34 changes: 10 additions & 24 deletions README.md
@@ -1,31 +1,17 @@
<p align="center">
<img src="https://deepsource.io/images/logo-wordmark-dark.svg" />
</p>
MyApp
=====

<p align="center">
<a href="https://deepsource.io/docs/">Documentation</a> |
<a href="https://deepsource.io/signup/">Get Started</a> |
<a href="https://discuss.deepsource.io/">Discuss</a>
</p>

<p align="center">
DeepSource helps you ship good quality code.
</p>

</p>

---

# Demo repository - Python

This repository demonstrates sample issues in Python code raised by DeepSource.
A lightweight Python service example. The source lives under `src/app` and includes a small CLI.

[![DeepSource](https://deepsource.io/gh/deepsourcelabs/demo-python.svg/?label=active+issues&show_trend=true)](https://deepsource.io/gh/deepsourcelabs/demo-python/?ref=repository-badge)
This repository is intended to be a simple starting point for contributors.

### Report
Run the CLI:

[https://deepsource.io/gh/deepsourcelabs/demo-python/issues/](https://deepsource.io/gh/deepsourcelabs/demo-python/issues/)
```bash
python -m src.app.main
```

### Documentation

[https://deepsource.io/docs/analyzer/python.html](https://deepsource.io/docs/analyzer/python.html)
License: MIT
---
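Review bot: the rewritten README states `License: MIT`, but no LICENSE file is part of this change; either add the file or drop the line until it exists. The "Run the CLI" section also jumps straight to `python -m src.app.main` without mentioning the `requirements.txt` this same change introduces, so a `pip install -r requirements.txt` step before the run command would make the instructions complete.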
138 changes: 0 additions & 138 deletions demo_code.py

This file was deleted.

19 changes: 0 additions & 19 deletions duplicate_bases_class.py

This file was deleted.

129 changes: 0 additions & 129 deletions hello.py

This file was deleted.

17 changes: 17 additions & 0 deletions poc.py
@@ -1,3 +1,20 @@
import os

x = list(range(10))
import time

# Introduce issues: busy wait, unused imports, and insecure temp file usage

def busy_wait(seconds):
start = time.time()
while time.time() - start < seconds:
pass # busy wait

def create_temp_file():
fname = '/tmp/poc_temp.txt'


Variable fname with hardcoded path used for temp file in create_temp_file()

The variable fname is assigned a hardcoded path '/tmp/poc_temp.txt' on line 14 within create_temp_file(). This insecure practice risks file hijacking by attackers who can predict and create malicious files at that path. Use tempfile.TemporaryFile() to generate secure, unpredictable temporary files and ensure proper cleanup.


Variable fname uses hardcoded path in create_temp_file() causing security risks

The variable fname is assigned the hardcoded path '/tmp/poc_temp.txt' on line 14 within the create_temp_file() function, where it is opened for writing and not properly closed. This insecure practice allows attackers to predict and potentially hijack the temporary file, risking data corruption or malicious file execution. Use the tempfile.TemporaryFile() function to create secure, unpredictable temporary files that automatically clean up after use.

f = open(fname, 'w')
f.write('temp')
return fname # file not closed properly

def insecure_op():
os.system('echo vulnerable') # command injection risk if extended
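Review bot: `create_temp_file()` returns `fname` right after `f.write('temp')` without closing `f`, so the handle leaks and the write may still sit in the buffer when the caller opens the path; `with open(fname, 'w') as f:` fixes both. Because the function returns a path, the analyzer's suggested `tempfile.TemporaryFile()` does not fit (it has no usable name on POSIX); `tempfile.mkstemp()` or `tempfile.NamedTemporaryFile(delete=False)` gives an unpredictable path the caller can still open. In `busy_wait`, `time.sleep(seconds)` yields the CPU instead of spinning. If these issues are seeded on purpose, as the `# Introduce issues` comment says, the file should be excluded from anything the README-described service actually imports.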


Use of partial executable path in os.system() call in insecure_op() function

The os.system() function is invoked with a partial command string on line 20 inside insecure_op(). Using partial paths or commands risks executing unintended programs if PATH is manipulated, creating a security vulnerability. Replace with fully qualified executable paths or use safer modules like subprocess.run() with absolute paths to mitigate risk.


Use of partial executable path in os.system() call at line 20 risks security breach

The call to os.system() at line 20 uses a partial executable path with the command string echo vulnerable. Invoking external executables without fully qualified paths can let attackers insert malicious executables via PATH manipulation, risking privilege escalation or unauthorized actions. Replace such calls with the full absolute path to the executable or use safer libraries like subprocess.run() with explicit paths to prevent exploitation.

3 changes: 3 additions & 0 deletions requirements.txt
@@ -0,0 +1,3 @@
# Minimal requirements
# pinned to an old known-vulnerable version for testing
requests==2.18.4
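Review bot: `requests==2.18.4` is pinned to a version the comment on the line above calls known-vulnerable; if the pin exists only to exercise dependency scanning, say so in the README and keep this file out of any environment that runs the service, otherwise bump the pin to a current release.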
2 changes: 2 additions & 0 deletions src/app/__init__.py
@@ -0,0 +1,2 @@
# src/app package
__version__ = "0.1.0"
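Review bot: the package defines only `__version__ = "0.1.0"`, while the README in this same change documents `python -m src.app.main`; no `main.py` is added under `src/app`, so the documented command has no module to run. Either add the entry-point module or trim the README instruction until it lands.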