stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
Details
Findings Ledger CI / build-test (push) Has been cancelled
Details
Findings Ledger CI / migration-validation (push) Has been cancelled
Details
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Details
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Details
AOC Guard CI / aoc-guard (push) Has been cancelled
Details
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Details
cryptopro-linux-csp / build-and-test (push) Has been cancelled
Details
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Details
Signals CI & Image / signals-ci (push) Has been cancelled
Details
sm-remote-ci / build-and-test (push) Has been cancelled
Details
Findings Ledger CI / generate-manifest (push) Has been cancelled
Details
AOC Guard CI / aoc-verify (push) Has been cancelled
Details
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Details
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Details
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Details

Browse Source
This commit is contained in:
StellaOps Bot
2025-12-09 09:38:09 +02:00
parent bc0762e97d
commit 108d1c64b3
193 changed files with 7265 additions and 13029 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
bench/reachability-benchmark/cases/java/micronaut-guarded/case.yaml Normal file
View File

@@ -0,0 +1,48 @@
id: "java-micronaut-guarded:204"
language: java
project: micronaut-guarded
version: "1.0.0"
description: "Micronaut-style controller guards deserialization behind ALLOW_MN_DESER flag (unreachable by default)"
entrypoints:
- "POST /mn/upload"
sinks:
- id: "MicronautDeserializeGuarded::handleUpload"
path: "bench.reachability.micronautguard.Controller.handleUpload"
kind: "custom"
location:
file: src/Controller.java
line: 11
notes: "ObjectInputStream gated by ALLOW_MN_DESER"
environment:
os_image: "eclipse-temurin:21-jdk"
runtime:
java: "21"
source_date_epoch: 1730000000
resource_limits:
cpu: "2"
memory: "4Gi"
build:
command: "./build/build.sh"
source_date_epoch: 1730000000
outputs:
artifact_path: outputs/binary.tar.gz
sbom_path: outputs/sbom.cdx.json
coverage_path: outputs/coverage.json
traces_dir: outputs/traces
attestation_path: outputs/attestation.json
test:
command: "./build/build.sh"
expected_coverage: []
expected_traces: []
env:
JAVA_TOOL_OPTIONS: "-ea"
ground_truth:
summary: "Guard blocks deserialization unless ALLOW_MN_DESER=true"
evidence_files:
- "../benchmark/truth/java-micronaut-guarded.json"
sandbox:
network: loopback
privileges: rootless
redaction:
pii: false
policy: "benchmark-default/v1"

8
bench/reachability-benchmark/cases/java/micronaut-guarded/entrypoints.yaml Normal file
View File

@@ -0,0 +1,8 @@
case_id: "java-micronaut-guarded:204"
entries:
http:
- id: "POST /mn/upload"
route: "/mn/upload"
method: "POST"
handler: "Controller.handleUpload"
description: "Deserialization guarded by ALLOW_MN_DESER flag"

12
bench/reachability-benchmark/cases/java/micronaut-guarded/pom.xml Normal file
View File

@@ -0,0 +1,12 @@
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>org.stellaops.bench</groupId>
<artifactId>micronaut-guarded</artifactId>
<version>1.0.0</version>
<packaging>jar</packaging>
<properties>
<maven.compiler.source>17</maven.compiler.source>
<maven.compiler.target>17</maven.compiler.target>
</properties>
</project>

27
bench/reachability-benchmark/cases/java/micronaut-guarded/src/Controller.java Normal file
View File

@@ -0,0 +1,27 @@
package bench.reachability.micronautguard;
import java.util.Map;
import java.util.Base64;
import java.io.*;
public class Controller {
// Deserialization behind feature flag; unreachable unless ALLOW_MN_DESER=true
public static Response handleUpload(Map<String, String> body, Map<String, String> env) {
if (!"true".equals(env.getOrDefault("ALLOW_MN_DESER", "false"))) {
return new Response(403, "forbidden");
}
String payload = body.get("payload");
if (payload == null) {
return new Response(400, "bad request");
}
try (ObjectInputStream ois = new ObjectInputStream(
new ByteArrayInputStream(Base64.getDecoder().decode(payload)))) {
Object obj = ois.readObject();
return new Response(200, obj.toString());
} catch (Exception ex) {
return new Response(500, ex.getClass().getSimpleName());
}
}
public record Response(int status, String body) {}
}

29
bench/reachability-benchmark/cases/java/micronaut-guarded/src/ControllerTest.java Normal file
View File

@@ -0,0 +1,29 @@
package bench.reachability.micronautguard;
import java.io.*;
import java.util.*;
import java.util.Base64;
public class ControllerTest {
private static String serialize(Object obj) throws IOException {
ByteArrayOutputStream bos = new ByteArrayOutputStream();
try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
oos.writeObject(obj);
}
return Base64.getEncoder().encodeToString(bos.toByteArray());
}
public static void main(String[] args) throws Exception {
Map<String, String> body = Map.of("payload", serialize("blocked"));
Map<String, String> env = Map.of("ALLOW_MN_DESER", "false");
var res = Controller.handleUpload(body, env);
assert res.status() == 403 : "status";
assert res.body().equals("forbidden") : "body";
File outDir = new File("outputs");
outDir.mkdirs();
try (FileWriter fw = new FileWriter(new File(outDir, "SINK_BLOCKED"))) {
fw.write("true");
}
}
}