"""Fictional code snippets — generic, portfolio-safe. Each mixes real vulns with traps (false positives) so the adversarial verification has something to kill.""" # Default: one false positive (SQLi neutralized by int()) + one real bug (command # injection). In OFF the detector flags both; in ON the SQLi gets refuted, the # command injection confirmed — the contrast, side by side. MIXED_PY = '''import os from flask import request def get_user(db): uid = int(request.args.get("id")) # validated to int q = "SELECT * FROM users WHERE id = " + str(uid) # looks like SQLi, but uid is an int return db.execute(q).fetchall() def ping(host): os.system("ping -c 1 " + host) # host is never sanitized ''' # Real DOM XSS. XSS_JS = '''function showTab() { const name = location.hash.slice(1); document.getElementById("title").innerHTML = name; // unsanitized -> DOM XSS } ''' # Dead code trap: the vulnerable function is never called. DEADCODE_PY = '''def _legacy_read(path): # not referenced anywhere return open("/data/" + path).read() # path traversal — but dead code def read_config(): return open("/data/config.yml").read() # fixed path, safe ''' # Everything is actually safe — the verifier should refute all candidates. SAFE_PY = '''import subprocess from shlex import quote def backup(name: str): if not name.isalnum(): raise ValueError("bad name") subprocess.run(["tar", "czf", f"{name}.tgz", "data/"], check=True) # no shell, validated ''' # [code, language, verify] EXAMPLES = [ [MIXED_PY, "python", True], # one FP + one real bug, verified side by side [MIXED_PY, "python", False], # same input, raw detector — see the noise [XSS_JS, "javascript", True], [DEADCODE_PY, "python", True], [SAFE_PY, "python", True], ]