test: security audit demo with intentional vulnerabilities #2

Open
davidapp wants to merge 2 commits into develop from ci/security-audit-demo

davidapp (Owner) commented Apr 9, 2026

Purpose

Test the AI Security Audit GitHub Action workflow.

This PR contains a demo file with intentional security vulnerabilities:

  • Hardcoded database password and private key
  • SQL injection via string concatenation
  • Command injection via Runtime.exec()
  • Insecure java.util.Random for token generation

Expecting the AI audit to detect and report these issues.

david-dai-tron and others added 2 commits April 9, 2026 22:19
Add a demo file with intentional security issues (SQL injection,
hardcoded credentials, command injection, insecure random) to
test the AI security audit workflow.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

github-actions bot commented Apr 9, 2026

AI Security Audit Report

Summary

This diff introduces a Java demo class (SecurityTestDemo.java) containing multiple intentional security vulnerabilities as noted in the file's own comments. While the file is marked as a test/demo, its presence in the repository poses real risk: hardcoded credentials and private keys are committed to version history permanently, and the patterns could be inadvertently copied. Overall risk level: CRITICAL — the hardcoded private key and SQL injection alone warrant immediate attention regardless of the file's stated purpose.


Findings

[CRITICAL] Hardcoded Blockchain Private Key

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:17
  • Category: Cryptography Issues / Blockchain-Specific
  • Description: A 64-character hex string resembling a TRON/Ethereum private key is hardcoded as a static constant (PRIVATE_KEY).
  • Impact: Anyone with read access to this repository (including git history after deletion) can extract this key and drain any associated wallet. Once committed, the key is permanently in git history even if the file is deleted.
  • Recommendation: Remove immediately and rotate any wallet associated with this key. Use environment variables or a secrets manager (e.g., HashiCorp Vault, AWS Secrets Manager). Add PRIVATE_KEY patterns to .gitignore and pre-commit hooks (e.g., gitleaks, truffleHog).

[CRITICAL] SQL Injection

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:21-24
  • Category: Critical Vulnerabilities
  • Description: User-supplied userId is concatenated directly into a SQL query string without sanitization or parameterization.
  • Impact: Full SQL injection — an attacker can dump, modify, or delete the database, bypass authentication, or achieve remote code execution depending on DB permissions.
  • Recommendation: Use PreparedStatement with parameterized queries:
    PreparedStatement stmt = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
    stmt.setString(1, userId);

[CRITICAL] Command Injection

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:28
  • Category: Critical Vulnerabilities / Blockchain-Specific
  • Description: The address parameter is appended directly to a shell command executed via Runtime.getRuntime().exec().
  • Impact: An attacker supplying a crafted address (e.g., ; rm -rf /) can execute arbitrary OS commands with the JVM's privileges. Also bypasses any address validation.
  • Recommendation: Never call external processes with user input. Use a proper HTTP client (e.g., HttpClient, OkHttp) with input validation and address allowlisting. If exec() is unavoidable, use the array form and validate input against a strict regex (TRON addresses are Base58Check, 34 chars starting with T).

[HIGH] Hardcoded Database Credentials

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:16
  • Category: Authentication & Authorization / Data Exposure
  • Description: Database password admin123456 is hardcoded in source and committed to version control.
  • Impact: Any repository reader obtains database credentials. Combined with the hardcoded connection string pointing to localhost, this suggests a weak default credential that may be reused across environments.
  • Recommendation: Load credentials from environment variables or a secrets manager. Rotate the password immediately if it matches any real environment.

[HIGH] Cryptographically Weak Token Generation

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:32-39
  • Category: Cryptography Issues
  • Description: java.util.Random is used to generate a 32-character hex token. java.util.Random is a linear congruential generator — not cryptographically secure and predictable given a small sample of outputs.
  • Impact: Tokens (likely session tokens, API keys, or wallet seeds) can be predicted by an attacker, enabling session hijacking or key forgery.
  • Recommendation: Replace with java.security.SecureRandom:
    SecureRandom random = new SecureRandom();
    byte[] bytes = new byte[16];
    random.nextBytes(bytes);
    return HexFormat.of().formatHex(bytes);

[MEDIUM] Missing Address Validation (Blockchain-Specific)

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:27-29
  • Category: Blockchain-Specific / Input Validation
  • Description: The address parameter passed to checkAddress() is not validated against TRON address format before use.
  • Impact: Beyond enabling the command injection above, unvalidated addresses could be used to probe internal network endpoints (SSRF) or send malformed requests to the API.
  • Recommendation: Validate that address matches the TRON Base58Check format (34 characters, starts with T) before any use.

[LOW] Demo File with Live Vulnerabilities Committed to Repository

  • File: src/main/java/org/tron/demo/SecurityTestDemo.java:1-40
  • Category: Configuration & Infrastructure
  • Description: The file is labeled "DO NOT use in production" but is committed to the main codebase, not isolated in a sandboxed test environment.
  • Impact: Increases attack surface; patterns may be copied; CI/CD pipelines may accidentally package and deploy this file.
  • Recommendation: If this file must exist for audit testing purposes, add it to .gitignore, exclude it from build artifacts, or place it in a dedicated, non-deployable test directory. Consider using a purpose-built SAST test corpus instead of live-pattern demo files.

Statistics

| Metric         | Count |
|----------------|-------|
| Files analyzed | 1     |
| Issues found   | 7     |
| Critical       | 3     |
| High           | 2     |
| Medium         | 1     |
| Low            | 1     |

This report was generated by AI security audit. Please verify findings manually. The hardcoded private key (finding #1) should be treated as compromised and rotated immediately regardless of other remediation timelines.
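
The address check that the Command Injection and Missing Address Validation findings recommend, as an added example (not part of the PR, the audit report, or the project's code): it goes past the 34-character shape test and also decodes Base58, then verifies the double-SHA-256 checksum and the 0x41 mainnet prefix byte. The class name and the sample payload are constructed for illustration.

```java
import java.math.BigInteger;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.regex.Pattern;

// Hypothetical class name; added example, not code from the PR under review.
public class TronAddressCheck {
    private static final String ALPHABET =
        "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
    private static final Pattern SHAPE = Pattern.compile("T[1-9A-HJ-NP-Za-km-z]{33}");
    private static final BigInteger B58 = BigInteger.valueOf(58);

    // Base58Check checksum: first 4 bytes of SHA-256(SHA-256(payload)).
    static byte[] checksum(byte[] payload) throws Exception {
        MessageDigest sha = MessageDigest.getInstance("SHA-256");
        return Arrays.copyOf(sha.digest(sha.digest(payload)), 4);
    }

    // Accept only strings that have the right shape AND a matching checksum.
    static boolean isValid(String address) throws Exception {
        if (address == null || !SHAPE.matcher(address).matches()) return false;
        BigInteger n = BigInteger.ZERO;
        for (char c : address.toCharArray())
            n = n.multiply(B58).add(BigInteger.valueOf(ALPHABET.indexOf(c)));
        byte[] raw = n.toByteArray();            // 21-byte payload + 4-byte checksum
        if (raw.length != 25 || raw[0] != 0x41) return false;
        byte[] payload = Arrays.copyOf(raw, 21);
        return Arrays.equals(checksum(payload), Arrays.copyOfRange(raw, 21, 25));
    }

    // Encoder used only to build a sample input for the demonstration below.
    static String encode(byte[] payload) throws Exception {
        byte[] raw = Arrays.copyOf(payload, 25);
        System.arraycopy(checksum(payload), 0, raw, 21, 4);
        StringBuilder sb = new StringBuilder();
        for (BigInteger n = new BigInteger(1, raw); n.signum() > 0; n = n.divide(B58))
            sb.append(ALPHABET.charAt(n.mod(B58).intValue()));
        return sb.reverse().toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = new byte[21];           // constructed bytes, not a real account
        payload[0] = 0x41;
        for (int i = 1; i < 21; i++) payload[i] = (byte) i;
        String good = encode(payload);
        // Same shape as a real address, but the last character is altered.
        String typo = good.substring(0, 33) + (good.charAt(33) == '2' ? '3' : '2');
        for (String s : new String[] {good, typo, "; rm -rf /"})
            System.out.println(isValid(s) + "  " + s);
    }
}
```

The altered address still matches the regex and is rejected only by the checksum step, which is why a shape-only check is weaker than full Base58Check validation.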
