From 327376232deface844e5621fe0cfff665d5e9d43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?B=C3=A1lint=20Bokros?=
Date: Mon, 27 Nov 2017 18:49:39 +0100
Subject: [PATCH] Create prepared vulnerable code
---
 src/components/login_component.py | 27 +++++++++++++++++++++++++++
 src/components/tutorialpoc.db | Bin 0 -> 16384 bytes
 2 files changed, 27 insertions(+)
 create mode 100644 src/components/login_component.py
 create mode 100644 src/components/tutorialpoc.db
diff --git a/src/components/login_component.py b/src/components/login_component.py
new file mode 100644
index 0000000..d8e37d1
--- /dev/null
+++ b/src/components/login_component.py
@@ -0,0 +1,27 @@
+import sqlite3
+
+
+def get_db():
+ return sqlite3.connect('tutorialpoc.db')
+
+
+def authorize_login(email, password):
+ """
+ This method checks if a user is authorized and has admin privileges.
+ :param email: The email address of the user.
+ :param password: The password of the user.
+ :return: A tuple, the first element is the email address if the user exists,
+ and None if they don't; the second element is a boolean, which is True if
+ the user has admin privileges.
+ """
+ conn = get_db()
+ sql_statement = '''SELECT email, is_admin FROM users
+ WHERE email="{}" AND password="{}"'''
+ # The problem with this approach is that it substitutes any value received
+ # from the user, even if it is a valid SQL statement!
+ result = conn.execute(sql_statement.format(email, password)).fetchone()
+ if result is None:
+ return None, False
+ else:
+ email, is_admin = result
+ return email, is_admin == 1
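Review bot: Beyond the format-string SQL injection that the inline comment already acknowledges as intentional, authorize_login never closes the connection returned by get_db(), so every call leaks a sqlite3 connection; wrap it as `with contextlib.closing(get_db()) as conn:` (sqlite3's own context manager only commits or rolls back, it does not close) or call `conn.close()` in a `finally`. The query also compares the password in plaintext via SQL equality, so even the eventual parameterized version, `conn.execute('SELECT email, is_admin FROM users WHERE email=? AND password=?', (email, password)).fetchone()`, would still be storing and matching raw passwords; the tutorial's fixed step should look the user up by email only and verify a salted hash of the password in Python. get_db() opens `'tutorialpoc.db'` relative to the process's working directory rather than the module's location, so when the app is started from elsewhere sqlite3 silently creates an empty database and every login fails; presumably acceptable for a PoC, but worth a comment such as `# NOTE: resolved against CWD, run from src/components/`. The `is_admin == 1` test assumes the column is an integer flag, which the bundled database presumably satisfies but the code does not check.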
diff --git a/src/components/tutorialpoc.db b/src/components/tutorialpoc.db new file mode 100644 index 0000000000000000000000000000000000000000..cde24ab8ce11ba9fa09b780a92d9c80f7f8c04b2 GIT binary patch literal 16384 zcmeI(zfRjg90%|_oBtBM4i#>NHLa^nm9H%m(WbsK@Q1M97CK4*7iyI z3f*`FmOeorp>w5Tn930^lc$7IQstZw zV(7A<%QUF&%#Wwne%Bgg_xb%g`%26w9|$wqN8KPG009U<00Izz00bZa0SG_<0)G}b zF_*0EZQ32l^S;Wj`}*xQ&eio;4KC(~3r^(P!sWs~@?AccyETxh+R-yhZ|ii~vMl;8 zE$%ta)i5tAb%*QE79?M>u45m+?J)%@HmaIdIl4Q_R zw-4);<55|@=HBD|g30%P%DxbNARqt%2tWV=5P$##AOHafKmY;|_@4w;scF&g Hzc_pYU}u|_ literal 0 HcmV?d00001