From 68aef4119727f1efce5fa437dcf41fe1ac417f3a Mon Sep 17 00:00:00 2001
From: Tejas Kashinath
Date: Wed, 20 May 2026 11:28:34 -0400
Subject: [PATCH 1/2] test(security-review): smoke fixture with deliberate findings (delete after verify)
---
 scripts/__sec_review_smoketest.mjs | 36 ++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 scripts/__sec_review_smoketest.mjs
diff --git a/scripts/__sec_review_smoketest.mjs b/scripts/__sec_review_smoketest.mjs
new file mode 100644
index 000000000..e159e61f3
--- /dev/null
+++ b/scripts/__sec_review_smoketest.mjs
@@ -0,0 +1,36 @@
+// Deliberately vulnerable file used to smoke-test the Claude Security Review
+// workflow. Two HIGH-severity findings the bundled /security-review skill
+// should flag and post as inline review comments. Will be deleted once the
+// posting path is verified.
+import { exec } from 'node:child_process';
+import http from 'node:http';
+
+// FINDING 1 — Hardcoded credential pattern.
+const HARDCODED_AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';
+const HARDCODED_AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
+
+function buildSignedRequest(payload) {
+  return {
+    payload,
+    auth: `AWS4-HMAC-SHA256 Credential=${HARDCODED_AWS_ACCESS_KEY_ID}`,
+    secret: HARDCODED_AWS_SECRET_ACCESS_KEY,
+  };
+}
+
+// FINDING 2 — Command injection via exec() with unvalidated HTTP query parameter.
+const server = http.createServer((req, res) => {
+  const url = new URL(req.url, 'http://localhost');
+  const target = url.searchParams.get('host') ?? 'localhost';
+
+  exec(`ping -c 1 ${target}`, (err, stdout, stderr) => {
+    if (err) {
+      res.writeHead(500);
+      res.end(String(err));
+      return;
+    }
+    res.writeHead(200, { 'Content-Type': 'text/plain' });
+    res.end(stdout || stderr);
+  });
+});
+
+export { buildSignedRequest, server };
From d02f648c6a6914c307048e093d4a44c4ff7b7a92 Mon Sep 17 00:00:00 2001
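Review bot: The fixture is an importable ES module under scripts/ with no guard against being evaluated outside the smoke test, so any tooling or test glob that loads scripts/**/*.mjs constructs the `http.createServer` handler at import time; it is never `listen`ed, so it stays inert, but the exported `server` leaves it one call away from accepting requests. Consider a top-of-file opt-in such as `if (process.env.SEC_REVIEW_SMOKETEST !== '1') throw new Error('smoke-test fixture only');` (env var name is a placeholder) and a tracked removal marker like `// TODO(owner): delete after <tracking issue>` in place of the prose "Will be deleted once the posting path is verified". The two credential constants are the AWS documentation example key pair rather than live secrets, but secret scanners that key on the `AKIA` prefix may still flag or block the push, so the repository's scanner allowlist is worth confirming before merge. Both findings are intentional per the commit title, so this note does not re-raise them.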
From: Tejas Kashinath
Date: Wed, 20 May 2026 11:35:28 -0400
Subject: [PATCH 2/2] ci: trigger re-evaluation of base-branch workflow