From 86ab974b8070c6b4df4e69f1b60dcdf3ec9ba361 Mon Sep 17 00:00:00 2001
From: Steven Susanto
Date: Mon, 2 Mar 2026 11:15:31 -0500
Subject: [PATCH] command injection and hardcoded secret
---
command_injection_vuln.py | 11 +++++++++++
hardcoded_secret_vuln.py | 11 +++++++++++
2 files changed, 22 insertions(+)
create mode 100644 command_injection_vuln.py
create mode 100644 hardcoded_secret_vuln.py
diff --git a/command_injection_vuln.py b/command_injection_vuln.py
new file mode 100644
index 0000000..3a7f435
--- /dev/null
+++ b/command_injection_vuln.py
@@ -0,0 +1,11 @@
+# command_injection_vuln.py
+import os
+
+def ping_host(host):
+ # Vulnerable to command injection
+ command = f"ping -c 1 {host}"
+ os.system(command)
+
+if __name__ == "__main__":
+ target = input("Enter host to ping: ")
+ ping_host(target)
diff --git a/hardcoded_secret_vuln.py b/hardcoded_secret_vuln.py
new file mode 100644
index 0000000..a55b7f6
--- /dev/null
+++ b/hardcoded_secret_vuln.py
@@ -0,0 +1,11 @@
+# hardcoded_secret_vuln.py
+
+# Hardcoded secrets
+API_KEY = "sk_test_1234567890abcdef"
+DB_PASSWORD = "SuperSecretPassword123!"
+
+def connect():
+ print("Connecting with password:", DB_PASSWORD)
+
+if __name__ == "__main__":
+ connect()
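Review bot: `ping_host` in command_injection_vuln.py passes raw `input()` text into `os.system` through an f-string, so the shell parses whatever the user typed as part of the command line; the inline comment acknowledges this but nothing in the file stops it from being run as-is. If the file is meant as a deliberately vulnerable teaching sample, say so in a module docstring and name the safe counterpart; otherwise replace the two lines with an argv call that never goes through a shell, `subprocess.run(["ping", "-c", "1", host], check=False)` (requires `import subprocess`). Even with the argv form, `host` should be validated before use — e.g. accept only values `ipaddress.ip_address` parses or a strict hostname pattern, and reject anything starting with `-` so it cannot be read as a ping option. A `# NOTE(security): host is untrusted; validated above, never shell-interpolated` comment at the call site would make the intent clear to the next reader.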
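Review bot: `connect` in hardcoded_secret_vuln.py prints `DB_PASSWORD` to stdout, so the secret ends up in terminal scrollback and any log capture, on top of the credentials being committed to the repository as literals. Move both values out of source and read them at runtime, `DB_PASSWORD = os.environ["DB_PASSWORD"]` and `API_KEY = os.environ["API_KEY"]` (add `import os` at the top of the new file), and change the print to `print("Connecting to database")` so the value is never echoed. `API_KEY` is assigned but never used in this file; drop it or document why it is present. The `sk_test_` prefix suggests a sandbox/test key rather than a live one, but that is an inference from the string, not something the commit states — the history should still be treated as exposed and the values rotated, and a pre-commit secret scanner would catch this class of change before it lands.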