Create test1.py with intentional variable error #2
Conversation
Added a test file with an intentional error for demonstration.
Fix print statement to correctly reference 'result'.
There was a problem hiding this comment.
Pull request overview
This PR adds two test files containing intentional errors for demonstration purposes. The files include a simple Python script with a variable usage error and a Flask application with multiple security vulnerabilities.
- Added test1.py with an intentional NameError (using undefined variable)
- Added test2.py containing a Flask application with intentional security vulnerabilities (SQL injection, XSS, hard-coded secrets)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| test1.py | Simple Python script demonstrating a variable usage error where 'result' is used before being defined |
| test2.py | Flask web application with intentional security vulnerabilities including SQL injection, XSS, hard-coded API key, and debug mode enabled |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| app = Flask(__name__) | ||
|
|
||
| # INTENTIONAL_VULN: hard-coded secret | ||
| API_KEY = "supersecretapikey123" # INTENTIONAL_VULN: HARD_CODED_SECRET |
There was a problem hiding this comment.
Hard-coded API key is a security risk. Sensitive credentials should be stored in environment variables or a secure secrets management system, not committed to source code.
| app = Flask(__name__) | |
| # INTENTIONAL_VULN: hard-coded secret | |
| API_KEY = "supersecretapikey123" # INTENTIONAL_VULN: HARD_CODED_SECRET | |
| import os | |
| app = Flask(__name__) | |
| # FIXED: API key loaded from environment variable | |
| API_KEY = os.environ.get("API_KEY") |
| sql = "SELECT id, title FROM articles WHERE title LIKE '%" + q + "%';" | ||
| cursor.execute(sql) |
There was a problem hiding this comment.
SQL injection vulnerability detected. User input 'q' is concatenated directly into the SQL query without sanitization or parameterization. Use parameterized queries instead to prevent SQL injection attacks.
| sql = "SELECT id, title FROM articles WHERE title LIKE '%" + q + "%';" | |
| cursor.execute(sql) | |
| sql = "SELECT id, title FROM articles WHERE title LIKE ?;" | |
| cursor.execute(sql, ('%' + q + '%',)) |
| html += "<div><strong>{}</strong>: {}</div>".format(r[0], r[1]) | ||
| return render_template_string(html) |
There was a problem hiding this comment.
Cross-Site Scripting (XSS) vulnerability. Database content is rendered directly into the HTML template without escaping, allowing malicious scripts in the database to execute in users' browsers. The data should be properly escaped or use a safer templating approach.
| conn.execute("INSERT INTO articles (title) VALUES ('Hello World');") | ||
| conn.commit() | ||
| conn.close() | ||
| app.run(debug=True) |
There was a problem hiding this comment.
Running Flask with debug=True in production is a security risk. Debug mode exposes sensitive information and provides an interactive debugger that could be exploited. This should only be enabled in development environments.
| conn = sqlite3.connect('test.db') | ||
| return conn | ||
|
|
||
| @app.route("/search") |
There was a problem hiding this comment.
Missing authentication check on the search endpoint. The route is publicly accessible without any authorization, which may expose sensitive data or functionality.
| @@ -0,0 +1,38 @@ | |||
| # app.py | |||
| # INTENTIONAL_VULN: HARD_CODED_SECRET, SQL_INJECTION, STORED_XSS | |||
| from flask import Flask, request, render_template_string | |||
There was a problem hiding this comment.
The import 'render_template_string' is used in an unsafe manner in this code. Consider whether this import is necessary or if safer alternatives like 'render_template' with automatic escaping should be used instead.
| @@ -0,0 +1,8 @@ | |||
| # Intentional error: variable 'result' is used before being defined , | |||
There was a problem hiding this comment.
Trailing comma found at the end of the comment. This should be removed for cleaner documentation.
| # Intentional error: variable 'result' is used before being defined , | |
| # Intentional error: variable 'result' is used before being defined |
| print("Sum is the:", result) # <-- ERROR: 'result' is not defined | ||
|
|
||
| result = add_numbers(5, 10) |
There was a problem hiding this comment.
The variable 'result' is used before it is defined. This will cause a NameError at runtime since 'result' is only assigned on line 8.
| print("Sum is the:", result) # <-- ERROR: 'result' is not defined | |
| result = add_numbers(5, 10) | |
| result = add_numbers(5, 10) | |
| print("Sum is the:", result) |
syed-mohsin-s
left a comment
syed-mohsin-s
left a comment
There was a problem hiding this comment.
Please fix conflicts
syed-mohsin-s
left a comment
syed-mohsin-s
left a comment
There was a problem hiding this comment.
Please fix conflicts
syed-mohsin-s
left a comment
syed-mohsin-s
left a comment
There was a problem hiding this comment.
Review complete. No critical logic errors explicitly flagged.
1 participant
Added a test file with an intentional error for demonstration(low) .