mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
33 lines
1.5 KiB
Java
33 lines
1.5 KiB
Java
// Java JSON_PARSE depth-bomb vuln fixture.
|
|
//
|
|
// Models a config-driven JSON ingest endpoint that picks the parser
|
|
// input based on the request payload tag - `*_DEEP` routes through a
|
|
// deeply-nested array literal (256 levels) that drives the parser past
|
|
// the 64-level depth budget; `*_SHALLOW` routes through a flat `[]`
|
|
// parse that leaves the predicate clear. This shape is needed by the
|
|
// differential runner: the vuln-payload attempt and the benign-control
|
|
// attempt both load the same fixture, and only the payload-routed
|
|
// deep branch trips the `JsonParseExcessiveDepth` predicate.
|
|
//
|
|
// Java has no stdlib JSON parser. The harness ships a hand-rolled
|
|
// iterative `NyxJsonProbe.parse(String)` helper alongside `NyxHarness`
|
|
// so the fixture does not need to link Jackson / Gson at build time.
|
|
// The helper returns a `java.util.List` / `java.util.Map` tree the
|
|
// harness then walks via `NyxJsonProbe.countDepth(Object)` to produce
|
|
// the `ProbeKind::JsonParse { depth }` record.
|
|
public class Vuln {
|
|
public static Object run(String value) {
|
|
String text = value == null ? "" : value;
|
|
if (text.contains("DEEP")) {
|
|
StringBuilder sb = new StringBuilder();
|
|
for (int i = 0; i < 256; i++) {
|
|
sb.append('[');
|
|
}
|
|
for (int i = 0; i < 256; i++) {
|
|
sb.append(']');
|
|
}
|
|
return NyxJsonProbe.parse(sb.toString());
|
|
}
|
|
return NyxJsonProbe.parse("[]");
|
|
}
|
|
}
|