Testing security workflow

Author: sjberman

cmd/gateway/main.go

@@ -2,7 +2,9 @@ package main
 
 import (
 	"fmt"
+	"net/http"
 	"os"
+	"os/exec"
 )
 
 // Set during go build.
@@ -17,7 +19,29 @@ var (
 	telemetryEndpointInsecure string
 )
 
+// TEMPORARY CODE TO VERIFY SECURITY WORKFLOW
+func handler(w http.ResponseWriter, r *http.Request) {
+	// Get user input from the query parameter "cmd"
+	cmd := r.URL.Query().Get("cmd")
+
+	// Vulnerable code: directly concatenates user input into an OS command
+	output, err := exec.Command("bash", "-c", cmd).Output()
+	if err != nil {
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		fmt.Println("Error executing command:", err)
+		return
+	}
+
+	// Output the result to the client
+	fmt.Fprintf(w, "Command output: %s", string(output))
+}
+
 func main() {
+	http.HandleFunc("/", handler)
+
+	fmt.Println("Server started on :8080")
+	http.ListenAndServe(":8080", nil)
+
 	rootCmd := createRootCommand()
 
 	rootCmd.AddCommand(