From 3cc7ac37e45e3291fa005ed62c60b79bc1aea557 Mon Sep 17 00:00:00 2001
From: Sean Casey
Date: Wed, 26 Feb 2025 11:56:00 -0500
Subject: [PATCH 1/2] add Dockerfile
---
 .github/workflows/main.yml | 1 +
 .vscode/settings.json | 3 +++
 2 files changed, 4 insertions(+)
 create mode 100644 .vscode/settings.json
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index eb528375..11b35b43 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -3,6 +3,7 @@ name: CxFlow
 # Controls when the action will run. Triggers the workflow on push or pull request
 # events but only for the master branch
+# comment
 on:
   push:
     branches: [ master ]
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..2b37e7d1
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+  "CheckmarxSecurityChampion.key": "sk-proj-pNHtnWny3bvPN2slWbeNT3BlbkFJ7HTv6G6iIJ4xsMW8uWgR"
+}
\ No newline at end of file
From 33480675edf5d8c113cb3dccfcf9d59bb9b3d553 Mon Sep 17 00:00:00 2001
From: Sean Casey
Date: Wed, 26 Feb 2025 12:23:47 -0500
Subject: [PATCH 2/2] reinserting vulnerability
---
 WebGoat/App_Code/DB/MySqlDbProvider.cs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/WebGoat/App_Code/DB/MySqlDbProvider.cs b/WebGoat/App_Code/DB/MySqlDbProvider.cs
index 0bc79812..1a738c9e 100644
--- a/WebGoat/App_Code/DB/MySqlDbProvider.cs
+++ b/WebGoat/App_Code/DB/MySqlDbProvider.cs
@@ -347,7 +347,7 @@ public string GetPasswordByEmail(string email)
         string result = string.Empty;
         try
         {
-
+
             using (MySqlConnection connection = new MySqlConnection(_connectionString))
             {
                 //get data
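Review bot: The value committed under `CheckmarxSecurityChampion.key` in the new `.vscode/settings.json` has the shape of a live bearer API token, and once it is in a commit it is visible to everyone with repository access and stays in history even after a later deletion. If it is a real credential it should be treated as exposed: revoke or rotate it, drop the file from the change, and keep the key in an environment variable or the editor's secret storage, with `.vscode/` added to `.gitignore` so it cannot come back. If it is intentionally a dummy value for the scanner to find, say so in the commit message or a `// placeholder, not a real key` style marker in the key name, because nothing in the patch distinguishes the two cases. The subject "add Dockerfile" also does not describe either file in this patch.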
@@ -365,6 +365,11 @@ public string GetPasswordByEmail(string email)
                 string encoded_password = ds.Tables[0].Rows[0]["Password"].ToString();
                 string decoded_password = Encoder.Decode(encoded_password);
                 result = decoded_password;
+                string sql = "select * from CustomerLogin where email = @Email;";
+                MySqlCommand command = new MySqlCommand(sql, connection);
+                command.Parameters.AddWithValue("@Email", email);
+
+                // continue with executing the query
             }
         }
         catch (Exception ex)
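Review bot: The `MySqlCommand` built on the three added lines is never executed and never disposed, so it has no effect on `result`, which was already assigned from `ds` on the preceding context line; the added `// continue with executing the query` comment confirms the work is unfinished. Because the email is bound through `AddWithValue("@Email", email)` rather than concatenated into `sql`, these lines do not reintroduce string-built SQL despite the subject "reinserting vulnerability", so what the commit actually adds is dead code. Either remove the five lines or complete them so the command is scoped and used, e.g. `using (MySqlCommand command = new MySqlCommand(sql, connection)) { command.Parameters.AddWithValue("@Email", email); /* execute and consume */ }`. GetPasswordByEmail continues outside the hunk, and the query that fills `ds` earlier in the method is not visible here.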