{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "POST /api/webhook (or /api/application/webhook) with a webhook URL payload intended to reach an internal/private host; the variant search also considered /api/alarmRule/includeWebhooks.",
  "service_started": false,
  "healthcheck_passed": true,
  "target_path_reached": false,
  "runtime_stack": [
    "pinpoint v3.1.0 vulnerable source (parent reproduction)",
    "pinpoint master f683a24b4f fixed source",
    "standalone Java harness (WebhookUrlValidator + WebhookDnsResolver)",
    "Apache HttpClient 5 (source dependency only)"
  ],
  "proof_artifacts": [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/compile.log",
    "logs/vuln_variant/harness.log",
    "vuln_variant/artifacts/source_identity.txt",
    "vuln_variant/artifacts/src/webhook/support/WebhookUrlValidator.java",
    "vuln_variant/artifacts/src/batch/alarm/sender/WebhookDnsResolver.java",
    "vuln_variant/artifacts/src/test/VariantBypassHarness.java"
  ],
  "notes": "No runtime service was started for the fixed version because no patched Docker image exists. The fixed code was exercised by extracting the patched WebhookUrlValidator and WebhookDnsResolver classes and compiling them into a standalone Java harness. The harness compared the vulnerable new-URL().toURI() behavior against the patched registration and send-time validators. All 27 private-target bypass candidates were blocked."
}
