mirror of
https://github.com/FuzzingLabs/fuzzforge_ai.git
synced 2026-02-14 17:53:06 +00:00
54 lines
1.7 KiB
Python
54 lines
1.7 KiB
Python
#!/usr/bin/env python3
|
|
# Copyright (c) 2025 FuzzingLabs
|
|
#
|
|
# Licensed under the Business Source License 1.1 (BSL). See the LICENSE file
|
|
# at the root of this repository for details.
|
|
#
|
|
# After the Change Date (four years from publication), this version of the
|
|
# Licensed Work will be made available under the Apache License, Version 2.0.
|
|
# See the LICENSE-APACHE file or http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Additional attribution and requirements are provided in the NOTICE file.
|
|
|
|
"""
|
|
Test vulnerable application for FuzzForge security scanning.
|
|
Contains intentional security vulnerabilities for testing purposes.
|
|
"""
|
|
|
|
import os
|
|
import subprocess
|
|
import sqlite3
|
|
|
|
# Hardcoded secrets (for secret detection testing)
|
|
API_KEY = "sk-1234567890abcdef1234567890abcdef"
|
|
DATABASE_PASSWORD = "admin123"
|
|
JWT_SECRET = "my-super-secret-jwt-key-dont-tell-anyone"
|
|
|
|
def unsafe_sql_query(user_id):
|
|
"""SQL injection vulnerability"""
|
|
conn = sqlite3.connect("test.db")
|
|
cursor = conn.cursor()
|
|
# Vulnerable: direct string interpolation
|
|
query = f"SELECT * FROM users WHERE id = {user_id}"
|
|
cursor.execute(query)
|
|
return cursor.fetchall()
|
|
|
|
def unsafe_command_execution(filename):
|
|
"""Command injection vulnerability"""
|
|
# Vulnerable: unsanitized user input in shell command
|
|
result = subprocess.run(f"ls -la {filename}", shell=True, capture_output=True)
|
|
return result.stdout
|
|
|
|
def unsafe_file_access(filepath):
|
|
"""Path traversal vulnerability"""
|
|
# Vulnerable: no path validation
|
|
with open(f"/var/app/uploads/{filepath}", "r") as f:
|
|
return f.read()
|
|
|
|
def main():
|
|
"""Main application function"""
|
|
print("Vulnerable app started")
|
|
print(f"Using API key: {API_KEY}")
|
|
|
|
if __name__ == "__main__":
|
|
main() |