File size: 1,866 Bytes
e1e5740
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
"""Fictional code snippets — generic, portfolio-safe. Each mixes real vulns with
traps (false positives) so the adversarial verification has something to kill."""

# Default: one false positive (SQLi neutralized by int()) + one real bug (command
# injection). In OFF the detector flags both; in ON the SQLi gets refuted, the
# command injection confirmed — the contrast, side by side.
MIXED_PY = '''import os
from flask import request

def get_user(db):
    uid = int(request.args.get("id"))                 # validated to int
    q = "SELECT * FROM users WHERE id = " + str(uid)  # looks like SQLi, but uid is an int
    return db.execute(q).fetchall()

def ping(host):
    os.system("ping -c 1 " + host)                    # host is never sanitized
'''

# Real DOM XSS.
XSS_JS = '''function showTab() {
  const name = location.hash.slice(1);
  document.getElementById("title").innerHTML = name;  // unsanitized -> DOM XSS
}
'''

# Dead code trap: the vulnerable function is never called.
DEADCODE_PY = '''def _legacy_read(path):                 # not referenced anywhere
    return open("/data/" + path).read()    # path traversal — but dead code

def read_config():
    return open("/data/config.yml").read()  # fixed path, safe
'''

# Everything is actually safe — the verifier should refute all candidates.
SAFE_PY = '''import subprocess
from shlex import quote

def backup(name: str):
    if not name.isalnum():
        raise ValueError("bad name")
    subprocess.run(["tar", "czf", f"{name}.tgz", "data/"], check=True)  # no shell, validated
'''

# [code, language, verify]
EXAMPLES = [
    [MIXED_PY, "python", True],    # one FP + one real bug, verified side by side
    [MIXED_PY, "python", False],   # same input, raw detector — see the noise
    [XSS_JS, "javascript", True],
    [DEADCODE_PY, "python", True],
    [SAFE_PY, "python", True],
]