Intentionally vulnerable code for CodeQL to find, don't merge

Author: aulme

src/main/java/com/uid2/operator/service/InputUtil.java

@@ -5,6 +5,14 @@
 import com.uid2.operator.model.UserIdentity;
 
 import java.time.Instant;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.Statement;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.List;
 
 public class InputUtil {
 
@@ -272,4 +280,40 @@ public UserIdentity toUserIdentity(IdentityScope identityScope, int privacyBits,
         }
     }
 
+    // VULNERABILITY: SQL Injection - for CodeQL testing purposes only
+    // This method is intentionally vulnerable to demonstrate SQL injection detection
+    public static List<String> validateUserInput(String userQuery) {
+        List<String> results = new ArrayList<>();
+        try {
+            Connection conn = DriverManager.getConnection("jdbc:h2:mem:testdb");
+            Statement stmt = conn.createStatement();
+            
+            // VULNERABILITY: Direct string concatenation creates SQL injection risk
+            String sql = "SELECT username FROM users WHERE email = '" + userQuery + "'";
+            
+            ResultSet rs = stmt.executeQuery(sql);
+            while (rs.next()) {
+                results.add(rs.getString("username"));
+            }
+            stmt.close();
+            conn.close();
+        } catch (Exception e) {
+            // VULNERABILITY: Potentially leaking database error information
+            throw new RuntimeException("Database query failed: " + e.getMessage());
+        }
+        return results;
+    }
+
+    // VULNERABILITY: Path Traversal - for CodeQL testing purposes only
+    // This method is intentionally vulnerable to demonstrate directory traversal detection
+    public static String readConfigFile(String filename) {
+        try {
+            // VULNERABILITY: No validation allows directory traversal with ../
+            String content = Files.readString(Paths.get("/config/" + filename));
+            return content;
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to read config file: " + filename);
+        }
+    }
+
 }

src/main/java/com/uid2/operator/service/ResponseUtil.java

@@ -169,6 +169,28 @@ private static String ComposeMessage(String status, int statusCode, String messa
         return "Response to http request. " + msgJsonObject.encode();
     }
 
+    // VULNERABILITY: Cross-Site Scripting (XSS) - for CodeQL testing purposes only
+    // This method is intentionally vulnerable to demonstrate XSS detection
+    public static void SendHtmlResponse(RoutingContext rc, String userInput) {
+        // VULNERABILITY: User input directly embedded in HTML without sanitization
+        String htmlContent = "<html><body><h1>Welcome " + userInput + "</h1>" +
+                            "<p>Your search query: " + userInput + "</p></body></html>";
+        
+        rc.response()
+            .putHeader(HttpHeaders.CONTENT_TYPE, "text/html")
+            .end(htmlContent);
+    }
+
+    // VULNERABILITY: Additional XSS in JSON response - for CodeQL testing purposes only
+    public static void SendUnsafeJsonResponse(RoutingContext rc, String userMessage) {
+        // VULNERABILITY: Unescaped user input in JSON response that could be rendered as HTML
+        String jsonResponse = "{\"status\":\"success\",\"message\":\"<script>alert('" + userMessage + "')</script>\"}";
+        
+        rc.response()
+            .putHeader(HttpHeaders.CONTENT_TYPE, "application/json")
+            .end(jsonResponse);
+    }
+
     public static class ResponseStatus {
         public static final String Success = "success";
         public static final String Unauthorized = "unauthorized";