Test

app.py

@@ -10,23 +10,6 @@
 API_KEY = "SUPER_SECRET_API_KEY_12345"  # Snyk should flag this
 
 
-# --- VULN 2: SQL Injection ---
-def get_user_by_name(username):
-    conn = sqlite3.connect("test.db")
-    cursor = conn.cursor()
-    # Intentionally vulnerable query
-    query = f"SELECT * FROM users WHERE username = '{username}'"
-    cursor.execute(query)
-    result = cursor.fetchall()
-    conn.close()
-    return result
-
-
-@app.route("/user")
-def user():
-    username = request.args.get("username", "test")
-    data = get_user_by_name(username)
-    return {"data": str(data)}
 
 
 # --- VULN 3: Command Injection ---
@@ -49,6 +32,23 @@ def load():
     obj = pickle.loads(bytes.fromhex(raw))
     return {"loaded": str(obj)}
 
+# --- VULN 2: SQL Injection ---
+def get_user_by_name(username):
+    conn = sqlite3.connect("test.db")
+    cursor = conn.cursor()
+    # Intentionally vulnerable query
+    query = f"SELECT * FROM users WHERE username = '{username}'"
+    cursor.execute(query)
+    result = cursor.fetchall()
+    conn.close()
+    return result
+
+
+@app.route("/user")
+def user():
+    username = request.args.get("username", "test")
+    data = get_user_by_name(username)
+    return {"data": str(data)}
 
 # --- VULN 5: Unsafe YAML load ---
 @app.route("/yaml")

pre.py

@@ -0,0 +1,51 @@
+
+import os
+import sqlite3
+import pickle
+
+def process_user_request(user_input, username, raw_data):
+    """
+    This function is intentionally vulnerable.
+    It contains multiple security issues for testing purposes.
+    """
+
+    # 1️⃣ SQL Injection
+    conn = sqlite3.connect("users.db")
+    cursor = conn.cursor()
+    query = f"SELECT * FROM users WHERE username = '{username}'"
+    cursor.execute(query)
+    user_data = cursor.fetchall()
+
+    # 2️⃣ Command Injection
+    command = "echo Processing user && " + user_input
+    os.system(command)
+
+    # 3️⃣ Arbitrary Code Execution via eval
+    try:
+        result = eval(user_input)
+    except Exception:
+        result = None
+
+    # 4️⃣ Insecure Deserialization
+    try:
+        data = pickle.loads(raw_data)
+    except Exception:
+        data = {}
+
+    # 5️⃣ Hardcoded Secret
+    api_key = "sk_test_123456789"
+
+    # 6️⃣ Path Traversal
+    try:
+        with open(f"/tmp/{user_input}.txt", "r") as f:
+            file_data = f.read()
+    except Exception:
+        file_data = ""
+
+    return {
+        "user_data": user_data,
+        "eval_result": result,
+        "deserialized_data": data,
+        "file_data": file_data,
+        "api_key_used": api_key
+    }

test.py

@@ -7,28 +7,6 @@
 import requests
 
 
-# ❌ 1. Hard-coded secret
-SECRET_KEY = "my_super_secret_key_123456"
-
-
-# ❌ 2. Weak password hashing (MD5)
-def hash_password(password: str) -> str:
-    return hashlib.md5(password.encode()).hexdigest()
-
-
-# ❌ 3. Command injection
-def list_files(user_path: str) -> str:
-    # User input directly concatenated into shell command
-    cmd = f"ls -la {user_path}"
-    return subprocess.getoutput(cmd)
-
-
-# ❌ 4. Insecure deserialization (RCE risk)
-def load_user_data(data: bytes):
-    # Untrusted pickle loading
-    return pickle.loads(data)
-
-
 # ❌ 5. Path traversal
 def read_file(filename: str) -> str:
     # No validation on filename
@@ -66,3 +44,25 @@ def save_file(filename: str, content: str):
         f.write(content)
     # World-writable permission
     os.chmod(filename, 0o777)
+
+
+# ❌ 1. Hard-coded secret
+SECRET_KEY = "my_super_secret_key_123456"
+
+
+# ❌ 2. Weak password hashing (MD5)
+def hash_password(password: str) -> str:
+    return hashlib.md5(password.encode()).hexdigest()
+
+
+# ❌ 3. Command injection
+def list_files(user_path: str) -> str:
+    # User input directly concatenated into shell command
+    cmd = f"ls -la {user_path}"
+    return subprocess.getoutput(cmd)
+
+
+# ❌ 4. Insecure deserialization (RCE risk)
+def load_user_data(data: bytes):
+    # Untrusted pickle loading
+    return pickle.loads(data)