mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
24 lines
902 B
Java
24 lines
902 B
Java
// File I/O — positive fixture.
|
|
// Vulnerable: reads file at user-controlled path without sanitization.
|
|
// Entry: Entry.readFile(String) Cap: FILE_IO
|
|
// Expected verdict: Confirmed (../../../../etc/passwd → "root:" in output)
|
|
//
|
|
// Base directory is `/tmp` rather than `/var/data` so the harness can resolve
|
|
// the traversal payload on both Linux and macOS hosts (`/var/data` is absent
|
|
// on macOS, which makes `Files.readAllBytes` throw before reaching the file).
|
|
|
|
import java.io.*;
|
|
import java.nio.file.*;
|
|
|
|
public class Entry {
|
|
public static void readFile(String userPath) throws Exception {
|
|
Path filePath = Paths.get("/tmp", userPath);
|
|
System.out.print("__NYX_SINK_HIT__\n");
|
|
try {
|
|
String content = new String(Files.readAllBytes(filePath));
|
|
System.out.print(content);
|
|
} catch (IOException e) {
|
|
// silent
|
|
}
|
|
}
|
|
}
|