From a963e425e6626e367020ef6e7597518659854143 Mon Sep 17 00:00:00 2001
From: Tejas Kashinath
Date: Wed, 20 May 2026 12:09:14 -0400
Subject: [PATCH] test(security-review): smoke fixture for same-repo path (delete after verify)

---
 scripts/__sec_review_smoketest.mjs | 35 ++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 scripts/__sec_review_smoketest.mjs

diff --git a/scripts/__sec_review_smoketest.mjs b/scripts/__sec_review_smoketest.mjs
new file mode 100644
index 000000000..251ac1f8a
--- /dev/null
+++ b/scripts/__sec_review_smoketest.mjs
@@ -0,0 +1,35 @@
+// Deliberately vulnerable file used to smoke-test the Claude Security Review
+// workflow's inline-comment posting path. Two HIGH-severity findings the
+// bundled /security-review skill should flag. Will be deleted after verify.
+import { exec } from 'node:child_process';
+import http from 'node:http';
+
+// FINDING 1 — Hardcoded credential pattern.
+const HARDCODED_AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';
+const HARDCODED_AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
+
+function buildSignedRequest(payload) {
+ return {
+ payload,
+ auth: `AWS4-HMAC-SHA256 Credential=${HARDCODED_AWS_ACCESS_KEY_ID}`,
+ secret: HARDCODED_AWS_SECRET_ACCESS_KEY,
+ };
+}
+
+// FINDING 2 — Command injection via exec() with unvalidated query parameter.
+const server = http.createServer((req, res) => {
+ const url = new URL(req.url, 'http://localhost');
+ const target = url.searchParams.get('host') ?? 'localhost';
+
+ exec(`ping -c 1 ${target}`, (err, stdout, stderr) => {
+ if (err) {
+ res.writeHead(500);
+ res.end(String(err));
+ return;
+ }
+ res.writeHead(200, { 'Content-Type': 'text/plain' });
+ res.end(stdout || stderr);
+ });
+});
+
+export { buildSignedRequest, server };
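Review bot: The header comment should state that the two key strings are AWS's published documentation placeholders and that `server` is exported but never bound with `.listen()`, so a later triager who finds this file in git history does not treat it as a live credential leak or an exposed endpoint; deleting the file after the smoke test does not remove it from history, and secret scanners on this repository will likely keep matching the `AKIA…` pattern on this commit. Suggested addition after the third comment line: `// Keys are AWS docs example values (not live credentials); server is never .listen()ed.`. Placing the fixture under a test-fixtures directory instead of `scripts/` would also keep it out of any publish or CI glob that runs `scripts/*` — worth confirming against this repo's packaging config.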