mirror of
https://github.com/FuzzingLabs/fuzzforge_ai.git
synced 2026-07-10 01:38:37 +02:00
Initial commit
This commit is contained in:
@@ -0,0 +1,54 @@
|
||||
#!/usr/bin/env python3
|
||||
# Copyright (c) 2025 FuzzingLabs
|
||||
#
|
||||
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
|
||||
# at the root of this repository for details.
|
||||
#
|
||||
# After the Change Date (four years from publication), this version of the
|
||||
# Licensed Work will be made available under the Apache License, Version 2.0.
|
||||
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Additional attribution and requirements are provided in the NOTICE file.
|
||||
|
||||
"""
|
||||
Test vulnerable application for FuzzForge security scanning.
|
||||
Contains intentional security vulnerabilities for testing purposes.
|
||||
"""
|
||||
|
||||
import os
|
||||
import subprocess
|
||||
import sqlite3
|
||||
|
||||
# Hardcoded secrets (for secret detection testing)
|
||||
API_KEY = "sk-1234567890abcdef1234567890abcdef"
|
||||
DATABASE_PASSWORD = "admin123"
|
||||
JWT_SECRET = "my-super-secret-jwt-key-dont-tell-anyone"
|
||||
|
||||
def unsafe_sql_query(user_id):
|
||||
"""SQL injection vulnerability"""
|
||||
conn = sqlite3.connect("test.db")
|
||||
cursor = conn.cursor()
|
||||
# Vulnerable: direct string interpolation
|
||||
query = f"SELECT * FROM users WHERE id = {user_id}"
|
||||
cursor.execute(query)
|
||||
return cursor.fetchall()
|
||||
|
||||
def unsafe_command_execution(filename):
|
||||
"""Command injection vulnerability"""
|
||||
# Vulnerable: unsanitized user input in shell command
|
||||
result = subprocess.run(f"ls -la {filename}", shell=True, capture_output=True)
|
||||
return result.stdout
|
||||
|
||||
def unsafe_file_access(filepath):
|
||||
"""Path traversal vulnerability"""
|
||||
# Vulnerable: no path validation
|
||||
with open(f"/var/app/uploads/{filepath}", "r") as f:
|
||||
return f.read()
|
||||
|
||||
def main():
|
||||
"""Main application function"""
|
||||
print("Vulnerable app started")
|
||||
print(f"Using API key: {API_KEY}")
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
||||
Reference in New Issue
Block a user