From 73638f9df1bf9c6d74c7d45978018a0ce22cbe23 Mon Sep 17 00:00:00 2001
From: "bruno.silva"
Date: Wed, 25 Feb 2026 14:43:29 +0000
Subject: [PATCH] vulnerabilities to test apiiro

---
 .apiiro-test/README.md | 18 ++++++++++++++++
 .apiiro-test/vulnerabilities.kt | 8 +++++++
 .apiiro-test/vulnerabilities.swift | 8 +++++++
 .apiiro-test/vulnerabilities.ts | 34 ++++++++++++++++++++++++++++++
 4 files changed, 68 insertions(+)
 create mode 100644 .apiiro-test/README.md
 create mode 100644 .apiiro-test/vulnerabilities.kt
 create mode 100644 .apiiro-test/vulnerabilities.swift
 create mode 100644 .apiiro-test/vulnerabilities.ts

diff --git a/.apiiro-test/README.md b/.apiiro-test/README.md
new file mode 100644
index 0000000..b68ddc3
--- /dev/null
+++ b/.apiiro-test/README.md
@@ -0,0 +1,18 @@
+# APIIRO Security Scanner Test Fixtures
+
+**⚠️ DO NOT MERGE TO PRODUCTION**
+
+This folder contains intentionally vulnerable code for testing APIIRO security scanning.
+
+| Severity | Vulnerability Type | File |
+|----------|-------------------|------|
+| **HIGH** | Hardcoded secrets/API keys | All |
+| **HIGH** | SQL Injection | All |
+| **HIGH** | eval() with user input | vulnerabilities.ts |
+| **MEDIUM** | Insecure random (Math.random) | vulnerabilities.ts |
+| **MEDIUM** | Sensitive data in logs | All |
+| **LOW** | Weak password validation | All |
+| **LOW** | Insecure HTTP URL | vulnerabilities.ts |
+| **LOW** | TODO/FIXME in code | vulnerabilities.ts |
+
+Remove this folder before releasing to production.
diff --git a/.apiiro-test/vulnerabilities.kt b/.apiiro-test/vulnerabilities.kt
new file mode 100644
index 0000000..81269f3
--- /dev/null
+++ b/.apiiro-test/vulnerabilities.kt
@@ -0,0 +1,8 @@
+/**
+ * INTENTIONAL VULNERABILITIES FOR APIIRO TESTING
+ * DO NOT use in production. Remove before release.
+ */
+const val HARDCODED_SECRET = "sk_live_abc123xyz789secretkey"
+fun sqlInjectionVulnerable(userInput: String) = "SELECT * FROM users WHERE id = '$userInput'"
+fun debugWithSensitiveData(password: String) { android.util.Log.d("Auth", "Password: $password") }
+fun weakPasswordCheck(password: String) = password.length >= 4
diff --git a/.apiiro-test/vulnerabilities.swift b/.apiiro-test/vulnerabilities.swift
new file mode 100644
index 0000000..06b738a
--- /dev/null
+++ b/.apiiro-test/vulnerabilities.swift
@@ -0,0 +1,8 @@
+/**
+ * INTENTIONAL VULNERABILITIES FOR APIIRO TESTING
+ * DO NOT use in production. Remove before release.
+ */
+let hardcodedSecret = "sk_live_abc123xyz789secretkey"
+func sqlInjectionVulnerable(userInput: String) -> String { "SELECT * FROM users WHERE id = '\(userInput)'" }
+func debugWithSensitiveData(password: String) { print("User password: \(password)") }
+func weakPasswordCheck(password: String) -> Bool { password.count >= 4 }
diff --git a/.apiiro-test/vulnerabilities.ts b/.apiiro-test/vulnerabilities.ts
new file mode 100644
index 0000000..9b90b02
--- /dev/null
+++ b/.apiiro-test/vulnerabilities.ts
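Review bot: `debugWithSensitiveData` calls `android.util.Log.d`, which only resolves when the Android SDK is on the compile classpath, so if `.apiiro-test` lies inside a compiled Kotlin source set this commit breaks the build for any non-Android module; confirm the folder is excluded from every source set. The literal `"sk_live_abc123xyz789secretkey"` (repeated in the vulnerabilities.swift and vulnerabilities.ts hunks, next to an `AIzaSy…` value in the latter) copies real provider key prefixes, so forge push-protection or secret scanners will likely block or flag the commit itself rather than just the folder. Because deleting the folder later leaves these strings in git history, the README's "Remove this folder before releasing" does not remove them from the repository; consider keeping the fixtures on a dedicated non-release branch or a separate repository. At minimum, state in the header comment that the values are synthetic, e.g. ` * Key-shaped strings in this file are synthetic and have never been valid credentials.`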
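Review bot: `debugWithSensitiveData(password:)` emits the password via `print`, which writes to stdout rather than through a logging API such as `NSLog` or `os.Logger`; if the scanner's "Sensitive data in logs" rule (which the README assigns to all three files) keys on logging sinks rather than on `print`, this fixture may not exercise that rule at all. Consider adding a logging sink alongside the existing line, e.g. `NSLog("User password: %@", password)` together with `import Foundation`, and recording in the header comment which sink each README row is expected to match. The Swift file otherwise mirrors the Kotlin fixture line for line, so any adjustment to one should be made to both to keep the README table accurate.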
@@ -0,0 +1,34 @@
+/**
+ * INTENTIONAL VULNERABILITIES FOR APIIRO TESTING
+ * DO NOT use in production. Remove before release.
+ */
+
+// ============ HIGH SEVERITY ============
+export const HARDCODED_SECRET = 'sk_live_abc123xyz789secretkey';
+export const API_KEY = 'AIzaSyB1234567890abcdefghijklmnop';
+
+export function sqlInjectionVulnerable(userInput: string): string {
+ return `SELECT * FROM users WHERE id = '${userInput}'`;
+}
+
+export function evalVulnerable(userInput: string): unknown {
+ return eval(userInput);
+}
+
+// ============ MEDIUM SEVERITY ============
+export function insecureRandomToken(): string {
+ return Math.random().toString(36).substring(2);
+}
+
+export function debugWithSensitiveData(user: { password: string }) {
+ console.log('User auth:', user);
+}
+
+// ============ LOW SEVERITY ============
+// TODO: Security fix needed
+// FIXME: Add validation
+export function weakPasswordCheck(password: string): boolean {
+ return password.length >= 4;
+}
+
+export const INSECURE_URL = 'http://api.example.com/data';
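Review bot: Every fixture in this hunk is `export`ed, so if the project's TypeScript configuration or bundler entry includes `.apiiro-test`, `evalVulnerable` and the key constants become part of the built artifact and are callable by any importer — the README's "Remove this folder before releasing" is then a manual step standing in for a build control. Confirm the folder appears in the tsconfig `exclude` (and in any lint or test globs that would otherwise fail on `eval` or the `TODO`/`FIXME` lines), or add a CI check that fails when `.apiiro-test` exists on a release branch. Dropping the `export` keywords would keep the fixture inert even if it were compiled, unless the scanner needs exported symbols to report its findings.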