introduce test package with known vulnerability

Author: rcambrj

cmd/vuln/main.go

@@ -0,0 +1,60 @@
+package main
+
+import (
+	"crypto/md5" // weak hash
+	"crypto/tls" // insecure TLS config
+	"database/sql"
+	"fmt"
+	"math/rand" // insecure randomness for secrets
+	"net/http"
+	"os"
+	"os/exec"
+)
+
+var db *sql.DB // uninitialized; fine for static analysis examples
+
+func handler(w http.ResponseWriter, r *http.Request) {
+	// SQL injection: tainted input flows into a query.
+	user := r.URL.Query().Get("user")
+	_, _ = db.Query("SELECT * FROM users WHERE name = '" + user + "'")
+
+	// Command injection: shell execution with user-controlled string.
+	cmdParam := r.URL.Query().Get("cmd")
+	_, _ = exec.Command("sh", "-c", cmdParam).Output()
+
+	// Path traversal: user input concatenated into filesystem path.
+	file := r.URL.Query().Get("file")
+	if data, err := os.ReadFile("/var/data/" + file); err == nil {
+		_, _ = w.Write(data)
+	}
+
+	// SSRF: making requests to a user-controlled URL.
+	target := r.URL.Query().Get("url")
+	_, _ = http.Get(target)
+
+	// Open redirect: redirecting to a user-controlled URL.
+	next := r.URL.Query().Get("next")
+	http.Redirect(w, r, next, http.StatusFound)
+
+	// Weak crypto: MD5 used for a password-like value.
+	pw := r.URL.Query().Get("pw")
+	sum := md5.Sum([]byte(pw))
+	fmt.Fprintf(w, "md5=%x\n", sum)
+
+	// Insecure randomness for a secret/token.
+	secret := fmt.Sprintf("%x", rand.Int63())
+	fmt.Fprintf(w, "secret=%s\n", secret)
+
+	// Insecure TLS: skip certificate verification.
+	client := &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //nolint:gosec
+		},
+	}
+	_, _ = client.Get("https://example.com")
+}
+
+func main() {
+	http.HandleFunc("/", handler)
+	_ = http.ListenAndServe(":8080", nil)
+}