0d3cb498a3
Deploy local.promptfoo.app / Deploy to Cloudflare Pages (push) Waiting to run
Test and Publish Multi-arch Docker Image / test (push) Waiting to run
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-amd64 platform:linux/amd64 runner:ubuntu-latest]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / build-docker-and-push-digests (map[digest-suffix:linux-arm64 platform:linux/arm64 runner:ubuntu-24.04-arm]) (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / merge-docker-digests (push) Blocked by required conditions
Test and Publish Multi-arch Docker Image / Attest Multi-arch Image (push) Blocked by required conditions
Validate Renovate Config / Validate Renovate Configuration (push) Waiting to run
CI / Shell Format Check (push) Has been cancelled
CI / Check Ruby (3.4) (push) Has been cancelled
CI / CI Config (push) Has been cancelled
CI / Test on Node ${{ matrix.node }} and ${{ matrix.os }}${{ matrix.shard && format(' (shard {0}/3)', matrix.shard) || '' }} (push) Has been cancelled
CI / Build on Node ${{ matrix.node }} (push) Has been cancelled
CI / Style Check (push) Has been cancelled
CI / Generate Assets (push) Has been cancelled
CI / Check Python (3.14) (push) Has been cancelled
CI / Check Python (3.9) (push) Has been cancelled
CI / Build Docs (push) Has been cancelled
CI / Code Scan Action (push) Has been cancelled
CI / Site tests (push) Has been cancelled
CI / webui tests (push) Has been cancelled
CI / Run Integration Tests (push) Has been cancelled
CI / Run Smoke Tests (push) Has been cancelled
CI / Go Tests (push) Has been cancelled
CI / Share Test (push) Has been cancelled
CI / Redteam (Production API) (push) Has been cancelled
CI / Redteam (Staging API) (push) Has been cancelled
CI / GitHub Actions Lint (push) Has been cancelled
CI / Check Ruby (3.0) (push) Has been cancelled
release-please / release-please (push) Has been cancelled
release-please / build (push) Has been cancelled
release-please / publish-npm (push) Has been cancelled
release-please / publish-npm-backfill (push) Has been cancelled
release-please / docker (push) Has been cancelled
release-please / publish-code-scan-action (push) Has been cancelled
release-please / attest-code-scan-action (push) Has been cancelled
62 lines
2.2 KiB
Python
62 lines
2.2 KiB
Python
"""User service with intentional bugs for testing.
|
|
|
|
SECURITY NOTE: This file contains intentional security vulnerabilities for
|
|
testing purposes. It is used to evaluate security scanning capabilities of
|
|
agentic code analysis tools. Do not use in production.
|
|
|
|
codeql[py/weak-cryptographic-algorithm]: Intentional vulnerability for testing
|
|
"""
|
|
|
|
import hashlib
|
|
from typing import Dict, List, Optional
|
|
|
|
|
|
class UserService:
|
|
def __init__(self):
|
|
self.users: Dict[str, Dict] = {}
|
|
self.sessions: List[str] = []
|
|
|
|
def create_user(self, username: str, password: str, email: str) -> bool:
|
|
"""Create a new user account."""
|
|
if username in self.users:
|
|
return False
|
|
|
|
# BUG: Using MD5 for password hashing (insecure)
|
|
# codeql[py/weak-cryptographic-algorithm]: Intentional vulnerability for testing
|
|
password_hash = hashlib.md5(password.encode()).hexdigest()
|
|
|
|
self.users[username] = {
|
|
"email": email,
|
|
"password": password_hash,
|
|
"active": True,
|
|
}
|
|
return True
|
|
|
|
def authenticate(self, username: str, password: str) -> Optional[str]:
|
|
"""Authenticate user and return session token."""
|
|
if username not in self.users:
|
|
return None
|
|
|
|
# BUG: Timing attack vulnerability - should use constant-time comparison
|
|
# codeql[py/weak-cryptographic-algorithm]: Intentional vulnerability for testing
|
|
password_hash = hashlib.md5(password.encode()).hexdigest()
|
|
if self.users[username]["password"] == password_hash:
|
|
# BUG: Predictable session token
|
|
session_token = f"{username}_{len(self.sessions)}"
|
|
self.sessions.append(session_token)
|
|
return session_token
|
|
return None
|
|
|
|
def get_user_data(self, username: str) -> Optional[Dict]:
|
|
"""Get user data including password hash (SECURITY ISSUE)."""
|
|
# BUG: Returns password hash to caller
|
|
return self.users.get(username)
|
|
|
|
def delete_user(self, username: str) -> bool:
|
|
"""Delete a user account."""
|
|
if username in self.users:
|
|
del self.users[username]
|
|
# BUG: Doesn't invalidate user's sessions
|
|
return True
|
|
return False
|