mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
20 lines
657 B
JavaScript
20 lines
657 B
JavaScript
// File I/O — positive fixture.
|
|
// Vulnerable: reads a file at a user-controlled path without sanitization.
|
|
// Entry: readFile(userPath) Cap: FILE_IO
|
|
// Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
|
|
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
|
|
function readFile(userPath) {
|
|
const filePath = path.join('/var/data', userPath);
|
|
process.stdout.write('__NYX_SINK_HIT__\n');
|
|
try {
|
|
const content = fs.readFileSync(filePath, 'utf8');
|
|
process.stdout.write(content);
|
|
} catch (e) {
|
|
// Silent on error — target file may not exist in all envs
|
|
}
|
|
}
|
|
|
|
module.exports = { readFile };
|