Source: {@code javax.servlet.http.HttpServletRequest#getParameter} — modeled by the + * base/Enterprise {@code javasecurity} config. + * + *
Sinks: Hutool ({@code cn.hutool.*}) APIs. These method signatures live in + * {@code javasecurity-advanced/sinks/*.json} (autogenerated library config) and are ABSENT + * from the base {@code javasecurity} config. Result: the base/Enterprise config raises nothing + * here; only the advanced config reports these vulnerabilities. + */ +public class AdvancedConfigServlet extends HttpServlet { + + /** + * S2076 - OS command injection. + * Sink: {@code cn.hutool.core.util.RuntimeUtil#exec([Ljava/lang/String;)Ljava/lang/Process;} + */ + @Override + protected void doGet(HttpServletRequest request, HttpServletResponse response) + throws ServletException, IOException { + String cmd = request.getParameter("cmd"); + RuntimeUtil.exec(cmd); // advanced-only sink + } + + /** + * S2083 - path traversal (read). + * Sink: {@code cn.hutool.core.io.FileUtil#readUtf8String(Ljava/lang/String;)Ljava/lang/String;} + */ + protected void readFile(HttpServletRequest request, HttpServletResponse response) + throws IOException { + String path = request.getParameter("path"); + String content = FileUtil.readUtf8String(path); // advanced-only sink + response.getWriter().write(content); + } + + /** + * S2083 - path traversal (delete). + * Sink: {@code cn.hutool.core.io.FileUtil#del(Ljava/lang/String;)Z} + */ + protected void deleteFile(HttpServletRequest request) { + String victim = request.getParameter("file"); + FileUtil.del(victim); // advanced-only sink + } +}