
@smelllikesmoke

Suggested PR title

Secure rewrite: add app_good.py, good.db, tests, and README; fix vulnerable endpoints

Suggested PR description

  • Summary
    • Replace insecure demo with a hardened Flask app (app_good.py) using good.db.
    • Fixes across auth, IDOR, SQLi, XSS, CSRF, open redirect, file upload, XML, command injection, unsafe deserialization, eval, and signature verification.
  • Changes
    • New: app_good.py, requirements.txt, test_endpoints.py
    • Updated: README.md with setup/run/test instructions
    • DB: auto-initialized good.db with bcrypt-hashed users (alice admin, bob user)
    • Added logging in test script; safe redirect and CSRF token checks
  • Security hardening highlights
    • Parameterized SQL for auth and /users/find
    • Session-based auth; removed client-controlled flags
    • Ownership checks in /auth/idor
    • Escaped HTML in /xss
    • CSRF required for /bank/transfer via X-CSRF-Token
    • Open redirects restricted to internal paths
    • File uploads: secure_filename, extension allowlist, size limits
    • XML parsing via defusedxml
    • subprocess.run([...], shell=False) for ping
    • JSON-only alternative to pickle
    • No eval; tiny integer-only evaluator
    • HMAC-SHA256 with compare_digest for /sig/verify
    • Debug disabled in production
  • How to run
    • Python 3.10+; create venv
    • Install: pip install -r requirements.txt
    • Run app: python app_good.py
    • If login fails after crypto changes: delete good.db and restart
  • Tests
    • Start server, then: python test_endpoints.py
    • Logs show step-by-step verification; ends with “All endpoint smoke tests passed.”
  • Notes
    • Env vars: SECRET_KEY, HMAC_SECRET, BASE_URL (optional for tests)
    • Do not enable Flask debug in production
  • Checklist
    • Secure endpoints implemented
    • DB renamed to good.db
    • Requirements pinned (passlib[bcrypt]==1.7.4, bcrypt==3.2.2)
    • Tests pass locally
    • README updated

Repo: https://github.com/saad22598/secure-coding
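Three of the hardening points listed in the description (open redirects restricted to internal paths, HMAC-SHA256 verification with compare_digest, and an integer-only evaluator in place of eval) are shown below as a self-contained, pure-stdlib illustration. This is an added example, not code from this PR or from the saad22598/secure-coding repository; the function names `is_safe_redirect`, `verify_signature` and `safe_int_eval`, and the sample inputs, are assumptions chosen for illustration, and the app's actual handlers may differ.

```python
# Added example (not the project's code): stdlib-only versions of three
# hardening patterns named in the PR description. Function names and inputs
# are illustrative assumptions, not identifiers taken from app_good.py.
import ast
import hashlib
import hmac
import operator
from urllib.parse import urlsplit


def is_safe_redirect(target: str) -> bool:
    """Accept only same-site relative paths such as '/dashboard?tab=1'.

    Rejects absolute URLs, scheme-relative '//host' forms, backslashes
    (which some browsers normalise to '/') and control characters.
    """
    if not target or not target.startswith("/"):
        return False
    if target.startswith("//"):
        return False
    if any(ch in target for ch in "\\\r\n\t\x00"):
        return False
    parts = urlsplit(target)
    # A genuinely relative path carries neither a scheme nor a netloc.
    return parts.scheme == "" and parts.netloc == ""


def sign(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, presented: str) -> bool:
    """Recompute the MAC and compare in constant time.

    compare_digest does not short-circuit on the first mismatching
    character, so response timing does not reveal how much of the
    presented digest was correct.
    """
    expected = sign(secret, body)
    return hmac.compare_digest(expected, presented)


# Whitelisted node types for the integer-only evaluator. No Pow: '2**10000'
# style inputs would let a caller burn CPU and memory.
_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv,
    ast.Mod: operator.mod,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_int_eval(expr: str, max_len: int = 64) -> int:
    """Evaluate + - * // % over integer literals; anything else is rejected.

    The expression is parsed into an AST and walked with an allowlist, so
    names, calls, attribute access and non-integer literals never execute.
    """
    if len(expr) > max_len:
        raise ValueError("expression too long")
    tree = ast.parse(expr, mode="eval")

    def _eval(node: ast.AST) -> int:
        if isinstance(node, ast.Expression):
            return _eval(node.body)
        # 'type(...) is int' also excludes bool, which subclasses int.
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
            return _BIN_OPS[type(node.op)](_eval(node.left), _eval(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
            return _UNARY_OPS[type(node.op)](_eval(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return _eval(tree)


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    secret = b"constructed-demo-secret"
    body = b'{"amount": 25}'
    print(is_safe_redirect("/dashboard"), is_safe_redirect("//attacker.example"))
    print(verify_signature(secret, body, sign(secret, body)))
    print(safe_int_eval("2 + 3 * 4"))
```

The redirect check deliberately tests the raw string before calling `urlsplit`, because the parser is forgiving about exactly the inputs (backslashes, embedded newlines) that browsers and servers disagree on. The evaluator caps input length so that a client cannot submit arbitrarily deep expressions, and it raises on anything outside the allowlist rather than trying to sanitise it.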
