Major additions: - Community Next.js app (port 18187) for browsing claims with API docs - stemedb-chaos crate: Fault injection, chaos testing, CRDT properties - Latent ingestion system: Reddit/FDA ingesters with ADK-Go agents - Disputed claims handling: Manual review workflows and validation - Aphoria security scanner: New extractors (SQL injection, command injection, weak crypto, TLS version), policy-based ignores, UAT reports - Docker infrastructure: Dockerfile, docker-compose.yml for full stack - VulnBank demo: Intentionally vulnerable multi-language test corpus SDK & API enhancements: - Source registry handlers for tracking data provenance - Metrics endpoint - Skeptic filtering improvements Code quality: - Split 14 large files (>500 lines) into focused modules - All files now under 500-line limit per project guidelines Documentation: - Chaos testing guide, circuit breakers, observability docs - Phase 7 UAT documentation updates - Martin Kleppmann technical writer agent Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
"""
|
|
VulnBank - Flask Application with intentional vulnerabilities
|
|
|
|
Vulnerabilities:
|
|
- TLS verification disabled
|
|
- Hardcoded secrets
|
|
- No rate limiting
|
|
"""
import requests
from flask import Flask, request, jsonify
app = Flask(__name__)

# BLOCK: Hardcoded secret key in source code
# SECRET_KEY is what Flask uses to sign session cookies; a literal in source
# is the "hardcoded secrets" finding from the module docstring.
SECRET_KEY = "my_super_secret_key_12345"
app.config['SECRET_KEY'] = SECRET_KEY
def fetch_external_data(url: str) -> dict:
    """
    VULNERABILITY: TLS certificate verification disabled
    Allows man-in-the-middle attacks

    Issue a plain GET to ``url`` and return the response body decoded as
    JSON. Certificate checking is switched off on purpose (scanner fixture),
    and the URL is requested exactly as the caller supplied it; a non-JSON
    body makes ``.json()`` raise.
    """
    # BLOCK: verify=False disables TLS certificate verification
    return requests.get(url, verify=False).json()
def call_payment_api(amount: float, card_token: str) -> dict:
    """
    VULNERABILITY: No TLS verification on payment API
    Credit card data can be intercepted

    POST ``amount`` and ``card_token`` as a JSON body to the fixed charge
    endpoint and return the decoded JSON reply. Only the payload varies with
    the arguments; the endpoint URL is a constant.
    """
    charge_url = "https://payment.example.com/charge"
    payload = {"amount": amount, "token": card_token}
    # BLOCK: verify=False on payment endpoint - critical vulnerability
    reply = requests.post(charge_url, json=payload, verify=False)
    return reply.json()
@app.route('/api/data')
def get_data():
    """No rate limiting - vulnerable to abuse

    GET /api/data: forwards the ``url`` query parameter (default
    ``https://api.example.com/data``) to ``fetch_external_data`` and returns
    the result as JSON. The URL comes straight from the client and is fetched
    server-side, so this handler is also a server-side request forgery sink,
    although only the missing rate limit is the annotated finding here.
    """
    # BLOCK: No rate limiting configured - API abuse possible
    default_url = 'https://api.example.com/data'
    target = request.args.get('url', default_url)
    payload = fetch_external_data(target)
    return jsonify(payload)
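@app.route('/api/pay', methods=['POST'])
def process_payment():
    """Process payment with insecure TLS

    POST /api/pay with a JSON body ``{"amount": ..., "card_token": ...}``;
    both fields are handed to ``call_payment_api`` and its reply is returned
    as JSON. A body that is not a JSON object, or that lacks either field,
    now gets a 400 with an error message instead of the unhandled
    KeyError/TypeError the original raised (which Flask reports as a 500).
    The insecure TLS behaviour itself lives in ``call_payment_api`` and is
    left untouched.
    """
    # silent=True returns None for a missing or malformed JSON body instead
    # of raising, so the shape check below covers both cases.
    data = request.get_json(silent=True)
    if not isinstance(data, dict):
        return jsonify({"error": "JSON object body required"}), 400
    missing = [field for field in ("amount", "card_token") if field not in data]
    if missing:
        return jsonify({"error": f"missing field(s): {', '.join(missing)}"}), 400
    result = call_payment_api(data['amount'], data['card_token'])
    return jsonify(result)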
if __name__ == '__main__':
    # BLOCK: Debug mode enabled in production
    # debug=True enables Flask's interactive debugger and host='0.0.0.0'
    # binds it on every interface, so the debug console is reachable from the
    # network. This is the fixture's intended finding, not something to tidy.
    app.run(debug=True, host='0.0.0.0', port=5000)