
"""
Demo vulnerable application for Alprina tutorial.
Contains intentional security issues for educational purposes.

⚠️ WARNING: This code contains INTENTIONAL vulnerabilities!
DO NOT use any patterns from this file in production code.

NOTE: The "secrets" in this file are fake examples for teaching.
They are not real credentials and are safe to commit.

Several functions below reference names that are never defined in this
module (``cursor``, ``User``, ``current_user``); those functions are
illustrative and will raise NameError if actually called. The module is
meant to be read and scanned, not run.
"""

# droid-shield:disable-file # This file intentionally contains fake vulnerabilities for education

13 

# Issue 1: SQL Injection (CRITICAL)
def login_user(username, password):
    """
    VULNERABLE: String concatenation in SQL query.
    An attacker can inject SQL code to bypass authentication.

    Args:
        username: Caller-supplied string, interpolated verbatim into the SQL text.
        password: Caller-supplied plaintext password, also interpolated verbatim
            and compared directly against the stored column.

    Returns:
        Whatever ``cursor.fetchone()`` yields. ``cursor`` is not defined anywhere
        in this module, so calling this function raises NameError.

    Fix: bind the values as query parameters instead of formatting them in,
    e.g. ``cursor.execute("SELECT * FROM users WHERE username=? AND password=?",
    (username, password))`` using the driver's placeholder style, and compare
    against a salted slow password hash rather than a plaintext column.
    """
    # BAD: Using f-string with user input — both values land inside the SQL text
    # unquoted, so a quote character in either one changes the query structure.
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    cursor.execute(query)
    return cursor.fetchone()

24 

# Issue 2: Hardcoded Secret (CRITICAL)
JWT_SECRET = "super_secret_key_12345"  # VULNERABLE: Hardcoded secret in source code
# Nothing in this module reads JWT_SECRET; it exists so the tutorial scanner has a
# hardcoded-credential finding to report. Fix: load signing keys from the
# environment or a secrets manager at startup, and treat any key that was ever
# committed as compromised and rotate it.

# Issue 3: XSS Vulnerability (CRITICAL)
from flask import Flask, request
app = Flask(__name__)

31 

@app.route('/comment', methods=['POST'])
def post_comment():
    """
    VULNERABLE: Unsanitized user input rendered in HTML.
    Allows attackers to inject malicious JavaScript.

    Reads the ``comment`` field from the POST form and returns it embedded in a
    ``<div>`` as the raw response body, so any markup in the field is echoed
    back to the browser unchanged.

    Returns:
        An HTML string built directly from the submitted comment.

    Fix: escape before interpolating (``html.escape(comment)`` from the standard
    library), or render through a Jinja template with autoescaping enabled; a
    Content-Security-Policy response header is useful defence in depth.
    """
    comment = request.form['comment']
    # BAD: Direct HTML rendering without sanitization
    return f"<div class='comment'>{comment}</div>"

41 

# Issue 4: Command Injection (HIGH)
import os
def ping_server(host):
    """
    VULNERABLE: Shell injection via unsanitized input.
    Attacker can execute arbitrary system commands.

    Args:
        host: Caller-supplied string interpolated into a shell command line.

    Returns:
        None. The exit status that ``os.system`` returns is discarded.

    Fix: validate ``host`` first (for example ``ipaddress.ip_address(host)`` or a
    strict hostname pattern) and then run it without a shell, as an argument list:
    ``subprocess.run(["ping", "-c", "1", host], check=False)``. Validation also
    prevents a value starting with ``-`` from being parsed as a ping option.
    """
    # BAD: os.system always hands the string to a shell (the equivalent of
    # shell=True), so shell metacharacters in host are interpreted.
    os.system(f"ping -c 1 {host}")

51 

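# Issue 5: Path Traversal (HIGH)
def read_user_file(filename):
    """
    VULNERABLE: Unsanitized path allows reading arbitrary files.
    Attacker can use ../../../etc/passwd to read system files.

    Args:
        filename: Caller-supplied name appended directly under ``./data/``
            (relative to the current working directory) with no validation.

    Returns:
        The full text contents of the opened file.

    Raises:
        OSError: Propagated from ``open`` (e.g. FileNotFoundError).

    Fix: build the path with ``pathlib``, resolve it, and refuse anything that
    leaves the data directory — ``(data_dir / filename).resolve().relative_to(
    data_dir.resolve())`` raises ValueError on escape — or, better, map the name
    through an allow-list instead of using it as a filesystem path at all.
    """
    # BAD: Direct path concatenation — ``filename`` is interpolated unchecked, so
    # ``..`` segments or an absolute-looking suffix are honoured as-is.
    with open(f"./data/{filename}", 'r') as f:
        return f.read()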

61 

# Issue 6: Weak Crypto (HIGH)
import hashlib
def hash_password(password):
    """
    VULNERABLE: MD5 is cryptographically broken.
    Passwords can be cracked in seconds with rainbow tables.

    Returns the 32-character lowercase hex MD5 digest of ``password``
    (UTF-8 encoded). There is no salt and no work factor, so equal passwords
    always give equal digests and offline guessing is cheap.

    Fix: a deliberately slow, salted password hash such as ``hashlib.scrypt``
    or ``hashlib.pbkdf2_hmac`` (both standard library), storing the per-user
    salt next to the digest.
    """
    # BAD: Using MD5 for passwords
    encoded = password.encode("utf-8")
    digest = hashlib.md5(encoded)
    return digest.hexdigest()

71 

# Issue 7: Debug Mode Enabled (HIGH)
DEBUG = True  # VULNERABLE: Debug mode exposes stack traces and sensitive info
# Nothing in this module reads DEBUG (it is not passed to ``app``); it stands in
# for a debug flag left on in a deployed app. Fix: derive it from the environment
# and default to False so the interactive debugger is never reachable in production.

74 

@app.route('/admin/users', methods=['GET'])
def get_all_users():
    """
    VULNERABLE: Admin endpoint without authentication.
    Anyone can access sensitive user data.

    Returns:
        A dict holding every ``User`` row under the ``"users"`` key. ``User`` is
        not defined in this module, so the handler is illustrative only.

    Fix: gate the route behind an authentication check that also enforces the
    admin role (a decorator that verifies the session or token before the
    handler body runs), and return only the fields the caller needs.
    """
    # BAD: No @require_auth decorator — any unauthenticated request reaches this body
    return {"users": User.query.all()}

84 

# Issue 9: Insecure Random (MEDIUM)
import random
def generate_session_token():
    """
    VULNERABLE: Using non-cryptographic random for security token.
    Tokens are predictable and can be guessed.

    Returns:
        The decimal string form of a single ``random.random()`` draw, i.e. a
        float in ``[0.0, 1.0)`` from the module-global Mersenne Twister, whose
        state can be recovered from a handful of observed outputs.

    Fix: ``secrets.token_urlsafe(32)`` (or ``secrets.token_hex``), which draws
    from the operating system's CSPRNG.
    """
    # BAD: random.random() is not cryptographically secure
    draw = random.random()
    return str(draw)

94 

@app.route('/api/update-email', methods=['POST'])
def update_email():
    """
    VULNERABLE: State-changing operation without CSRF token.
    Attacker can trick user into changing their email.

    Reads ``email`` from the POST form, writes it onto ``current_user`` and
    saves. ``current_user`` is not defined in this module, so the handler is
    illustrative only.

    Returns:
        ``{"success": True}`` unconditionally once the save returns.

    Fix: require a per-session CSRF token on every state-changing request
    (Flask-WTF's ``CSRFProtect`` is the usual implementation) and mark the
    session cookie ``SameSite``; for an email change specifically, also
    re-authenticate the user and confirm the new address before switching.
    """
    new_email = request.form['email']
    # BAD: No CSRF token validation — a cross-site form post carrying the
    # victim's cookies is accepted exactly like a first-party one.
    current_user.email = new_email
    current_user.save()
    return {"success": True}