[
{
"snippet_id": "hard_001",
"filename": "db.py",
"code": "def load_user(cursor, user_id):\n query = f\"SELECT * FROM users WHERE id = {user_id}\"\n return cursor.execute(query).fetchone()",
"context": "Used by an internal admin dashboard.",
"gold_issues": [
{
"issue_id": "hard_001_sqli",
"line": 2,
"issue_type": "SECURITY",
"severity": "CRITICAL",
"description": "SQL query interpolates user input directly and is vulnerable to SQL injection.",
"required": true,
"explanation_keywords": ["sql injection", "parameterized", "query", "interpolate", "user input"],
"fix_keywords": ["parameterized", "placeholder", "bind", "params"],
"owasp_category": "A03:2021-Injection",
"owasp_keywords": ["owasp", "injection", "a03"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_002",
"filename": "settings.py",
"code": "API_KEY = \"sk-live-hardcoded-secret\"\n\ndef get_auth_header():\n return {\"Authorization\": f\"Bearer {API_KEY}\"}",
"gold_issues": [
{
"issue_id": "hard_002_secret",
"line": 1,
"issue_type": "SECURITY",
"severity": "HIGH",
"description": "Hardcoded API secret in source code.",
"required": true,
"explanation_keywords": ["hardcoded", "secret", "api key", "credential"],
"fix_keywords": ["environment", "vault", "secret manager", "config"],
"owasp_category": "A07:2021-Identification and Authentication Failures",
"owasp_keywords": ["secret", "credential", "authentication", "owasp"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_003",
"filename": "storage.py",
"code": "from pathlib import Path\n\ndef read_report(base_dir, user_filename):\n path = Path(base_dir) / user_filename\n return path.read_text()",
"gold_issues": [
{
"issue_id": "hard_003_path_traversal",
"line": 4,
"issue_type": "SECURITY",
"severity": "HIGH",
"description": "User-controlled file path can escape the intended directory.",
"required": true,
"explanation_keywords": ["path traversal", "directory", "user filename", "path"],
"fix_keywords": ["resolve", "validate", "allowlist", "basename"],
"owasp_category": "A01:2021-Broken Access Control",
"owasp_keywords": ["broken access control", "path traversal", "owasp", "a01"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_004",
"filename": "net.py",
"code": "import os\n\ndef ping(hostname):\n return os.system(f\"ping -c 1 {hostname}\")",
"gold_issues": [
{
"issue_id": "hard_004_command_injection",
"line": 4,
"issue_type": "SECURITY",
"severity": "CRITICAL",
"description": "Shell command is built from user input, allowing command injection.",
"required": true,
"explanation_keywords": ["command injection", "shell", "os.system", "user input"],
"fix_keywords": ["subprocess", "argument list", "shell false", "validate"],
"owasp_category": "A03:2021-Injection",
"owasp_keywords": ["owasp", "injection", "a03", "command injection"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_005",
"filename": "serializer.py",
"code": "import pickle\n\ndef load_session(user_data):\n return pickle.loads(user_data)",
"gold_issues": [
{
"issue_id": "hard_005_pickle",
"line": 4,
"issue_type": "SECURITY",
"severity": "CRITICAL",
"description": "Untrusted pickle deserialization can lead to arbitrary code execution.",
"required": true,
"explanation_keywords": ["pickle", "deserialization", "arbitrary code", "untrusted"],
"fix_keywords": ["json", "safe format", "validate", "trusted"],
"owasp_category": "A08:2021-Software and Data Integrity Failures",
"owasp_keywords": ["integrity", "deserialization", "owasp", "a08"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_006",
"filename": "crypto.py",
"code": "import hashlib\n\ndef hash_password(password):\n return hashlib.md5(password.encode()).hexdigest()",
"gold_issues": [
{
"issue_id": "hard_006_weak_crypto",
"line": 4,
"issue_type": "SECURITY",
"severity": "HIGH",
"description": "Uses MD5 for password hashing, which is cryptographically weak.",
"required": true,
"explanation_keywords": ["md5", "weak", "hash", "password", "crypto"],
"fix_keywords": ["bcrypt", "argon2", "scrypt", "salt"],
"owasp_category": "A02:2021-Cryptographic Failures",
"owasp_keywords": ["cryptographic", "owasp", "a02", "weak crypto"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_007",
"filename": "shell.py",
"code": "import subprocess\n\ndef run(cmd):\n return subprocess.run(cmd, shell=True, check=True)",
"gold_issues": [
{
"issue_id": "hard_007_shell_true",
"line": 4,
"issue_type": "SECURITY",
"severity": "CRITICAL",
"description": "Runs shell commands with shell=True on untrusted input.",
"required": true,
"explanation_keywords": ["shell=true", "subprocess", "command injection", "shell"],
"fix_keywords": ["shell false", "argument list", "validate", "subprocess"],
"owasp_category": "A03:2021-Injection",
"owasp_keywords": ["owasp", "injection", "a03", "shell"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_008",
"filename": "redirects.py",
"code": "def login_redirect(next_url):\n return {\"location\": next_url, \"status\": 302}",
"gold_issues": [
{
"issue_id": "hard_008_open_redirect",
"line": 2,
"issue_type": "SECURITY",
"severity": "HIGH",
"description": "Redirect target is fully user-controlled, creating an open redirect.",
"required": true,
"explanation_keywords": ["open redirect", "redirect", "next_url", "user controlled"],
"fix_keywords": ["allowlist", "relative path", "validate", "trusted host"],
"owasp_category": "A01:2021-Broken Access Control",
"owasp_keywords": ["owasp", "broken access control", "open redirect", "a01"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_009",
"filename": "orders.py",
"code": "def view_order(request, db):\n order_id = request.query_params[\"order_id\"]\n return db.get_order(order_id)",
"context": "Customer dashboard handler.",
"gold_issues": [
{
"issue_id": "hard_009_idor",
"line": 3,
"issue_type": "SECURITY",
"severity": "HIGH",
"description": "Looks up an order by user-supplied id without an ownership check, enabling IDOR.",
"required": true,
"explanation_keywords": ["idor", "ownership", "authorization", "access control", "order id"],
"fix_keywords": ["authorize", "ownership", "current user", "scoped query"],
"owasp_category": "A01:2021-Broken Access Control",
"owasp_keywords": ["owasp", "broken access control", "idor", "a01"]
}
],
"must_approve": false,
"must_reject": true
},
{
"snippet_id": "hard_010",
"filename": "yaml_loader.py",
"code": "import yaml\n\ndef parse_config(data):\n return yaml.load(data, Loader=yaml.Loader)",
"gold_issues": [
{
"issue_id": "hard_010_yaml_load",
"line": 4,
"issue_type": "SECURITY",
"severity": "HIGH",
"description": "Unsafe YAML loader can construct arbitrary Python objects from untrusted input.",
"required": true,
"explanation_keywords": ["yaml.load", "unsafe", "loader", "object", "untrusted"],
"fix_keywords": ["safe_load", "safe loader", "validate", "trusted"],
"owasp_category": "A08:2021-Software and Data Integrity Failures",
"owasp_keywords": ["owasp", "integrity", "yaml", "a08"]
}
],
"must_approve": false,
"must_reject": true
}
]