package bench.reachability;

import java.util.Map;
import java.util.Base64;
import java.io.*;

public class App {
    // Deserialization sink guarded by feature flag
    public static Response handleRequest(Map<String, String> body, Map<String, String> env) {
        if (!"true".equals(env.getOrDefault("ALLOW_DESER", "false"))) {
            return new Response(403, "forbidden");
        }
        String payload = body.get("payload");
        if (payload == null) {
            return new Response(400, "bad request");
        }
        try {
            byte[] data = Base64.getDecoder().decode(payload);
            ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
            Object obj = ois.readObject();
            ois.close();
            return new Response(200, obj.toString());
        } catch (Exception ex) {
            return new Response(500, ex.getClass().getSimpleName());
        }
    }

    public record Response(int status, String body) {}
}