-
Notifications
You must be signed in to change notification settings - Fork 0
Create vul.py #1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,77 @@ | ||||||||||||||||
| """ | ||||||||||||||||
| vuln_examples.py | ||||||||||||||||
| Intentionally vulnerable Python code for security testing | ||||||||||||||||
| """ | ||||||||||||||||
|
|
||||||||||||||||
| import os | ||||||||||||||||
| import sqlite3 | ||||||||||||||||
| import pickle | ||||||||||||||||
| import requests | ||||||||||||||||
| import hashlib | ||||||||||||||||
| from flask import Flask, request | ||||||||||||||||
|
|
||||||||||||||||
| app = Flask(__name__) | ||||||||||||||||
|
|
||||||||||||||||
| # 1️⃣ HARDCODED SECRET | ||||||||||||||||
| API_KEY = "sk_test_1234567890abcdef" | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 2️⃣ COMMAND INJECTION | ||||||||||||||||
| def list_files(user_path): | ||||||||||||||||
| os.system("ls " + user_path) | ||||||||||||||||
|
Comment on lines
+19
to
+21
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: cat vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 1527 Correct filename and replace The file is 🔧 Proposed fix def list_files(user_path):
- os.system("ls " + user_path)
+ return os.listdir(user_path)📝 Committable suggestion
Suggested change
🧰 Tools🪛 Ruff (0.14.14)[error] 21-21: Starting a process with a shell, possible injection detected (S605) 🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 3️⃣ SQL INJECTION | ||||||||||||||||
| def get_user(username): | ||||||||||||||||
| conn = sqlite3.connect("users.db") | ||||||||||||||||
| cursor = conn.cursor() | ||||||||||||||||
| query = f"SELECT * FROM users WHERE username = '{username}'" | ||||||||||||||||
| cursor.execute(query) | ||||||||||||||||
| return cursor.fetchall() | ||||||||||||||||
|
Comment on lines
+24
to
+30
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: # Find and read the vul.py file
find . -name "vul.py" -type f | head -5Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 95 🏁 Script executed: # Check if vul.py exists and read lines 24-30
if [ -f "./vul.py" ]; then
echo "=== File found. Reading lines 24-30 ==="
sed -n '24,30p' ./vul.py
echo ""
echo "=== Full file for context ==="
wc -l ./vul.py
fiRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 399 🏁 Script executed: # If not in root, search recursively
rg -l "def get_user" --type pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 93 Parameterize the SQL query and close the connection using a context manager. The function is vulnerable to SQL injection—the f-string directly interpolates the username parameter into the query without escaping. Additionally, the database connection is never closed, causing a resource leak. Use bound parameters and wrap the connection in a context manager to fix both issues. 🔧 Proposed fix def get_user(username):
- conn = sqlite3.connect("users.db")
- cursor = conn.cursor()
- query = f"SELECT * FROM users WHERE username = '{username}'"
- cursor.execute(query)
- return cursor.fetchall()
+ with sqlite3.connect("users.db") as conn:
+ cursor = conn.cursor()
+ cursor.execute("SELECT * FROM users WHERE username = ?", (username,))
+ return cursor.fetchall()🧰 Tools🪛 Ruff (0.14.14)[error] 28-28: Possible SQL injection vector through string-based query construction (S608) 🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 7️⃣ UNSAFE EVAL | ||||||||||||||||
| def calculate(expression): | ||||||||||||||||
| return eval(expression) | ||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 8️⃣ WEAK PASSWORD HASHING | ||||||||||||||||
| def hash_password(password): | ||||||||||||||||
| return hashlib.md5(password.encode()).hexdigest() | ||||||||||||||||
|
|
||||||||||||||||
| # 4️⃣ INSECURE DESERIALIZATION (RCE) | ||||||||||||||||
| def load_session(data): | ||||||||||||||||
| return pickle.loads(data) | ||||||||||||||||
|
Comment on lines
+44
to
+45
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: find . -name "vul.py" -type fRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 95 🏁 Script executed: cat -n vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 2066 Block unsafe deserialization in 🔧 Suggested fix (JSON)-import pickle
+import json
@@
-def load_session(data):
- return pickle.loads(data)
+def load_session(data):
+ return json.loads(data)🧰 Tools🪛 Ruff (0.14.14)[error] 45-45: (S301) 🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 5️⃣ PATH TRAVERSAL | ||||||||||||||||
| def read_file(filename): | ||||||||||||||||
| with open("uploads/" + filename, "r") as f: | ||||||||||||||||
| return f.read() | ||||||||||||||||
|
Comment on lines
+38
to
+41
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: find . -type f -name "vul.py" | head -20Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 95 🏁 Script executed: cat -n vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 2066 Correct the line numbers and prevent path traversal by resolving against a fixed base directory. The code is at lines 48-51 (not 38-41). Concatenating 🔧 Proposed fix+from pathlib import Path
+
+# Base directory for uploads
+UPLOADS_DIR = Path("uploads").resolve()
+
# 5️⃣ PATH TRAVERSAL
def read_file(filename):
- with open("uploads/" + filename, "r") as f:
- return f.read()
+ path = (UPLOADS_DIR / filename).resolve()
+ if UPLOADS_DIR not in path.parents and path != UPLOADS_DIR:
+ raise ValueError("Invalid filename")
+ return path.read_text()🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 6️⃣ SSRF | ||||||||||||||||
| def fetch_url(url): | ||||||||||||||||
| return requests.get(url).text | ||||||||||||||||
|
Comment on lines
+44
to
+46
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: cat -n vul.py | head -50Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 1402 🏁 Script executed: rg "fetch_url" vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 106 🏁 Script executed: wc -l vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 96 🏁 Script executed: cat -n vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 2066 Add SSRF protections and timeouts for outbound HTTP (lines 55–56). Accepting arbitrary URLs can hit internal services and the call can hang without a timeout. Restrict hosts/schemes (and block private IPs) and set a timeout. 🔧 Proposed fix+from urllib.parse import urlparse
@@
+# Example allowlist — tighten for your environment
+ALLOWED_HOSTS = {"example.com"}
@@
def fetch_url(url):
- return requests.get(url).text
+ parsed = urlparse(url)
+ if parsed.scheme not in {"http", "https"}:
+ raise ValueError("Invalid URL scheme")
+ if parsed.hostname not in ALLOWED_HOSTS:
+ raise ValueError("Host not allowed")
+ return requests.get(url, timeout=5, allow_redirects=False).text🧰 Tools🪛 Ruff (0.14.14)[error] 46-46: Probable use of (S113) 🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 9️⃣ FLASK DEBUG MODE + USER INPUT EXECUTION | ||||||||||||||||
| @app.route("/debug") | ||||||||||||||||
| def debug(): | ||||||||||||||||
| cmd = request.args.get("cmd") | ||||||||||||||||
| return os.popen(cmd).read() | ||||||||||||||||
|
Comment on lines
+59
to
+63
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: git ls-files | grep -E "(vul|debug)" | head -20Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 93 🏁 Script executed: find . -name "vul.py" -o -name "*vul*" 2>/dev/null | head -20Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 95 🏁 Script executed: # Search for Flask debug routes or os.popen usage
rg "os\.popen|@app\.route.*debug" -A 3 -B 1Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 333 🏁 Script executed: cat -n vul.py | head -70Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 1875 🏁 Script executed: # Check Flask app setup and any middleware/auth
rg "def.*auth|@.*auth|before_request|after_request" vul.py -B 2 -A 2Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 69 Remove the This provides unauthenticated RCE. The 🔧 Proposed fix-@app.route("/debug")
-def debug():
- cmd = request.args.get("cmd")
- return os.popen(cmd).read()📝 Committable suggestion
Suggested change
🧰 Tools🪛 Ruff (0.14.14)[error] 63-63: Starting a process with a shell, possible injection detected (S605) 🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| # 🔟 OVERLY BROAD EXCEPTION (ERROR HIDING) | ||||||||||||||||
| def divide(a, b): | ||||||||||||||||
| try: | ||||||||||||||||
| return a / b | ||||||||||||||||
| except: | ||||||||||||||||
| return None | ||||||||||||||||
|
Comment on lines
+66
to
+71
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: # First, let's find and examine vul.py
fd vul.py -t fRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 93 🏁 Script executed: # Read vul.py to examine the code at lines 66-71
cat -n vul.py | sed -n '60,75p'Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 498 Avoid bare Catching everything masks bugs; handle specific exceptions and let others surface. 🔧 Proposed fix try:
return a / b
- except:
+ except ZeroDivisionError:
return None🧰 Tools🪛 Ruff (0.14.14)[error] 70-70: Do not use bare (E722) 🤖 Prompt for AI Agents |
||||||||||||||||
|
|
||||||||||||||||
|
|
||||||||||||||||
| if __name__ == "__main__": | ||||||||||||||||
| # 11️⃣ DEBUG MODE ENABLED | ||||||||||||||||
| app.run(host="0.0.0.0", port=5000, debug=True) | ||||||||||||||||
|
Comment on lines
+75
to
+77
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. 🧩 Analysis chain🏁 Script executed: cat -n vul.py | sed -n '70,80p'Repository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 305 🏁 Script executed: # Check if os module is imported
rg "^import os|^from os" vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 96 🏁 Script executed: # Get full context of the file
wc -l vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 96 🏁 Script executed: head -30 vul.pyRepository: AbhishekPrecogsAI/Mern-stack-Authentication Length of output: 675 Don't run Flask with 🔧 Safer defaults if __name__ == "__main__":
- app.run(host="0.0.0.0", port=5000, debug=True)
+ debug = os.getenv("FLASK_DEBUG") == "1"
+ host = os.getenv("FLASK_HOST", "127.0.0.1")
+ app.run(host=host, port=5000, debug=debug)📝 Committable suggestion
Suggested change
🧰 Tools🪛 ast-grep (0.40.5)[warning] 76-76: Running flask app with host 0.0.0.0 could expose the server publicly. (avoid_app_run_with_bad_host-python) [warning] 76-76: Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables. (debug-enabled-python) 🪛 Ruff (0.14.14)[error] 77-77: Possible binding to all interfaces (S104) [error] 77-77: Use of (S201) 🤖 Prompt for AI Agents |
||||||||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🧩 Analysis chain
🏁 Script executed:
Repository: AbhishekPrecogsAI/Mern-stack-Authentication
Length of output: 95
🏁 Script executed:
Repository: AbhishekPrecogsAI/Mern-stack-Authentication
Length of output: 93
🏁 Script executed:
cat -n vul.py | head -25Repository: AbhishekPrecogsAI/Mern-stack-Authentication
Length of output: 664
This is intentional test code—add an import guard to prevent accidental deployment.
The hardcoded
API_KEYis confirmed at line 16 and is intentionally vulnerable for testing/education purposes. However, add a safeguard to prevent this file from being accidentally imported in production environments:Alternatively, document clearly in the module docstring and repository that this file must never be deployed to production, or use a naming convention (e.g.,
test_vul.pyor place in atests/directory) to prevent accidental import.🧰 Tools
🪛 Gitleaks (8.30.0)
[high] 16-16: Found a Stripe Access Token, posing a risk to payment processing services and sensitive financial data.
(stripe-access-token)
🤖 Prompt for AI Agents