From 157a1550e01f10d488d5d2cdc6acdb25ae3f82ad Mon Sep 17 00:00:00 2001
From: Nicolas Will
Date: Fri, 27 Feb 2026 17:31:52 +0100
Subject: [PATCH] Fix Micronaut local threat model value flow test
---
.../taintsources/MicronautConfig.java | 30 +++++++++++++++++++
.../dataflow/taintsources/options | 2 +-
2 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 java/ql/test/library-tests/dataflow/taintsources/MicronautConfig.java
diff --git a/java/ql/test/library-tests/dataflow/taintsources/MicronautConfig.java b/java/ql/test/library-tests/dataflow/taintsources/MicronautConfig.java
new file mode 100644
index 00000000000..4b2367fec27
--- /dev/null
+++ b/java/ql/test/library-tests/dataflow/taintsources/MicronautConfig.java
@@ -0,0 +1,30 @@
+import io.micronaut.context.annotation.Value;
+import io.micronaut.context.annotation.Property;
+import io.micronaut.http.annotation.*;
+
+@Controller("/config")
+class MicronautConfig {
+
+ private static void sink(Object o) {}
+
+ @Value("${app.secret}")
+ String secretValue;
+
+ @Property(name = "app.api-key")
+ String apiKey;
+
+ @Get("/secret")
+ void testValueField() {
+ sink(secretValue); // $hasLocalValueFlow
+ }
+
+ @Get("/key")
+ void testPropertyField() {
+ sink(apiKey); // $hasLocalValueFlow
+ }
+
+ @Get("/param")
+ void testValueParam(@Value("${app.name}") String appName) {
+ sink(appName); // $hasLocalValueFlow
+ }
+}
diff --git a/java/ql/test/library-tests/dataflow/taintsources/options b/java/ql/test/library-tests/dataflow/taintsources/options
index 1ae3d158cec..04284151d07 100644
--- a/java/ql/test/library-tests/dataflow/taintsources/options
+++ b/java/ql/test/library-tests/dataflow/taintsources/options
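Review bot: The new `MicronautConfig` test asserts only positive cases, so it would still pass if the local-source model over-matched, for example by treating every field or every route parameter of a `@Controller` class as a source. Add a negative control beside `secretValue` and `apiKey`: an unannotated field such as `String plainField;` plus a handler that calls `sink(plainField);` with no expectation tag, so over-broad matching shows up as an unexpected result. `@Property` is exercised only on a field while `@Value` is exercised on both a field and a parameter; if the model is meant to cover `@Property` on parameters as well, that case is untested here. A short class comment such as `// Micronaut @Value/@Property injection points, expected as local threat-model sources` would also explain why a controller appears in this test directory.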
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jakarta.servlet-api-6.0.0:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263
\ No newline at end of file
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/jakarta.servlet-api-6.0.0:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/servlet-api-2.4:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/google-android-9.0.0:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jackson-databind-2.12:${testdir}/../../../stubs/jackson-core-2.12:${testdir}/../../../stubs/akka-2.6.x:${testdir}/../../../stubs/jwtk-jjwt-0.11.2:${testdir}/../../../stubs/jenkins:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/micronaut-4.x
\ No newline at end of file