuf {
|
|
Path::new(env!("CARGO_MANIFEST_DIR"))
|
|
.join("tests")
|
|
.join("fixtures")
|
|
.join(name)
|
|
}
|
|
|
|
#[test]
|
|
fn cross_file_phi_validated_branch() {
|
|
let dir = fixture_path("cross_file_phi_validated_branch");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn cross_file_phi_partial_sanitiser() {
|
|
let dir = fixture_path("cross_file_phi_partial_sanitiser");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|
|
|
|
#[test]
|
|
fn cross_file_phi_both_branches_safe() {
|
|
let dir = fixture_path("cross_file_phi_both_branches_safe");
|
|
let diags = scan_fixture_dir(&dir, AnalysisMode::Full);
|
|
validate_expectations(&diags, &dir);
|
|
}
|