Spaces:
Running on Zero
Running on Zero
File size: 1,866 Bytes
e1e5740 | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 | """Fictional code snippets — generic, portfolio-safe. Each mixes real vulns with
traps (false positives) so the adversarial verification has something to kill."""
# Default: one false positive (SQLi neutralized by int()) + one real bug (command
# injection). In OFF the detector flags both; in ON the SQLi gets refuted, the
# command injection confirmed — the contrast, side by side.
MIXED_PY = '''import os
from flask import request
def get_user(db):
uid = int(request.args.get("id")) # validated to int
q = "SELECT * FROM users WHERE id = " + str(uid) # looks like SQLi, but uid is an int
return db.execute(q).fetchall()
def ping(host):
os.system("ping -c 1 " + host) # host is never sanitized
'''
# Real DOM XSS.
XSS_JS = '''function showTab() {
const name = location.hash.slice(1);
document.getElementById("title").innerHTML = name; // unsanitized -> DOM XSS
}
'''
# Dead code trap: the vulnerable function is never called.
DEADCODE_PY = '''def _legacy_read(path): # not referenced anywhere
return open("/data/" + path).read() # path traversal — but dead code
def read_config():
return open("/data/config.yml").read() # fixed path, safe
'''
# Everything is actually safe — the verifier should refute all candidates.
SAFE_PY = '''import subprocess
from shlex import quote
def backup(name: str):
if not name.isalnum():
raise ValueError("bad name")
subprocess.run(["tar", "czf", f"{name}.tgz", "data/"], check=True) # no shell, validated
'''
# [code, language, verify]
EXAMPLES = [
[MIXED_PY, "python", True], # one FP + one real bug, verified side by side
[MIXED_PY, "python", False], # same input, raw detector — see the noise
[XSS_JS, "javascript", True],
[DEADCODE_PY, "python", True],
[SAFE_PY, "python", True],
]
|