"""Fictional code snippets — generic, portfolio-safe. Each mixes real vulns with
traps (false positives) so the adversarial verification has something to kill."""
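# Default: one false positive (SQLi neutralized by int()) + one real bug (command
# injection). In OFF the detector flags both; in ON the SQLi gets refuted, the
# command injection confirmed — the contrast, side by side.
#
# Why the SQLi candidate is refutable: int() raises on a missing or non-numeric
# "id", so only the decimal rendering of an integer is ever concatenated into
# the query text. A parameterized query would still be the better habit; the
# point here is only that this particular flow is not exploitable.
# Why the command injection stands: os.system() hands the whole string to a
# shell and `host` is concatenated unchanged. The usual remediation is an
# argument list with no shell (subprocess.run([...])) plus validation of host.
#
# Function bodies are indented so the sample parses as Python.
MIXED_PY = '''import os
from flask import request
def get_user(db):
    uid = int(request.args.get("id")) # validated to int
    q = "SELECT * FROM users WHERE id = " + str(uid) # looks like SQLi, but uid is an int
    return db.execute(q).fetchall()
def ping(host):
    os.system("ping -c 1 " + host) # host is never sanitized
'''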
# Real DOM XSS: the URL fragment (location.hash) is read and assigned straight
# to innerHTML, an HTML-parsing sink, with no encoding in between. Nothing in
# the snippet neutralizes the flow, so the verifier has no grounds to refute
# it. Assigning through textContent instead would render the value as text.
XSS_JS = (
    "function showTab() {\n"
    "const name = location.hash.slice(1);\n"
    'document.getElementById("title").innerHTML = name; // unsanitized -> DOM XSS\n'
    "}\n"
)
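# Dead code trap: the vulnerable function is never called.
#
# _legacy_read() concatenates `path` into a filesystem path (traversal), but
# nothing in the snippet references it; read_config() opens a fixed path.
# NOTE: the refutation rests on reachability within this snippet only. In a
# real codebase "never called" has to be established across every module that
# could import the function before a finding like this is dismissed, and dead
# vulnerable code is still worth deleting.
#
# Function bodies are indented so the sample parses as Python, and the
# mis-encoded dash inside the sample comment is restored.
DEADCODE_PY = '''def _legacy_read(path): # not referenced anywhere
    return open("/data/" + path).read() # path traversal — but dead code
def read_config():
    return open("/data/config.yml").read() # fixed path, safe
'''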
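# Everything is actually safe — the verifier should refute all candidates.
#
# Why it holds: subprocess.run() receives an argument list, so no shell parses
# the command, and name.isalnum() rejects the empty string as well as "-", "/"
# and ".", which rules out option injection and path traversal through the
# archive name. isalnum() is Unicode-aware, so non-ASCII letters and digits
# pass; that only affects the resulting file name. shlex.quote is imported but
# never used in the snippet.
#
# Function bodies are indented so the sample parses as Python.
SAFE_PY = '''import subprocess
from shlex import quote
def backup(name: str):
    if not name.isalnum():
        raise ValueError("bad name")
    subprocess.run(["tar", "czf", f"{name}.tgz", "data/"], check=True) # no shell, validated
'''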
# Demo rows, each laid out as [code, language, verify]. verify=True runs the
# refutation stage on the detector's candidates; verify=False shows the raw
# detector output.
EXAMPLES = [
    # One FP + one real bug, verified side by side.
    [
        MIXED_PY,
        "python",
        True,
    ],
    # Same input, raw detector — see the noise.
    [
        MIXED_PY,
        "python",
        False,
    ],
    # Unrefuted DOM XSS sample.
    [
        XSS_JS,
        "javascript",
        True,
    ],
    # Vulnerable function that nothing in the snippet calls.
    [
        DEADCODE_PY,
        "python",
        True,
    ],
    # Nothing to confirm: every candidate should be refuted.
    [
        SAFE_PY,
        "python",
        True,
    ],
]