From 2cd17d5a3bdfd8fcdf7e8fa5fea17ffc6032fef8 Mon Sep 17 00:00:00 2001
From: Jared Wadsworth
Date: Sat, 31 Jan 2026 17:42:23 -0700
Subject: [PATCH] Add app with some issues
---
 app.py | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 app.py
diff --git a/app.py b/app.py
new file mode 100644
index 0000000..072307b
--- /dev/null
+++ b/app.py
@@ -0,0 +1,22 @@
+# A simple app with some issues for Heimdall to find
+
+import os
+import subprocess
+
+def get_user_input():
+ query = input("Enter search: ")
+ # SQL injection vulnerability
+ result = db.execute(f"SELECT * FROM users WHERE name = '{query}'")
+ return result
+
+def run_command(cmd):
+ # Command injection vulnerability
+ subprocess.call(cmd, shell=True)
+
+# Hardcoded secret
+API_KEY = "sk-1234567890abcdef"
+
+def fetch_data():
+ # No error handling
+ response = requests.get(f"https://api.example.com?key={API_KEY}")
+ return response.json()
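Review bot: `db` and `requests` are referenced in get_user_input and fetch_data but never imported or defined, so both functions raise NameError before the annotated SQL and HTTP sinks are ever reached, while `import os` is unused. If this fixture is meant to be executed by the scanner rather than only parsed, add `import requests` beside the other imports and bind `db` to something concrete (e.g. `import sqlite3` / `db = sqlite3.connect(":memory:")`), and drop the unused `os` import. Because the file is a deliberate vulnerability fixture, a module docstring stating that the string-built query, the `shell=True` call and the literal API key are intentional test material and must not be reused as production code would keep the intent unambiguous for readers and for secret scanners that will flag the `sk-` literal.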