Skip to content

Create test1.py with intentional variable error #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
syed-mohsin-s wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Create test1.py with intentional variable error #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
53d74f0
Create test1.py with intentional variable error
syed-mohsin-s Nov 19, 2025
c12c6c2
Fix comment typo in test1.py
syed-mohsin-s Nov 19, 2025
813ba70
Correct print statement for undefined variable
syed-mohsin-s Nov 22, 2025
68d426c
Implement Flask app
syed-mohsin-s Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions test1.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Intentional error: variable 'result' is used before being defined ,
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Trailing comma found at the end of the comment. This should be removed for cleaner documentation.

Suggested change
# Intentional error: variable 'result' is used before being defined ,
# Intentional error: variable 'result' is used before being defined

Copilot uses AI. Check for mistakes.

def add_numbers(a, b):
return a + b

print("Sum is the:", result) # <-- ERROR: 'result' is not defined

result = add_numbers(5, 10)
Comment on lines +6 to +8
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable 'result' is used before it is defined. This will cause a NameError at runtime since 'result' is only assigned on line 8.

Suggested change
print("Sum is the:", result) # <-- ERROR: 'result' is not defined
result = add_numbers(5, 10)
result = add_numbers(5, 10)
print("Sum is the:", result)

Copilot uses AI. Check for mistakes.
38 changes: 38 additions & 0 deletions test2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# app.py
# INTENTIONAL_VULN: HARD_CODED_SECRET, SQL_INJECTION, STORED_XSS
from flask import Flask, request, render_template_string
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The import 'render_template_string' is used in an unsafe manner in this code. Consider whether this import is necessary or if safer alternatives like 'render_template' with automatic escaping should be used instead.

Copilot uses AI. Check for mistakes.
import sqlite3

app = Flask(__name__)

# INTENTIONAL_VULN: hard-coded secret
API_KEY = "supersecretapikey123" # INTENTIONAL_VULN: HARD_CODED_SECRET
Comment on lines +5 to +9
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hard-coded API key is a security risk. Sensitive credentials should be stored in environment variables or a secure secrets management system, not committed to source code.

Suggested change
app = Flask(__name__)
# INTENTIONAL_VULN: hard-coded secret
API_KEY = "supersecretapikey123" # INTENTIONAL_VULN: HARD_CODED_SECRET
import os
app = Flask(__name__)
# FIXED: API key loaded from environment variable
API_KEY = os.environ.get("API_KEY")

Copilot uses AI. Check for mistakes.

def get_db():
conn = sqlite3.connect('test.db')
return conn

@app.route("/search")
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing authentication check on the search endpoint. The route is publicly accessible without any authorization, which may expose sensitive data or functionality.

Copilot uses AI. Check for mistakes.
def search():
q = request.args.get("q", "")
# INTENTIONAL_VULN: SQL concatenation (SQL Injection)
conn = get_db()
cursor = conn.cursor()
sql = "SELECT id, title FROM articles WHERE title LIKE '%" + q + "%';"
cursor.execute(sql)
Comment on lines +21 to +22
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SQL injection vulnerability detected. User input 'q' is concatenated directly into the SQL query without sanitization or parameterization. Use parameterized queries instead to prevent SQL injection attacks.

Suggested change
sql = "SELECT id, title FROM articles WHERE title LIKE '%" + q + "%';"
cursor.execute(sql)
sql = "SELECT id, title FROM articles WHERE title LIKE ?;"
cursor.execute(sql, ('%' + q + '%',))

Copilot uses AI. Check for mistakes.
results = cursor.fetchall()
conn.close()
# INTENTIONAL_VULN: using render_template_string with user data (stored XSS risk when content comes from DB)
html = "<h1>Search results</h1>"
for r in results:
html += "<div><strong>{}</strong>: {}</div>".format(r[0], r[1])
return render_template_string(html)
Comment on lines +28 to +29
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cross-Site Scripting (XSS) vulnerability. Database content is rendered directly into the HTML template without escaping, allowing malicious scripts in the database to execute in users' browsers. The data should be properly escaped or use a safer templating approach.

Copilot uses AI. Check for mistakes.

if __name__ == "__main__":
# create db for testing (unsafe convenience code)
conn = sqlite3.connect('test.db')
conn.execute("CREATE TABLE IF NOT EXISTS articles (id INTEGER PRIMARY KEY, title TEXT);")
conn.execute("INSERT INTO articles (title) VALUES ('Hello World');")
conn.commit()
conn.close()
app.run(debug=True)
Copy link

Copilot AI Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running Flask with debug=True in production is a security risk. Debug mode exposes sensitive information and provides an interactive debugger that could be exploited. This should only be enabled in development environments.

Copilot uses AI. Check for mistakes.