apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-21 20:18:06 +02:00
Code Issues Projects Releases Packages Wiki Activity
nyx/tests/fixtures/auth_analysis/helper_no_auth_lift.rs
Eli Peter a438886217
Python fp and docs updtes (#58) 
* refactor: Update comments for clarity and add expectations.json files for performance metrics

* feat: Implement FP guard for JS/TS local-collection receivers to suppress missing ownership checks

* feat: Enhance Rust parameter handling to classify local collections and prevent false ownership checks

* refactor: Simplify code formatting for better readability in multiple files

* refactor: Improve UTF-8 sequence length handling and enhance clarity in loop iteration

* feat: Update Java and Python patterns to include new security rules

* refactor: Improve comment clarity and consistency across multiple Rust files

* refactor: Simplify code formatting for improved readability in integration tests and module files

* refactor: Improve comment formatting and enhance clarity in assertions across multiple files
2026-04-29 19:53:34 -04:00

43 lines
1.1 KiB
Rust
Raw Blame History

// B4 regression guard: `format_target` does NOT auth-check
// `group_id`, it just constructs a string from it. The helper-lift
// pass must not synthesise a covering AuthCheck on the handler's call
// site, so the subsequent `db.exec("INSERT INTO comments …", &[group_id])`
// MUST still flag.
struct Ctx;
struct Req;
struct User {
id: i64,
}
struct Db;
impl Db {
fn insert(&self, _s: &str, _a: &[i64]) {}
}
mod auth {
pub async fn require_auth(_r: &super::Req, _c: &super::Ctx) -> Result<super::User, ()> {
Ok(super::User { id: 1 })
}
}
fn format_target(group_id: i64, suffix: &str) -> String {
// No auth check here, pure formatting.
format!("group:{}{}", group_id, suffix)
}
pub async fn handle_post_comment(
req: Req,
ctx: Ctx,
group_id: i64,
body: String,
) -> Result<String, ()> {
let _user = auth::require_auth(&req, &ctx).await?;
let db = Db;
// No auth check on `group_id` anywhere in this file.
let _label = format_target(group_id, "/x");
let _ = body;
db.insert(
"INSERT INTO comments (group_id, body) VALUES (?1, ?2)",
&[group_id],
);
Ok("ok".into())
}
Reference in a new issue View git blame Copy permalink