From 247f3539d1521951efba2707d838f433e3493adb Mon Sep 17 00:00:00 2001
From: Roozbeh Nosrati <roozbeh.nosrati@optimizely.com>
Date: Tue, 20 Jan 2026 16:07:27 +0000
Subject: [PATCH] Create user.py

---
 python/user.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 python/user.py

diff --git a/python/user.py b/python/user.py
new file mode 100644
index 0000000..11a8143
--- /dev/null
+++ b/python/user.py
@@ -0,0 +1,28 @@
+from flask import Flask, request
+import sqlite3
+import os
+
+app = Flask(__name__)
+
+@app.route("/login")
+def login():
+    username = request.args.get("username")
+    password = request.args.get("password")
+
+    conn = sqlite3.connect("users.db")
+
+    # CHANGE: unsafe query construction (SQL Injection)
+    sql = "SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (username, password)
+    conn.execute(sql)
+
+    return "Logged in"
+
+@app.route("/ping")
+def ping():
+    host = request.args.get("host")
+
+    # CHANGE: user input passed directly to OS command (Command Injection)
+    command = "ping -c 1 " + host
+    os.system(command)
+
+    return "Ping sent"