wip OWASP sample

Author: makara4code

.claude/settings.local.json

@@ -24,7 +24,13 @@
       "Bash(uv add:*)",
       "Bash(dir:*)",
       "Bash(mkdir:*)",
-      "Bash(uv run pytest:*)"
+      "Bash(uv run pytest:*)",
+      "Bash(del \"c:\\Users\\makara\\Desktop\\full-stack-fastapi-template\\backend\\app\\alembic\\versions\\0e52e71d55df_add_owasp_demo_tables.py\")",
+      "Bash(ls:*)",
+      "Bash(npx @tanstack/router-cli generate)",
+      "Bash(uv run:*)",
+      "Bash(timeout:*)",
+      "Bash(npm install:*)"
     ],
     "deny": [],
     "ask": []

backend/app/alembic/env.py

@@ -23,6 +23,7 @@
 from app.modules.users.models import User  # noqa
 from app.modules.items.models import Item  # noqa
 from app.modules.shortener.models import ShortUrl  # noqa
+from app.modules.owasp_demo.models import SecretDocument, UserNote, AuditLog  # noqa
 from app.core.config import settings  # noqa
 
 target_metadata = SQLModel.metadata

backend/app/alembic/versions/832f5763b245_add_owasp_demo_tables.py

@@ -0,0 +1,57 @@
+"""add_owasp_demo_tables
+
+Revision ID: 832f5763b245
+Revises: d19595e777a0
+Create Date: 2025-12-14 13:28:50.376252
+
+"""
+from alembic import op
+import sqlalchemy as sa
+import sqlmodel.sql.sqltypes
+
+
+# revision identifiers, used by Alembic.
+revision = '832f5763b245'
+down_revision = 'd19595e777a0'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('audit_log',
+    sa.Column('id', sa.Uuid(), nullable=False),
+    sa.Column('action', sqlmodel.sql.sqltypes.AutoString(length=100), nullable=False),
+    sa.Column('user_id', sa.Uuid(), nullable=True),
+    sa.Column('details', sqlmodel.sql.sqltypes.AutoString(length=5000), nullable=True),
+    sa.Column('ip_address', sqlmodel.sql.sqltypes.AutoString(length=45), nullable=True),
+    sa.Column('timestamp', sa.DateTime(), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_table('secret_document',
+    sa.Column('id', sa.Uuid(), nullable=False),
+    sa.Column('title', sqlmodel.sql.sqltypes.AutoString(length=255), nullable=False),
+    sa.Column('content', sqlmodel.sql.sqltypes.AutoString(length=10000), nullable=False),
+    sa.Column('classification', sqlmodel.sql.sqltypes.AutoString(length=50), nullable=False),
+    sa.Column('owner_id', sa.Uuid(), nullable=False),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.ForeignKeyConstraint(['owner_id'], ['user.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_table('user_note',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('title', sqlmodel.sql.sqltypes.AutoString(length=255), nullable=False),
+    sa.Column('content', sqlmodel.sql.sqltypes.AutoString(length=5000), nullable=False),
+    sa.Column('owner_id', sa.Uuid(), nullable=False),
+    sa.ForeignKeyConstraint(['owner_id'], ['user.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('user_note')
+    op.drop_table('secret_document')
+    op.drop_table('audit_log')
+    # ### end Alembic commands ###

backend/app/api/router.py

@@ -3,6 +3,7 @@
 from app.core.config import settings
 from app.modules.auth.routes import router as auth_router
 from app.modules.items.routes import router as items_router
+from app.modules.owasp_demo.routes import router as owasp_demo_router
 from app.modules.private.routes import router as private_router
 from app.modules.shortener.routes import router as shortener_router
 from app.modules.users.routes import router as users_router
@@ -20,3 +21,6 @@
 # Include private routes only in local environment
 if settings.ENVIRONMENT == "local":
     api_router.include_router(private_router)
+
+    # OWASP Top 10 Demo - Educational module (local environment only)
+    api_router.include_router(owasp_demo_router)

backend/app/modules/items/routes.py

@@ -3,9 +3,9 @@
 
 from fastapi import APIRouter
 
-from app.modules.shared import CurrentUser, Message, SessionDep
 from app.modules.items.schemas import ItemCreate, ItemPublic, ItemsPublic, ItemUpdate
 from app.modules.items.service import ItemService
+from app.modules.shared import CurrentUser, Message, SessionDep
 
 router = APIRouter(prefix="/items", tags=["items"])
 

backend/app/modules/owasp_demo/__init__.py

@@ -0,0 +1,21 @@
+"""
+OWASP Top 10 2025 Vulnerability Demonstration Module
+
+This module provides educational examples of common security vulnerabilities
+based on the OWASP Top 10 2025 Release Candidate.
+
+WARNING: These endpoints are intentionally vulnerable for educational purposes.
+DO NOT deploy this module in production environments.
+
+OWASP Top 10 2025 RC:
+- A01:2025 - Broken Access Control
+- A02:2025 - Security Misconfiguration
+- A03:2025 - Software Supply Chain Failures
+- A04:2025 - Cryptographic Failures
+- A05:2025 - Injection
+- A06:2025 - Insecure Design
+- A07:2025 - Authentication Failures
+- A08:2025 - Software or Data Integrity Failures
+- A09:2025 - Security Logging and Alerting Failures
+- A10:2025 - Mishandling of Exceptional Conditions
+"""

backend/app/modules/owasp_demo/models.py

@@ -0,0 +1,56 @@
+"""
+Models for OWASP demonstration module.
+"""
+import uuid
+from datetime import datetime
+from typing import TYPE_CHECKING, Optional
+
+from sqlmodel import Field, Relationship, SQLModel
+
+if TYPE_CHECKING:
+    from app.modules.users.models import User
+
+
+class SecretDocument(SQLModel, table=True):
+    """
+    Secret document model - used to demonstrate access control vulnerabilities.
+    """
+
+    __tablename__ = "secret_document"
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    title: str = Field(max_length=255)
+    content: str = Field(max_length=10000)
+    classification: str = Field(default="public", max_length=50)  # public, internal, confidential, secret
+    owner_id: uuid.UUID = Field(foreign_key="user.id", nullable=False, ondelete="CASCADE")
+    owner: Optional["User"] = Relationship()
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+
+
+class UserNote(SQLModel, table=True):
+    """
+    User notes - used to demonstrate IDOR vulnerabilities.
+    """
+
+    __tablename__ = "user_note"
+
+    id: int = Field(default=None, primary_key=True)  # Sequential ID for IDOR demo
+    title: str = Field(max_length=255)
+    content: str = Field(max_length=5000)
+    owner_id: uuid.UUID = Field(foreign_key="user.id", nullable=False, ondelete="CASCADE")
+    owner: Optional["User"] = Relationship()
+
+
+class AuditLog(SQLModel, table=True):
+    """
+    Audit log for demonstrating logging vulnerabilities.
+    """
+
+    __tablename__ = "audit_log"
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    action: str = Field(max_length=100)
+    user_id: uuid.UUID | None = Field(default=None)
+    details: str | None = Field(default=None, max_length=5000)
+    ip_address: str | None = Field(default=None, max_length=45)
+    timestamp: datetime = Field(default_factory=datetime.utcnow)