Initial commit

This commit is contained in:
Tanguy Duhamel
2025-09-29 21:26:41 +02:00
parent f0fd367ed8
commit 323a434c73
208 changed files with 72069 additions and 53 deletions
+54
View File
@@ -0,0 +1,54 @@
#!/usr/bin/env python3
# Copyright (c) 2025 FuzzingLabs
#
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
# at the root of this repository for details.
#
# After the Change Date (four years from publication), this version of the
# Licensed Work will be made available under the Apache License, Version 2.0.
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
#
# Additional attribution and requirements are provided in the NOTICE file.
"""
Test vulnerable application for FuzzForge security scanning.
Contains intentional security vulnerabilities for testing purposes.
"""
import os
import subprocess
import sqlite3
# Hardcoded secrets (for secret detection testing)
API_KEY = "sk-1234567890abcdef1234567890abcdef"
DATABASE_PASSWORD = "admin123"
JWT_SECRET = "my-super-secret-jwt-key-dont-tell-anyone"
def unsafe_sql_query(user_id):
"""SQL injection vulnerability"""
conn = sqlite3.connect("test.db")
cursor = conn.cursor()
# Vulnerable: direct string interpolation
query = f"SELECT * FROM users WHERE id = {user_id}"
cursor.execute(query)
return cursor.fetchall()
def unsafe_command_execution(filename):
"""Command injection vulnerability"""
# Vulnerable: unsanitized user input in shell command
result = subprocess.run(f"ls -la {filename}", shell=True, capture_output=True)
return result.stdout
def unsafe_file_access(filepath):
"""Path traversal vulnerability"""
# Vulnerable: no path validation
with open(f"/var/app/uploads/{filepath}", "r") as f:
return f.read()
def main():
"""Main application function"""
print("Vulnerable app started")
print(f"Using API key: {API_KEY}")
if __name__ == "__main__":
main()