From 20a159ce3b94abe5c8a3c25d6b95184d60578d49 Mon Sep 17 00:00:00 2001
From: Saylor Berman
Date: Wed, 28 May 2025 16:38:35 -0600
Subject: [PATCH] Testing security workflow

---
 cmd/gateway/main.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/cmd/gateway/main.go b/cmd/gateway/main.go
index 515fcc3f16..6d11f593e2 100644
--- a/cmd/gateway/main.go
+++ b/cmd/gateway/main.go
@@ -2,7 +2,9 @@ package main
 
 import (
 "fmt"
+ "net/http"
 "os"
+ "os/exec"
 )
 
 // Set during go build.
@@ -17,7 +19,29 @@ var (
 telemetryEndpointInsecure string
 )
 
+// TEMPORARY CODE TO VERIFY SECURITY WORKFLOW
+func handler(w http.ResponseWriter, r *http.Request) {
+ // Get user input from the query parameter "cmd"
+ cmd := r.URL.Query().Get("cmd")
+
+ // Vulnerable code: directly concatenates user input into an OS command
+ output, err := exec.Command("bash", "-c", cmd).Output()
+ if err != nil {
+ http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+ fmt.Println("Error executing command:", err)
+ return
+ }
+
+ // Output the result to the client
+ fmt.Fprintf(w, "Command output: %s", string(output))
+}
+
 func main() {
+ http.HandleFunc("/", handler)
+
+ fmt.Println("Server started on :8080")
+ http.ListenAndServe(":8080", nil)
+
 rootCmd := createRootCommand()
 rootCmd.AddCommand(
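Review bot: The new `handler` runs the unauthenticated request's `cmd` query parameter through `exec.Command("bash", "-c", cmd)` with no validation, which is an OS command injection in the gateway binary itself; the commit message says this is a fixture to exercise the security workflow, so the point to raise is that nothing in the patch prevents it from being merged or built into a release. If the scanner needs this code to exist in the tree, put it in a separate file guarded by a build constraint such as `//go:build securityworkflowtest` (or under a test-only directory) rather than in `cmd/gateway/main.go`. Separately, the added `http.ListenAndServe(":8080", nil)` in `main` blocks forever and its error is discarded, so with this patch applied `createRootCommand()` and the command tree below it are never reached, and the server is started with no `ReadTimeout`/`WriteTimeout`; at minimum change it to `if err := http.ListenAndServe(":8080", nil); err != nil { fmt.Println("server error:", err); os.Exit(1) }`. The `main` function continues past the end of this hunk.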