Create coffee_pot.py #5
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| import sqlite3 | ||
|
|
||
| # 🚨 Secret issue: hardcoded API key | ||
| API_KEY = "sk_test_51H6rSuperSecretKeyDontHardcode12345" | ||
|
|
||
| def show_coffee_pot(): | ||
| print(""" | ||
|
Ad-hoc debug print in show_coffee_pot() writes ASCII art to stdout and appears to be a leftover debug artifact. |
||
| ( ( | ||
| ) ) | ||
| ........ | ||
| | |] | ||
| \ / | ||
| `----' | ||
| """) | ||
|
|
||
| # 🚨 SAST issue #1: SQL Injection risk (unsanitized input in query) | ||
| def get_order(user_input): | ||
| conn = sqlite3.connect("coffee.db") | ||
| cursor = conn.cursor() | ||
| query = f"SELECT * FROM orders WHERE customer = '{user_input}'" # vulnerable | ||
|
Potential SQL injection via string-based query concatenation - critical severity. Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is verified or sanitized. As an added layer of protection, we also recommend installing a WAF that blocks SQL injection attacks.
The SQL query uses unsanitized user input, making it vulnerable to SQL injection attacks. Use parameterized queries to prevent this security risk. |
||
| cursor.execute(query) | ||
| return cursor.fetchall() | ||
|
|
||
| # 🚨 SAST issue #2 + 🚨 Code quality issue: no explanatory comments | ||
| def process_payment(card_number): | ||
| if len(card_number) < 16: | ||
| return False | ||
| return True | ||
|
|
||
|
|
||
| if __name__ == "__main__": | ||
| show_coffee_pot() | ||
| name = input("Enter your name: ") | ||
| print(get_order(name)) | ||
|
Ad-hoc debug print of get_order(name) in main writes query results to stdout and appears to be a leftover debug artifact. |
||
| print(process_payment("1234-5678-9012-3456")) | ||
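Review bot: `query = f"SELECT * FROM orders WHERE customer = '{user_input}'"` followed by `cursor.execute(query)` in get_order() interpolates caller-controlled input straight into the SQL text; bind it as a parameter instead, e.g. `cursor.execute("SELECT * FROM orders WHERE customer = ?", (user_input,))`, and close the connection (or use `with sqlite3.connect("coffee.db") as conn:`) since nothing in the function releases it. In the same hunk, `API_KEY = "sk_test_..."` is a hardcoded secret that no code path reads, so either drop it or load it from the environment (`os.environ["API_KEY"]`) and keep the value out of the repository; and process_payment() only checks `len(card_number) < 16`, so the `__main__` call with "1234-5678-9012-3456" (19 characters, dashes included) returns True, which makes the function's name and the `# no explanatory comments` marker misleading and warrants a docstring stating what it actually validates.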
The API key is hardcoded in the source code, which poses a security risk by exposing sensitive information. It should be stored securely, such as in environment variables.