PyPI - patchops - Versions diffs - 1.0.0__tar.gz - Mend

patchops 1.0.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

patchops-1.0.0/MANIFEST.in ADDED Viewed

@@ -0,0 +1,4 @@
+recursive-include frontend *
+recursive-include lambdas *
+recursive-include PatchOps-Target *
+include pipeline_api.py

patchops-1.0.0/PKG-INFO ADDED Viewed

@@ -0,0 +1,17 @@
+Metadata-Version: 2.4
+Name: patchops
+Version: 1.0.0
+Requires-Python: >=3.9
+Requires-Dist: click
+Requires-Dist: fastapi
+Requires-Dist: uvicorn
+Requires-Dist: sse-starlette
+Requires-Dist: groq
+Requires-Dist: requests
+Requires-Dist: PyGithub
+Requires-Dist: python-dotenv
+Requires-Dist: httpx
+Requires-Dist: flask
+Requires-Dist: gitpython
+Dynamic: requires-dist
+Dynamic: requires-python

patchops-1.0.0/PatchOps-Target/__pycache__/auth.cpython-311.pyc ADDED Viewed

Binary file

patchops-1.0.0/PatchOps-Target/__pycache__/config.cpython-311.pyc ADDED Viewed

Binary file

patchops-1.0.0/PatchOps-Target/__pycache__/db_utils.cpython-311.pyc ADDED Viewed

Binary file

patchops-1.0.0/PatchOps-Target/__pycache__/init_db.cpython-311.pyc ADDED Viewed

Binary file

patchops-1.0.0/PatchOps-Target/__pycache__/reports.cpython-311.pyc ADDED Viewed

Binary file

patchops-1.0.0/PatchOps-Target/analytics.py ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ def track_event(name):
2	+ pass

patchops-1.0.0/PatchOps-Target/api_client.py ADDED Viewed

@@ -0,0 +1,4 @@
+# Isolated Group 2 API Client
+def fetch_external():
+    return {}

patchops-1.0.0/PatchOps-Target/app.py ADDED Viewed

@@ -0,0 +1,52 @@
+import os
+import subprocess
+from flask import Flask, request, jsonify
+import auth
+import config
+import db_utils
+import reports
+app = Flask(__name__)
+@app.route('/health')
+def health():
+    return jsonify({"status": "ok"})
+@app.get('/user')
+def get_user():
+    # CWE-89 SQL Injection: Directly inserting user input into query string
+    user_id = request.args.get('id')
+    conn = db_utils.get_connection()
+    cursor = conn.cursor()
+    # Vulnerable line: f-string insertion
+    query = f"SELECT username, email, role FROM users WHERE id = {user_id}"
+    cursor.execute(query)
+    user = cursor.fetchone()
+    conn.close()
+    if user:
+        return jsonify({"username": user[0], "email": user[1], "role": user[2]})
+    return jsonify({"error": "User not found"}), 404
+@app.get('/ping')
+def ping():
+    # CWE-78 Command Injection: Unsafe shell execution of user input
+    ip = request.args.get('ip')
+    try:
+        # Vulnerable line: shell=True and f-string
+        output = subprocess.check_output(f"ping -n 1 {ip}", shell=True)
+        return jsonify({"output": output.decode()})
+    except Exception as e:
+        return jsonify({"error": str(e)}), 500
+@app.get('/profile')
+def profile():
+    user_id = request.args.get('id')
+    profile_data = auth.get_profile(user_id)
+    if profile_data:
+        return jsonify({"profile": profile_data})
+    return jsonify({"error": "Profile not found"}), 404
+if __name__ == '__main__':
+    import init_db
+    init_db.init()
+    app.run(port=5000)

patchops-1.0.0/PatchOps-Target/auth.py ADDED Viewed

@@ -0,0 +1,20 @@
+import db_utils
+import config
+def login(username, password):
+    # Mock login
+    return {"status": "success", "token": "mock-token-123"}
+def get_profile(user_id):
+    # CWE-639 IDOR: no ownership check, directly queries DB with user-supplied ID
+    conn = db_utils.get_connection()
+    cursor = conn.cursor()
+    # Vulnerable line: direct execution with user_id f-string
+    query = f"SELECT * FROM users WHERE id = {user_id}"
+    cursor.execute(query)
+    profile = cursor.fetchone()
+    conn.close()
+    return profile
+def check_token(token):
+    return token == "mock-token-123"

patchops-1.0.0/PatchOps-Target/cache_manager.py ADDED Viewed

@@ -0,0 +1,7 @@
+# Isolated Group 3 utility
+def get_cache(key):
+    return f"cached_{key}"
+def set_cache(key, value):
+    pass

patchops-1.0.0/PatchOps-Target/config.py ADDED Viewed

@@ -0,0 +1,6 @@
+# Central config. Hardcoded secrets (CWE-798).
+DB_PATH = "users.db"
+DB_PASSWORD = "SUPER_SECRET_PASSWORD_123"  # CWE-798
+API_KEY = "sk-live-5555-6666-7777-8888"  # CWE-798
+DEBUG = True

patchops-1.0.0/PatchOps-Target/db_utils.py ADDED Viewed

@@ -0,0 +1,20 @@
+import sqlite3
+import config
+def get_connection():
+    # In a real app, DB_PASSWORD would be used here
+    return sqlite3.connect(DB_PATH)
+def safe_query(query, params=()):
+    conn = get_connection()
+    cursor = conn.cursor()
+    cursor.execute(query, params)
+    result = cursor.fetchall()
+    conn.close()
+    return result
+def query_user(user_id):
+    return safe_query("SELECT * FROM users WHERE id = ?", (user_id,))
+def query_report(report_id):
+    return safe_query("SELECT * FROM reports WHERE id = ?", (report_id,))

patchops-1.0.0/PatchOps-Target/email_service.py ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ def send_email(to, subject):
2	+ pass

patchops-1.0.0/PatchOps-Target/file_manager.py ADDED Viewed

@@ -0,0 +1,4 @@
+# Isolated Group 3 file manager
+def save_file(data):
+    pass

patchops-1.0.0/PatchOps-Target/init_db.py ADDED Viewed

@@ -0,0 +1,17 @@
+import sqlite3
+import os
+# Removed cross-imports
+def init(app=None):
+    if os.path.exists("users.db"):
+        os.remove("users.db")
+    conn = sqlite3.connect("users.db")
+    cursor = conn.cursor()
+    cursor.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, role TEXT, password TEXT)")
+    cursor.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'admin', 'password123')")
+    cursor.execute("INSERT INTO users VALUES (2, 'bob', 'bob@example.com', 'user', 'password456')")
+    conn.commit()
+    conn.close()
+if __name__ == '__main__':
+    init()

patchops-1.0.0/PatchOps-Target/logger.py ADDED Viewed

@@ -0,0 +1,4 @@
+# Isolated Group 3 logger
+def log(msg):
+    print(f"[{utils.format_date(None)}] {msg}")

patchops-1.0.0/PatchOps-Target/payment_gateway.py ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ def process_payment(amount):
2	+ return True

patchops-1.0.0/PatchOps-Target/reports.py ADDED Viewed

@@ -0,0 +1,9 @@
+import db_utils
+import config
+def generate_user_report(user_id):
+    user = db_utils.query_user(user_id)
+    return f"Report for user {user}"
+def export_csv():
+    return "id,name,email\n1,Alice,alice@example.com"

patchops-1.0.0/PatchOps-Target/search_engine.py ADDED Viewed

@@ -0,0 +1,4 @@
+import payment_gateway
+def search(query):
+    return []

patchops-1.0.0/PatchOps-Target/tests/smoke_test.py ADDED Viewed

@@ -0,0 +1,48 @@
+import requests
+import pytest
+BASE_URL = "http://localhost:5000"
+def test_health_endpoint():
+    """Verify patched app is alive."""
+    r = requests.get(f"{BASE_URL}/health", timeout=5)
+    assert r.status_code == 200
+    assert r.json()["status"] == "ok"
+def test_user_endpoint_returns_data():
+    """Verify /user endpoint still functions."""
+    r = requests.get(f"{BASE_URL}/user?id=1", timeout=5)
+    assert r.status_code == 200
+    # The database initialization creates a users table
+    assert "username" in r.json()
+def test_user_endpoint_no_sqli_bypass():
+    """Security smoke test: verify SQLi payload doesn't dump all users."""
+    # Payload that would normally dump more or bypass if not parameterized
+    r = requests.get(f"{BASE_URL}/user", params={"id": "1 OR 1=1--"}, timeout=5)
+    # If patched correctly, this should either 404 (not found) or return exactly one user (if id '1 OR 1=1--' is treated as a string)
+    # or return a 500/400 if it's a strict type check. For this demo, let's check it doesn't return more than 1 user.
+    if r.status_code == 200:
+        data = r.json()
+        # If it returns a single user object, its length (keys) is small.
+        # If it returns a list, we check length. Our current endpoint returns a single object.
+        assert "username" in data
+    else:
+        assert r.status_code in [404, 400, 500]
+def test_profile_endpoint_exists():
+    """Verify /profile exists and doesn't crash."""
+    r = requests.get(f"{BASE_URL}/profile?id=1", timeout=5)
+    assert r.status_code in [200, 401, 403, 404]
+def test_ping_endpoint_no_command_injection():
+    """Security smoke test: verify command injection is blocked."""
+    r = requests.get(f"{BASE_URL}/ping?ip=127.0.0.1; ls", timeout=5)
+    # If patched, the output should just be the ping result for "127.0.0.1; ls" which usually fails or just pings.
+    # It shouldn't contain etc/password or file listing markers.
+    if r.status_code == 200:
+        text = r.json().get("output", "").lower()
+        assert "etc" not in text
+        assert "root" not in text
+    else:
+        assert r.status_code in [400, 500]

patchops-1.0.0/PatchOps-Target/tests/test_suite.py ADDED Viewed

@@ -0,0 +1,9 @@
+import search_engine
+import analytics
+import email_service
+import payment_gateway
+import api_client
+import init_db
+def test_all():
+    print("Running integration tests for Services Cluster...")

patchops-1.0.0/PatchOps-Target/users.db ADDED Viewed

Binary file

patchops-1.0.0/PatchOps-Target/utils.py ADDED Viewed

@@ -0,0 +1,15 @@
+import re
+from datetime import datetime
+import cache_manager
+import validator
+import logger
+import file_manager
+def sanitize_string(s):
+    return re.sub(r'[^\w\s]', '', s)
+def validate_email(email):
+    return "@" in email
+def format_date(d):
+    return datetime.now().strftime("%Y-%m-%d")

patchops-1.0.0/PatchOps-Target/validator.py ADDED Viewed

@@ -0,0 +1,4 @@
+import cache_manager
+def validate_payload(payload):
+    return True

patchops-1.0.0/README.md ADDED Viewed

	@@ -0,0 +1 @@
1	+ ## PatchOps

patchops-1.0.0/frontend/README.md ADDED Viewed

@@ -0,0 +1,134 @@
+# PatchOps Security Terminal Frontend
+A hacker-themed terminal interface that displays the PatchOps security analysis pipeline in real-time.
+## Features
+### 🎨 **Hacker Terminal Theme**
+- Retro green-on-black terminal aesthetic
+- Matrix rain effects
+- Glowing indicators and animations
+- Authentic terminal feel with proper command line
+### 🔄 **Real-time Pipeline Visualization**
+- **GitHub Fetch**: Shows repository cloning progress
+- **File Reading**: Displays source code scanning
+- **Security Analyzer**: 8-step vulnerability detection process
+- **Vulnerability Results**: Shows discovered security issues
+- **Exploit Simulation**: Demonstrates attack vectors
+- **Patch Generation**: Visualizes security fixes
+- **PR Creation**: Shows pull request generation
+### 🛡️ **Security Vulnerability Display**
+- Color-coded severity levels (Critical/High)
+- CWE identifiers
+- Real-time status indicators
+- Progress bars for long-running operations
+### ⚡ **Interactive Features**
+- Command-line interface with `run`, `clear`, and `help` commands
+- Real-time typing effects
+- Smooth animations and transitions
+- Responsive design
+## Quick Start
+### Method 1: Using the Built-in Server (Recommended)
+```bash
+cd frontend
+python server.py
+```
+The server will automatically:
+- Start on `http://localhost:8080`
+- Open your default browser
+- Serve the terminal interface
+### Method 2: Manual File Opening
+1. Open `frontend/index.html` in your web browser
+2. The terminal will load immediately
+## Commands
+Once the terminal is running, you can use these commands:
+- `run` - Start the security analysis simulation
+- `clear` - Clear the terminal screen
+- `help` - Show available commands
+## Backend Integration
+The frontend includes API endpoints for real backend integration:
+- `GET /api/status` - Get current analysis status
+- `GET /api/analyze` - Trigger real security analysis
+## Technical Details
+### Frontend Stack
+- **HTML5**: Semantic structure
+- **CSS3**: Custom animations and effects
+- **Vanilla JavaScript**: No dependencies, pure terminal experience
+### Key Features
+- **Progressive Enhancement**: Works without backend
+- **Responsive Design**: Adapts to different screen sizes
+- **Accessibility**: Proper ARIA labels and keyboard navigation
+- **Performance**: Optimized animations using CSS transforms
+### Visual Effects
+- **Matrix Rain**: Background binary rain effect
+- **Typing Animation**: Character-by-character text display
+- **Progress Bars**: Smooth progress visualization
+- **Status Indicators**: Pulsing status lights
+- **Hover Effects**: Interactive element feedback
+## Customization
+### Colors
+Edit `style.css` to customize the terminal colors:
+- `--terminal-bg`: Background color
+- `--terminal-text`: Default text color
+- `--terminal-accent`: Accent/highlight color
+### Animations
+Animation speeds and effects are controlled via CSS keyframes:
+- `@keyframes blink`: Cursor blinking
+- `@keyframes pulse`: Status indicator pulsing
+- `@keyframes scan`: Scan line effect
+### Content
+Modify `script.js` to customize:
+- Vulnerability types and severities
+- Analysis steps and timing
+- Command responses
+- Terminal welcome message
+## Browser Compatibility
+- ✅ Chrome 60+
+- ✅ Firefox 55+
+- ✅ Safari 12+
+- ✅ Edge 79+
+## Security Considerations
+This frontend is designed for demonstration purposes:
+- No real code execution in the browser
+- Simulated vulnerability detection
+- Safe for educational and demo use
+- No actual security risks
+## Contributing
+Feel free to enhance the terminal:
+- Add new visualization effects
+- Improve the command interface
+- Add more vulnerability types
+- Enhance the hacker aesthetic
+## License
+MIT License - Feel free to use and modify for your security projects.