From b378707e78bae00b8340a91ec93a6e8b4284c5eb Mon Sep 17 00:00:00 2001
From: Sam Gutentag <1404219+samgutentag@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:13:59 -0700
Subject: [PATCH 1/6] Add utility script

---
 bad-code.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 bad-code.py

diff --git a/bad-code.py b/bad-code.py
new file mode 100644
index 00000000..72b14f52
--- /dev/null
+++ b/bad-code.py
@@ -0,0 +1,20 @@
+import os
+import sqlite3
+
+DB_PASSWORD = "super_secret_password_123"
+API_KEY = "sk-ant-api03-FAKE1234567890abcdefghijklmnop"
+
+
+def get_user(username):
+ conn = sqlite3.connect("app.db")
+ query = f"SELECT * FROM users WHERE username = '{username}'"
+ conn.execute(query)
+ return conn.fetchone()
+
+
+def run_command(user_input):
+ os.system(user_input)
+
+
+def process(data):
+ return eval(data)

From 0dec513871d1bf6e95c1a28cf745d2032ec3cf0a Mon Sep 17 00:00:00 2001
From: Sam Gutentag <1404219+samgutentag@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:20:15 -0700
Subject: [PATCH 2/6] Update bad-code.py

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---
 bad-code.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bad-code.py b/bad-code.py
index 72b14f52..6de897e8 100644
--- a/bad-code.py
+++ b/bad-code.py
@@ -1,7 +1,7 @@
 import os
 import sqlite3
 
-DB_PASSWORD = "super_secret_password_123"
+DB_PASSWORD = os.environ.get("DB_PASSWORD")
 API_KEY = "sk-ant-api03-FAKE1234567890abcdefghijklmnop"
 
 

From 02b3cba14fbd7fc250e55b55b2f2c62f2a9c6c4e Mon Sep 17 00:00:00 2001
From: Sam Gutentag <1404219+samgutentag@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:20:22 -0700
Subject: [PATCH 3/6] Update bad-code.py

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---
 bad-code.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bad-code.py b/bad-code.py
index 6de897e8..218a0047 100644
--- a/bad-code.py
+++ b/bad-code.py
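Review bot: `run_command` hands `user_input` unmodified to `os.system`, which runs it through a shell, and `process` evaluates `data` with `eval`; neither function validates its argument, so any caller-controlled string becomes a shell command or Python code. Replace the first with `subprocess.run(argv, shell=False, check=True)` where `argv` is a list built from a validated command name and arguments, and the second with `ast.literal_eval(data)` or `json.loads(data)` depending on what `data` is meant to carry — if a full Python expression really is required, mark that with a comment so the trust boundary is explicit. This hunk is the whole file, and none of the later patches in this series touch either function.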
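Review bot: `os.environ.get("DB_PASSWORD")` returns `None` when the variable is unset, so a misconfigured deployment starts silently with no credential instead of failing; `DB_PASSWORD = os.environ["DB_PASSWORD"]` raises `KeyError` at import time and makes the omission visible. The same applies to the `API_KEY` line changed in patch 3. The literal removed here is still recorded in patch 1, so if it was ever a live credential it should be treated as exposed and rotated, not merely deleted from the tip. Note also that nothing in the file reads `DB_PASSWORD` — `sqlite3.connect("app.db")` takes no password — so the constant may simply be dead.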
@@ -2,7 +2,7 @@
 import sqlite3
 
 DB_PASSWORD = os.environ.get("DB_PASSWORD")
-API_KEY = "sk-ant-api03-FAKE1234567890abcdefghijklmnop"
+API_KEY = os.environ.get("API_KEY")
 
 
 def get_user(username):

From 4c59ddc2a366ad1e93cb62101932528b48a2c0ab Mon Sep 17 00:00:00 2001
From: Sam Gutentag <1404219+samgutentag@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:20:30 -0700
Subject: [PATCH 4/6] Update bad-code.py

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---
 bad-code.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bad-code.py b/bad-code.py
index 218a0047..43b05d03 100644
--- a/bad-code.py
+++ b/bad-code.py
@@ -7,7 +7,7 @@
 
 def get_user(username):
 conn = sqlite3.connect("app.db")
- query = f"SELECT * FROM users WHERE username = '{username}'"
+ query = "SELECT * FROM users WHERE username = ?"
 conn.execute(query)
 return conn.fetchone()
 

From 8aea6845207904081ce979ef80333213374e9bd7 Mon Sep 17 00:00:00 2001
From: Sam Gutentag <1404219+samgutentag@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:20:37 -0700
Subject: [PATCH 5/6] Update bad-code.py

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---
 bad-code.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/bad-code.py b/bad-code.py
index 43b05d03..a6cfbfaa 100644
--- a/bad-code.py
+++ b/bad-code.py
@@ -9,7 +9,7 @@ def get_user(username):
 conn = sqlite3.connect("app.db")
 query = "SELECT * FROM users WHERE username = ?"
 conn.execute(query)
- return conn.fetchone()
+ return conn.execute(query).fetchone()
 
 
 def run_command(user_input):

From dc4352f3e72773c36746cf6c80379d922aad166c Mon Sep 17 00:00:00 2001
From: Sam Gutentag <1404219+samgutentag@users.noreply.github.com>
Date: Thu, 12 Mar 2026 12:24:22 -0700
Subject: [PATCH 6/6] Update bad-code.py

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
---
 bad-code.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

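Review bot: Switching the query to a `?` placeholder is only half the change: the `conn.execute(query)` context line directly below it still runs the statement with no bindings, so sqlite3 raises `ProgrammingError` for the missing parameter before `return conn.fetchone()` is ever reached. That bare `execute` call survives as context in patches 5 and 6 even after the return line gains `(username,)`, so it should be deleted there as well and the statement executed exactly once, as `return conn.execute(query, (username,)).fetchone()`. `get_user`'s body lies entirely inside this hunk.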
diff --git a/bad-code.py b/bad-code.py
index a6cfbfaa..a42aa5e0 100644
--- a/bad-code.py
+++ b/bad-code.py
@@ -9,7 +9,7 @@ def get_user(username):
 conn = sqlite3.connect("app.db")
 query = "SELECT * FROM users WHERE username = ?"
 conn.execute(query)
- return conn.execute(query).fetchone()
+ return conn.execute(query, (username,)).fetchone()
 
 
 def run_command(user_input):
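Review bot: The connection opened on the first context line is never closed, and because the new return line leaves `get_user` straight from the `execute(...).fetchone()` chain there is no path that closes it on success or on error, so every call holds a handle to `app.db` until the object happens to be garbage-collected. Wrap it: `with contextlib.closing(sqlite3.connect("app.db")) as conn:` followed by `return conn.execute(query, (username,)).fetchone()` (this needs `import contextlib` at the top of the file, which currently imports only `os` and `sqlite3`). A short docstring such as `"""Return the users row for *username*, or None if there is no match."""` would also help, since the `None`-on-miss behaviour is implicit in `fetchone()`.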