From 2cd17d5a3bdfd8fcdf7e8fa5fea17ffc6032fef8 Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:42:23 -0700 Subject: [PATCH 01/10] Add app with some issues --- app.py | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 app.py diff --git a/app.py b/app.py new file mode 100644 index 0000000..072307b --- /dev/null +++ b/app.py @@ -0,0 +1,22 @@ +# A simple app with some issues for Heimdall to find + +import os +import subprocess + +def get_user_input(): + query = input("Enter search: ") + # SQL injection vulnerability + result = db.execute(f"SELECT * FROM users WHERE name = '{query}'") + return result + +def run_command(cmd): + # Command injection vulnerability + subprocess.call(cmd, shell=True) + +# Hardcoded secret +API_KEY = "sk-1234567890abcdef" + +def fetch_data(): + # No error handling + response = requests.get(f"https://api.example.com?key={API_KEY}") + return response.json() -- 2.49.1 From 298334402e0d28755f210c8e90d77a448dd8c03b Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:44:04 -0700 Subject: [PATCH 02/10] Add more code --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index 072307b..b593117 100644 --- a/app.py +++ b/app.py @@ -20,3 +20,4 @@ def fetch_data(): # No error handling response = requests.get(f"https://api.example.com?key={API_KEY}") return response.json() +# More code -- 2.49.1 From 144d5362aa7e01b14f54a5902f48b34c46466849 Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:45:17 -0700 Subject: [PATCH 03/10] Trigger review again --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index b593117..a51fa05 100644 --- a/app.py +++ b/app.py @@ -21,3 +21,4 @@ def fetch_data(): response = requests.get(f"https://api.example.com?key={API_KEY}") return response.json() # More code +# Even more -- 2.49.1 From 1eae75912e90038dd72507825bc76bf9c0d1509f Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:46:09 -0700 Subject: [PATCH 04/10] Debug worker --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index a51fa05..2e106f0 100644 --- a/app.py +++ b/app.py @@ -22,3 +22,4 @@ def fetch_data(): return response.json() # More code # Even more +# debug2 -- 2.49.1 From 574f1b9635fb2aa92a1fe2541471ea614e1868c8 Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:46:45 -0700 Subject: [PATCH 05/10] Test fg --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index 2e106f0..ebb7599 100644 --- a/app.py +++ b/app.py @@ -23,3 +23,4 @@ def fetch_data(): # More code # Even more # debug2 +# foreground test -- 2.49.1 From 8d9ca63a8af9fbc2443f3f8e67e1e77ed4763546 Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:48:00 -0700 Subject: [PATCH 06/10] Actual test --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index ebb7599..2ba2158 100644 --- a/app.py +++ b/app.py @@ -24,3 +24,4 @@ def fetch_data(): # Even more # debug2 # foreground test +# actual test -- 2.49.1 From 568f03413c9844e9d0494ab25df4d0d3bfa1672b Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:49:36 -0700 Subject: [PATCH 07/10] Retry --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index 2ba2158..886c28b 100644 --- a/app.py +++ b/app.py @@ -25,3 +25,4 @@ def fetch_data(): # debug2 # foreground test # actual test +# retry -- 2.49.1 From 46562f376eef8b72fac9bbdc9b22ea8f962e726f Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:50:51 -0700 Subject: [PATCH 08/10] Fixed clone --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index 886c28b..acbe3f6 100644 --- a/app.py +++ b/app.py @@ -26,3 +26,4 @@ def fetch_data(): # foreground test # actual test # retry +# fixed clone -- 2.49.1 From c30ebfb49f1e65b33500d49550f861b082c10235 Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:53:01 -0700 Subject: [PATCH 09/10] Deepen test --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index acbe3f6..0f5cc36 100644 --- a/app.py +++ b/app.py @@ -27,3 +27,4 @@ def fetch_data(): # actual test # retry # fixed clone +# deepen test -- 2.49.1 From 833eb9f8649fdc88f496daf44f682184626945d6 Mon Sep 17 00:00:00 2001 From: Jared Wadsworth Date: Sat, 31 Jan 2026 17:54:55 -0700 Subject: [PATCH 10/10] Full clone --- app.py | 1 + 1 file changed, 1 insertion(+) diff --git a/app.py b/app.py index 0f5cc36..0d0c24d 100644 --- a/app.py +++ b/app.py @@ -28,3 +28,4 @@ def fetch_data(): # retry # fixed clone # deepen test +# full clone -- 2.49.1