From a6bd4efd671beb0767b1e1c1642294a02ebba719 Mon Sep 17 00:00:00 2001
From: Preeti Jatti
Date: Mon, 12 Jan 2026 16:15:56 +0530
Subject: [PATCH] Add sample cases for python-incorrect_authorization

---
 .../incorrect_authorization.py | 33 +++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 src/python/detectors/incorrect_authorization/incorrect_authorization.py

diff --git a/src/python/detectors/incorrect_authorization/incorrect_authorization.py b/src/python/detectors/incorrect_authorization/incorrect_authorization.py
new file mode 100644
index 0000000..339d465
--- /dev/null
+++ b/src/python/detectors/incorrect_authorization/incorrect_authorization.py
@@ -0,0 +1,33 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+from flask import Flask, request, abort, session
+
+app = Flask(__name__)
+app.secret_key = 'some_secret_key'
+
+def perform_sensitive_operation():
+    pass
+
+# {fact rule=incorrect-authorization@v1.0 defects=1}
+@app.route('/noncompliant')
+def incorrect_authorization_noncompliant():
+    # Noncompliant: Authorization is based on a cookie, which can be easily manipulated by an anonymous user.
+    role = request.cookies.get('role')
+    if role == 'Admin':
+        perform_sensitive_operation()
+    return "Operation completed"
+# {/fact}
+
+
+# {fact rule=incorrect-authorization@v1.0 defects=0}
+@app.route('/compliant')
+def incorrect_authorization_compliant():
+    role = session.get('role')
+    # Compliant: Authorization is based on the user session, which is safer.
+    if role == 'Admin':
+        perform_sensitive_operation()
+    else:
+        abort(403, "Not authorized")
+    return "Sensitive operation performed"
+# {/fact}
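Review bot: The compliant sample's guarantee rests entirely on the Flask session signing key, and the new side sets it to the hardcoded literal `app.secret_key = 'some_secret_key'` — Flask sessions are client-side cookies signed with that key, so anyone who reads this public sample can mint a session cookie carrying `role='Admin'` and pass the `/compliant` check about as easily as the `/noncompliant` one. Since this is a detector fixture the rule under test may deliberately ignore the key, but the `defects=0` label and the comment "which is safer" only hold if the key is actually secret; I would load it from the environment, `app.secret_key = os.environ['FLASK_SECRET_KEY']`, with a matching `import os`, or at minimum annotate the literal with `# placeholder: a real deployment must use a random, non-committed key`. The comment inside the compliant block would also be more precise as `# Compliant: role comes from the server-signed session; a client cannot change it without the signing key.`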