nyx/tests/fixtures/java_service/Service.java
Eli Peter f96a89e7c1
Feat/full cfg (#30)
* feat: Enhance control flow analysis with function summaries and taint analysis

* feat: Update taint analysis to utilize function summaries for enhanced tracking

* Refactor `walk.rs` batch processing and override handling:

- Renamed `Batcher` to `BatchSender` for clarity.
- Added `BatchSender::new` constructor for cleaner initialization.
- Simplified batch size management in `BatchSender`.
- Extracted `build_overrides` function for reusable override construction.
- Improved error handling and validation in override building.
- Enhanced performance with directory and file type filtering in `walk`.

* Improve logging and streamline directory walk process:

- Added detailed `tracing` logs for debugging batch flushes, override construction, and walk initialization/completion.
- Optimized and simplified `filter_entry` logic for directory and file type filters.
- Improved metadata checks and max file size enforcement during the scan.

* Refactor and optimize taint tracking, label rules, and directory walk process:

- Replaced `DefaultHasher` with `blake3::Hasher` for improved taint hashing.
- Enhanced sorting and hashing logic in `taint.rs` for consistency and efficiency.
- Removed unused `set_hash` function and redundant imports across files.
- Improved batch sender logic in `walk.rs`, renaming key components for clarity.
- Unified `spawn_senders` and `spawn_file_walker` with thread handling and channel tuple return.
- Expanded label rules with additional matchers for sources, sanitizers, and sinks.
- Deprecated `dump_cfg` and specific logging utilities in `cfg.rs` for code cleanup.

* fix: fixed let chains error in walk.rs

* fix: updated dependencies

* fix: updated dependencies

* chore: Remove standard error in scan.rs

* feat: Introduce function summaries for enhanced taint and control flow analysis

* feat: Enhance taint analysis with interop support and function summaries

* feat: Add configuration analysis module and enhance matcher rules

* feat: Add arity column to function_summaries and handle schema migration

* fix: fixed clippy &PathBuf warnings

* chore: Update dependencies and versioning in Cargo files

* docs: Update README to enhance clarity and detail on features and analysis modes

* chore: Update CHANGELOG for version 0.2.0 with new features, changes, and fixes

* docs: Update SECURITY.md to clarify version support status

---------

Co-authored-by: elipeter <eli.peter@es.fcm.travel>
2026-02-24 23:44:07 -05:00


import java.io.*;
import java.sql.*;
import java.util.Random;
/**
 * Simulates a Java backend service handling HTTP requests.
 * Contains realistic vulnerability patterns found in enterprise Java code.
 *
 * <p>This is a scanner test fixture (it lives under {@code nyx/tests/fixtures}):
 * each method is one source-to-sink pattern for taint analysis to report, plus one
 * deliberately safe control at the end. The statement shapes are what is under
 * test, so the flagged calls are documented here rather than fixed; anyone
 * reusing this code outside the fixture should read every {@code VULN} tag as a
 * defect. Sources are {@code System.getenv} and caller-supplied arguments; sinks
 * are {@code Runtime.exec}, {@code Statement.execute*}, {@code readObject},
 * {@code Class.forName} and {@code java.util.Random}.
 */
public class Service {
    // JDBC connection shared by every query method. Nothing in this class closes
    // it, so presumably the caller that injected it owns its lifecycle.
    private Connection dbConn;

    /**
     * Creates a service bound to an existing JDBC connection.
     *
     * @param dbConn open connection used by all query methods; not null-checked
     */
    public Service(Connection dbConn) {
        this.dbConn = dbConn;
    }

    // ───── Command execution from environment ─────
    /**
     * POST /admin/maintenance
     * Runs a maintenance command from environment config.
     * VULN: System.getenv flows into Runtime.exec (command injection)
     *
     * <p>Whoever controls the process environment chooses the command line:
     * {@code MAINTENANCE_CMD} reaches {@code exec} with no validation. The fix
     * shape is a fixed executable with allow-listed arguments built through
     * {@link ProcessBuilder}. Secondary issues: {@code exec} rejects a null
     * command (unset variable) with {@link NullPointerException}; the reader is
     * never closed; the exit status is never checked, so a failed command's
     * partial output is returned as if it had succeeded.
     *
     * @return the child's standard output, with {@code "\n"} after every line
     * @throws IOException if the process cannot be started or its output read
     */
    public String handleMaintenance() throws IOException {
        String cmd = System.getenv("MAINTENANCE_CMD");
        Process proc = Runtime.getRuntime().exec(cmd);
        // Reads the child's stdout in the JVM default charset (no charset is given).
        BufferedReader reader = new BufferedReader(
            new InputStreamReader(proc.getInputStream())
        );
        StringBuilder output = new StringBuilder();
        String line;
        while ((line = reader.readLine()) != null) {
            output.append(line).append("\n");
        }
        return output.toString();
    }

    /**
     * POST /admin/deploy
     * Constructs a deploy command from multiple env vars.
     * VULN: System.getenv flows into Runtime.exec
     *
     * <p>{@code DEPLOY_HOST} and {@code ARTIFACT_PATH} are concatenated into one
     * string, and {@code exec(String)} splits that string on whitespace, so a
     * value containing spaces becomes extra {@code scp} arguments. An unset
     * variable is concatenated as the literal text {@code null} rather than
     * failing. Nothing waits for the process, reads its output or checks its
     * exit code, so the deploy is fire-and-forget.
     *
     * @throws IOException if the process cannot be started
     */
    public void handleDeploy() throws IOException {
        String target = System.getenv("DEPLOY_HOST");
        String artifact = System.getenv("ARTIFACT_PATH");
        String command = "scp " + artifact + " " + target + ":/opt/app/";
        Runtime.getRuntime().exec(command);
    }

    // ───── SQL injection via string concatenation ─────
    /**
     * GET /api/users/search
     * Searches users with a query parameter concatenated into SQL.
     * VULN: System.getenv flows into executeQuery (SQL injection)
     *
     * <p>Two tainted values reach the query text: {@code USERS_TABLE} from the
     * environment and {@code searchTerm} from the caller. Only the second can be
     * bound as a parameter (compare {@link #safeSearch(String)}); a table name
     * cannot be a bind variable and needs an allow-list check instead. The
     * {@link Statement} is never closed here; the returned {@link ResultSet} is
     * tied to it, so the caller has to close both (the statement is reachable
     * through {@code ResultSet.getStatement()}).
     *
     * @param searchTerm substring to match against {@code name}, used unescaped
     * @return the open result set; the caller closes it
     * @throws SQLException on any JDBC failure
     */
    public ResultSet searchUsers(String searchTerm) throws SQLException {
        String table = System.getenv("USERS_TABLE");
        String sql = "SELECT * FROM " + table + " WHERE name LIKE '%" + searchTerm + "%'";
        Statement stmt = dbConn.createStatement();
        return stmt.executeQuery(sql);
    }

    /**
     * POST /api/audit/log
     * Writes an audit log entry using concatenated SQL.
     * VULN: String concatenation in executeUpdate (SQL injection)
     *
     * <p>A single quote in {@code event} or {@code userId} ends the string literal
     * and the remainder of the value is parsed as SQL. Both values are ordinary
     * bind candidates, so a {@link PreparedStatement} with two {@code ?}
     * placeholders is the fix. {@code NOW()} ties this to a dialect that provides
     * it (presumably MySQL or PostgreSQL — not visible here). The
     * {@link Statement} is never closed.
     *
     * @param event free-text event name, written verbatim into the row
     * @param userId identifier of the acting user, written verbatim into the row
     * @throws SQLException on any JDBC failure
     */
    public void logAuditEvent(String event, String userId) throws SQLException {
        String sql = "INSERT INTO audit_log (event, user_id, ts) VALUES ('"
            + event + "', '" + userId + "', NOW())";
        Statement stmt = dbConn.createStatement();
        stmt.executeUpdate(sql);
    }

    // ───── Deserialization ─────
    /**
     * POST /api/session/restore
     * Deserializes a session object from a byte stream.
     * VULN: ObjectInputStream.readObject on untrusted data
     *
     * <p>{@code readObject} instantiates whatever serializable class the stream
     * names, before this method ever sees the result, so the caller's bytes
     * decide which classes run. No {@link java.io.ObjectInputFilter} is
     * installed and the result is not checked against an expected session type.
     * The stream is closed only on the success path: an exception from
     * {@code readObject} skips {@code ois.close()}. The declared
     * {@code throws Exception} hides the concrete types ({@link IOException},
     * {@link ClassNotFoundException}).
     *
     * @param sessionData serialized bytes supplied by the caller
     * @return whatever object the stream encoded
     * @throws Exception on read or class-resolution failure
     */
    public Object restoreSession(InputStream sessionData) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(sessionData);
        Object session = ois.readObject();
        ois.close();
        return session;
    }

    // ───── Reflection ─────
    /**
     * POST /api/plugins/load
     * Dynamically loads a class by name from environment config.
     * VULN: System.getenv flows into Class.forName (unsafe reflection)
     *
     * <p>Any class on the classpath can be named in {@code PLUGIN_CLASS}:
     * {@code Class.forName(String)} runs the class's static initializer on load,
     * and its no-arg constructor is then invoked, all without checking the class
     * against an expected plugin interface (none is visible in this file). An
     * allow-list of permitted class names, or at least an {@code isAssignableFrom}
     * check before {@code newInstance}, is the usual control.
     *
     * @return a new instance of the named class
     * @throws Exception if the class is missing, has no accessible no-arg
     *         constructor, or its constructor fails
     */
    public Object loadPlugin() throws Exception {
        String className = System.getenv("PLUGIN_CLASS");
        Class<?> pluginClass = Class.forName(className);
        return pluginClass.getDeclaredConstructor().newInstance();
    }

    // ───── Weak randomness ─────
    /**
     * Generates a session token using java.util.Random.
     * VULN: insecure random — should use SecureRandom for tokens
     *
     * <p>{@link Random} is a deterministic PRNG whose seed is not secret, so the
     * tokens are predictable; the fix is {@link java.security.SecureRandom}. The
     * token is also short: one {@code long} gives at most 64 bits, and
     * {@link Long#toHexString} drops leading zeros, so the result is 1 to 16
     * hex digits with no fixed width.
     *
     * @return lower-case hexadecimal token, 1 to 16 characters
     */
    public String generateSessionToken() {
        Random rng = new Random();
        long tokenValue = rng.nextLong();
        return Long.toHexString(tokenValue);
    }

    // ───── Safe patterns ─────
    /**
     * SAFE: uses PreparedStatement (parameterized query).
     *
     * <p>{@code term} is bound as a parameter, so it cannot change the query's
     * structure. It can still contain the LIKE wildcards {@code %} and
     * {@code _}, which pass through unescaped — a search for {@code "%"} matches
     * every row. That is a scoping concern, not injection. As in
     * {@link #searchUsers(String)}, the statement stays open and is reachable
     * from the returned result set, which the caller closes.
     *
     * @param term substring to match against {@code name}
     * @return the open result set; the caller closes it
     * @throws SQLException on any JDBC failure
     */
    public ResultSet safeSearch(String term) throws SQLException {
        PreparedStatement pstmt = dbConn.prepareStatement(
            "SELECT * FROM users WHERE name LIKE ?"
        );
        pstmt.setString(1, "%" + term + "%");
        return pstmt.executeQuery();
    }
}