Initial commit

src/security_demo/services/__init__.py

@@ -0,0 +1 @@
+"""Services module with additional patterns."""

src/security_demo/services/auth.py

@@ -0,0 +1,39 @@
+"""Authentication service - streamlined version."""
+
+import hashlib
+import hmac
+import secrets
+from typing import Optional
+
+
+class AuthenticationService:
+    """Handle user authentication."""
+
+    # TP: Hardcoded JWT secret
+    JWT_SECRET = "hardcoded_jwt_secret_key_2024"
+
+    # FP: Default for development only
+    DEV_SECRET = "development_only_not_production"
+
+    def hash_password_insecure(self, password: str) -> str:
+        """TP: MD5 for password hashing."""
+        return hashlib.md5(password.encode()).hexdigest()
+
+    def generate_token_secure(self, user_id: int) -> str:
+        """FP: Secrets module for token generation."""
+        token = secrets.token_urlsafe(32)
+        return f"{user_id}:{token}"
+
+    def verify_webhook_signature(self, payload: bytes, signature: str) -> bool:
+        """FP: HMAC verification is secure."""
+        expected = hmac.new(
+            self.JWT_SECRET.encode(), payload, hashlib.sha256
+        ).hexdigest()
+        return hmac.compare_digest(expected, signature)
+
+    def verify_webhook_insecure(self, payload: bytes, signature: str) -> bool:
+        """TP: Using == for signature comparison (timing attack)."""
+        expected = hmac.new(
+            self.JWT_SECRET.encode(), payload, hashlib.sha256
+        ).hexdigest()
+        return expected == signature  # Timing attack vulnerable!

src/security_demo/services/files.py

@@ -0,0 +1,42 @@
+"""File handling service - streamlined version."""
+
+import os
+import pickle
+import tempfile
+from typing import Any
+import yaml
+
+
+class FileService:
+    """Handle file operations."""
+
+    def load_pickle_user_path(self, filepath: str) -> Any:
+        """TP: Pickle from user-controlled path."""
+        with open(filepath, "rb") as f:
+            return pickle.load(f)
+
+    def load_pickle_fixed_path(self) -> Any:
+        """FP: Pickle from known internal path."""
+        with open("/etc/app/cache.pkl", "rb") as f:
+            return pickle.load(f)
+
+    def save_temp_insecure(self, data: bytes) -> str:
+        """TP: Predictable temp file."""
+        filepath = f"/tmp/data_{os.getpid()}.dat"
+        with open(filepath, "wb") as f:
+            f.write(data)
+        return filepath
+
+    def save_temp_secure(self, data: bytes) -> str:
+        """FP: Secure temp file creation."""
+        with tempfile.NamedTemporaryFile(delete=False) as f:
+            f.write(data)
+            return f.name
+
+    def load_yaml_unsafe(self, yaml_string: str) -> Any:
+        """TP: Unsafe YAML loader."""
+        return yaml.load(yaml_string, Loader=yaml.Loader)
+
+    def load_yaml_safe(self, yaml_string: str) -> Any:
+        """FP: SafeLoader is secure."""
+        return yaml.safe_load(yaml_string)