From 4f64fbf9b3ace826e993b2af5ab8c4492ed05084 Mon Sep 17 00:00:00 2001
From: Nikoloz Demchenko
Date: Thu, 13 Jun 2024 12:12:46 +0400
Subject: [PATCH 1/3] Update app.py
---
 app.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/app.py b/app.py
index 36721a06..141a54a8 100644
--- a/app.py
+++ b/app.py
@@ -2,6 +2,8 @@
 from flask import Flask
 app = Flask(__name__)
+password = "1231231231"
+api_key = "12312312334"
 @app.route("/")
 def main():
 return "Welcome!"
From d8b3f96562cead6b7e0d65764a3aa13b3201dce7 Mon Sep 17 00:00:00 2001
From: Nikoloz Demchenko
Date: Thu, 13 Jun 2024 13:12:44 +0400
Subject: [PATCH 2/3] Update app.py
---
 app.py | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/app.py b/app.py
index 141a54a8..46cfcda6 100644
--- a/app.py
+++ b/app.py
@@ -1,16 +1,34 @@
 import os
-from flask import Flask
+from flask import Flask, request
+
 app = Flask(__name__)
-password = "1231231231"
-api_key = "12312312334"
 @app.route("/")
 def main():
+ # Insecure Configuration: Enabling debug mode in production
+ app.config['DEBUG'] = True
 return "Welcome!"
 @app.route('/how are you')
 def hello():
- return 'I am good, how about you?'
+ # Command Injection: Using os.system with unsanitized input
+ name = request.args.get('name')
+ os.system(f'echo {name}')
+ return f'I am good, how about you, {name}?'
+
+@app.route('/search')
+def search():
+ # SQL Injection: Simulating a vulnerable SQL query
+ query = request.args.get('query')
+ sql_query = f"SELECT * FROM users WHERE name = '{query}'"
+ # In a real application, this would be an insecure database query
+ return f"Searching for: {sql_query}"
+
+@app.route('/xss')
+def xss():
+ # Cross-Site Scripting (XSS): Returning unsanitized user input
+ user_input = request.args.get('input')
+ return f"
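Review bot: The two added lines in PATCH 1/3 commit a literal `password` and `api_key` to the repository; the next patch in this series deletes them again, but they stay in git history, so if these values ever stood for real credentials they should be treated as exposed and rotated. Configuration of this kind belongs in the environment rather than in source, e.g. `api_key = os.environ.get("API_KEY")`; `import os` is visible as a context line at the top of the following hunk, so it is already available at this revision. The values shown look like placeholders, but a secret scanner will still flag them, so if such lines are kept for demonstration a comment such as `# constructed demo value, not a real credential` makes the intent explicit.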

{user_input}

"
 if __name__ == "__main__":
 app.run(host="0.0.0.0", port=8080)
From 441566110d7ca9b3eb51c9ddb744030d112f1271 Mon Sep 17 00:00:00 2001
From: Nikoloz Demchenko
Date: Thu, 13 Jun 2024 15:07:53 +0400
Subject: [PATCH 3/3] Update requirements.txt
---
 requirements.txt | 1 +
 1 file changed, 1 insertion(+)
diff --git a/requirements.txt b/requirements.txt
index e3e9a71d..ae8cebaf 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1 +1,2 @@
 Flask
+Cors
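Review bot: In PATCH 2/3, `hello()` passes the `name` query parameter straight into `os.system(f'echo {name}')`, which the hunk's own comment labels as command injection, and the same pattern repeats with the unescaped `{user_input}` in `xss()` and the f-string-built `sql_query` in `search()`. If this file is meant to be a deliberately vulnerable fixture, state that in a module docstring and keep the `app.run(host="0.0.0.0", port=8080)` bind behind a guard so it is only reachable inside a lab network; otherwise the fixes are short: remove the shell call or use the argument-list form `subprocess.run(["echo", name], check=False)`, render user-supplied text through `markupsafe.escape`, and use a parameterized query instead of string formatting. `request.args.get('name')` also yields `None` when the parameter is absent, which then flows into both the shell command and the response body. Setting `app.config['DEBUG'] = True` inside the `main()` handler reconfigures the app per request after the server is already running; the debug setting belongs at startup and should stay off for anything bound to `0.0.0.0`.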
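Review bot: The requirement `Cors` added in PATCH 3/3 should be checked against the package actually intended; the Flask CORS extension is distributed as `Flask-Cors`, and a misspelled or unintended name in `requirements.txt` installs whichever project holds that name on the index, which is a supply-chain risk. Nothing in the app.py patches imports a CORS module (the only import is `from flask import Flask, request`), so the purpose of this dependency is unclear from the series. Once confirmed, pin it, e.g. `Flask-Cors==<version>` with the placeholder filled in, and pin `Flask` the same way.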