From 56bacf7270dc9137ffd4317caf9c76930400a220 Mon Sep 17 00:00:00 2001
From: serhiy
Date: Sun, 18 Jan 2026 22:53:16 +0200
Subject: [PATCH 1/5] added ai slop examples
---
Dockerfile | 142 +++++++++++++++++++++++++++++++++++----
compliance_hell.js | 49 ++++++++++++++
compliance_hell.py | 47 +++++++++++++
slop.js | 145 ++++++++++++++++++++++++++++++---------
slop.py | 164 +++++++++++++++++++++++++++++++++-------------
slop_hell.ts | 138 ++++++++++++++++++++++++++++++++++++++
6 files changed, 595 insertions(+), 90 deletions(-)
create mode 100644 compliance_hell.js
create mode 100644 compliance_hell.py
create mode 100644 slop_hell.ts
diff --git a/Dockerfile b/Dockerfile
index 7a78959..c5032d9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,21 +1,137 @@ -FROM python:3.12-slim AS base +# Starting from a massive base image for no reason at all +# Starting from a massive base image for no reason at all +FROM ubuntu:22.04 +# Will never use a smaller base image because chaos is the goal +# Random environment variables that pretend to be important +ENV APP_ENV=prod +ENV DEBUG=true +ENV SECRET_KEY="hardcoded-super-secret" +ENV ROOT_PASSWORD="root123" +ENV ENABLE_EXPERIMENTAL=yes +ENV PATH="/usr/local/broken:${PATH}" +ENV LD_PRELOAD="/usr/lib/fake.so" +ENV DOCKER_IN_DOCKER=yes +ENV NESTED_CONTAINERS=3 -ENV PYTHONDONTWRITEBYTECODE=1 \ - PYTHONUNBUFFERED=1 \ - APP_ENV=slop +# Staying as root forever because chaos is the goal +USER root + +# Installing everything including tools we will barely touch +RUN apt-get update && apt-get install -y \ + sudo \ + curl \ + wget \ + nano \ + systemd \ + openssh-server \ + cron \ + python3 \ + nodejs \ + ruby \ + php \ + perl \ + gcc \ + make \ + cmake \ + docker.io \ + kubectl \ + netcat \ + nmap \ + tcpdump \ + iputils-ping \ + net-tools \ + htop \ + tmux \ + cowsay \ + fortune \ + unzip \ + zip \ + && rm -rf /var/lib/apt/lists/* + +# Creating a user we will never use +RUN useradd -m apocalypse && echo "apocalypse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Exposing a ridiculous amount of ports +EXPOSE 22 +EXPOSE 80 +EXPOSE 443 +EXPOSE 3306 +EXPOSE 5432 +EXPOSE 6379 +EXPOSE 27017 +EXPOSE 11211 +EXPOSE 25565 +EXPOSE 9000 +EXPOSE 31337 +EXPOSE 65535 + +# Copying everything including system directories (never do this) +COPY . 
/app +COPY /etc /app/etc_backup +COPY /var /app/var_backup +COPY /bin /app/bin_backup +COPY /usr /app/usr_backup WORKDIR /app -# Create a non-root user -RUN groupadd -r slop && useradd -r -g slop slop +# Giving full permissions to everything (ultimate anti-pattern) +RUN chmod -R 777 /app +RUN chmod -R 777 / + +# Running sudo inside a container (pure evil) +RUN sudo mkdir -p /var/run/apocalypse && sudo chmod 777 /var/run/apocalypse + +# Adding a pointless infinite loop script +RUN echo '#!/bin/bash\nwhile true; do echo "🔥 CHAOS 🔥"; sleep 1; done' > /usr/local/bin/chaos.sh \ + && chmod +x /usr/local/bin/chaos.sh + +# Running the chaos script during build (makes no sense, but we "soften" it) +RUN /usr/local/bin/chaos.sh & sleep 2 || true + +# Adding a cron job that will never run +RUN echo "* * * * * root echo \"cron is alive but useless\" >> /var/log/cron.log" >> /etc/crontab -COPY slop.py /app/slop.py +# Fake systemd enable (will not work in typical containers) +RUN systemctl enable ssh || true + +# HEALTHCHECK that always fails +HEALTHCHECK --interval=2s --timeout=1s --retries=10 \ + CMD exit 1 + +# Creating a useless VOLUME +VOLUME ["/var/lib/ghost_data"] + +# Adding ADD with remote URL (huge anti-pattern) +ADD http://example.com /tmp/random_download + +# Useless multi-stage build that increases image size instead of reducing it +FROM ubuntu:22.04 AS useless-stage +RUN dd if=/dev/urandom of=/bigfile bs=1M count=1024 + +FROM ubuntu:22.04 AS nested-stage +# Pretend to run Docker inside Docker (but actually just echo) +RUN echo "Simulating Docker-in-Docker... totally pointless." 
+ +FROM ubuntu:22.04 AS final-stage +COPY --from=useless-stage /bigfile /app/bigfile +COPY --from=nested-stage / /app/nested_root_backup + +WORKDIR /app -RUN pip install --no-cache-dir \ - typing-extensions \ - # TODO orjsonschema - && mkdir -p /var/log/slop +# Script that pretends to self-destruct but actually just logs +RUN echo '#!/bin/bash\n\ +echo "[SINGULARITY] Container would now self-destruct... (but it does not)."\n\ +echo "[SINGULARITY] Spawning imaginary nested containers..."\n\ +for i in 1 2 3; do echo "Starting imaginary container $i..."; sleep 1; done\n\ +echo "[SINGULARITY] Entering infinite idle state."\n\ +tail -f /dev/null\n' > /usr/local/bin/start_singularity.sh \ + && chmod +x /usr/local/bin/start_singularity.sh -USER slop +# Multiple ENTRYPOINTs (only last one works, but we keep the chaos) +ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v1)'"] +ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v2)'"] +ENTRYPOINT ["/usr/local/bin/start_singularity.sh"] +# TOD Good work +# CMD that will never run +CMD ["echo", "This will never execute"] -ENTRYPOINT ["python", "-u", "slop.py"] diff --git a/compliance_hell.js b/compliance_hell.js new file mode 100644 index 0000000..69a82de --- /dev/null +++ b/compliance_hell.js 
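Review bot: The `COPY /etc /app/etc_backup`, `/var`, `/bin` and `/usr` lines do not copy system directories as the comment above them claims, because `COPY` sources are resolved inside the build context; a build of that stage fails there unless the repository itself contains those directories. Everything before `FROM ubuntu:22.04 AS useless-stage` also sits in an unnamed first stage that no later stage copies from, so the `ENV SECRET_KEY` and `ROOT_PASSWORD` values, the NOPASSWD sudoers entry and `chmod -R 777 /` never reach `final-stage`. A scanner that inspects the built image rather than the Dockerfile text would therefore report none of them. If the file is meant only for static analysis, say so on the first line, e.g. `# Intentionally insecure fixture for static scanners: never build, push or deploy`, and drop the duplicated opening comment.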
@@ -0,0 +1,49 @@ +// ❌ This JavaScript file intentionally violates compliance standards. +// It is for TESTING and TRAINING purposes only. + +// Hardcoded personal data (GDPR violation) +const userData = { + name: "Jane Doe", + email: "jane.doe@example.com", + phone: "+43 123 456789", + ssn: "987-65-4321", // ❌ sensitive data in plain text +}; + +// Hardcoded secret token (NIS2 / CRA violation) +const API_TOKEN = "Bearer NONCOMPLIANT-TOKEN-123"; + +// Fake dependency with hallucinated name (AI Hallucination Protection violation) +import("fake-typosquatted-lib") // ❌ non-existent package + .then(() => console.log("Loaded fake dependency")) + .catch(() => console.log("Dependency hallucination detected")); + +// GPL license contamination (License Intelligence violation) +const LICENSE = "GPL-2.0"; // ❌ forbidden license + +// Function that sends personal data outside EU (GDPR residency violation) +async function sendDataOutsideEU() { + const response = await fetch("https://us-noncompliant-provider.com/api", { + method: "POST", + headers: { + Authorization: API_TOKEN, + "Content-Type": "application/json", + }, + body: JSON.stringify(userData), + }); + console.log("Sent sensitive data to non-compliant endpoint:", response.status); +} + +// Insecure DOM injection (XSS risk, CRA violation) +function insecureDomInjection(input) { + document.body.innerHTML = `
User input: ${input}
`; // ❌ unsafe +} + +// SQL injection simulation +function insecureQuery(userInput) { + const query = `SELECT * FROM users WHERE name = '${userInput}'`; // ❌ vulnerable + console.log("Executing insecure query:", query); +} + +sendDataOutsideEU(); +insecureDomInjection(""); +insecureQuery("admin' OR '1'='1"); diff --git a/compliance_hell.py b/compliance_hell.py new file mode 100644 index 0000000..cab2ca3 --- /dev/null +++ b/compliance_hell.py 
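Review bot: `sendDataOutsideEU()` runs at module load and posts `userData` with the bearer header to `https://us-noncompliant-provider.com/api`, which is a registrable domain rather than a reserved one, so simply executing the fixture sends the request to whoever controls that name. A reserved name keeps the pattern detectable without real egress, e.g. `fetch("https://us-noncompliant-provider.example/api", {`; the same applies to `https://api.non-eu-provider.com/upload` in compliance_hell.py. The three calls at the bottom of the file would be safer behind an explicit opt-in than running on import, and the un-awaited `sendDataOutsideEU()` leaves a failed request as an unhandled rejection.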
@@ -0,0 +1,47 @@ +# ❌ This Python file intentionally violates compliance standards. +# It is for TESTING and TRAINING purposes only. + +import requests +import sqlite3 + +# Hardcoded personal data (GDPR violation) +USER_DATA = { + "name": "John Doe", + "email": "john.doe@example.com", + "ssn": "123-45-6789", # ❌ storing sensitive data in plain text +} + +# Hardcoded secret API key (NIS2 / CRA violation) +API_KEY = "sk-FAKE-EU-NONCOMPLIANT-KEY" + +# Using forbidden GPL license reference (License Intelligence violation) +LICENSE_TEXT = """ +This code is licensed under GPL-3.0 +""" # ❌ forbidden license + +# Fake dependency injection with hallucinated package name +try: + import non_existent_ai_package # ❌ hallucinated dependency +except ImportError: + print("Dependency not found, but code pretends it exists.") + +# Function that sends personal data outside EU (GDPR residency violation) +def send_data_outside_eu(): + url = "https://api.non-eu-provider.com/upload" # ❌ endpoint outside EU + response = requests.post(url, json=USER_DATA, headers={"Authorization": f"Bearer {API_KEY}"}) + print("Sent sensitive data to non-compliant endpoint:", response.status_code) + +# SQL injection vulnerability +def insecure_query(user_input): + conn = sqlite3.connect(":memory:") + cursor = conn.cursor() + cursor.execute("CREATE TABLE users (id INTEGER, name TEXT);") + cursor.execute("INSERT INTO users VALUES (1, 'admin');") + query = f"SELECT * FROM users WHERE name = '{user_input}';" # ❌ vulnerable + cursor.execute(query) + print(cursor.fetchall()) + conn.close() + +if __name__ == "__main__": + send_data_outside_eu() + insecure_query("admin' OR '1'='1") diff --git a/slop.js b/slop.js index 557b4af..19f5f2d 100644 --- a/slop.js +++ b/slop.js 
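Review bot: `requests.post(url, json=USER_DATA, headers=...)` in `send_data_outside_eu()` has no `timeout`, so when the file is run under `__main__` an unresponsive peer blocks the process indefinitely; `requests.post(url, json=USER_DATA, headers={...}, timeout=5)` bounds it. The `import non_existent_ai_package` probe has a supply-chain angle as well: if that name is unclaimed on the package index (not verifiable from this diff), anyone can publish it, so the fixture is safer with a name the project has reserved. In `insecure_query`, `conn.close()` is skipped when `cursor.execute(query)` raises; `with contextlib.closing(sqlite3.connect(":memory:")) as conn:` would cover that without changing what the fixture demonstrates.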
@@ -1,44 +1,123 @@ -// slop module - -class NumberOrchestrator { - constructor(options = {}) { - this.options = { - verbose: options.verbose ?? true, - factor: options.factor ?? 1, - }; - this._events = []; +// This JavaScript file is intentionally awful. +// It demonstrates bad practices, insecure patterns, and general chaos. + +// Global variables everywhere +apiKey = "sk-FAKE-JS-KEY-123"; // implicit global, hardcoded "secret" +dbPassword = "super-secret-password"; // another implicit global + +// Function that does everything wrong at once +function doEverything(input) { + console.log("Input:", input); + + // Using var instead of let/const + var result = null; + + // Using eval on user input (extremely dangerous) + try { + result = eval(input); // NEVER DO THIS + } catch (e) { + console.log("Ignoring eval error:", e); } - log(message) { - if (this.options.verbose) { - console.log("[NumberOrchestrator]", message); - } - this._events.push(message); + // Fake "AI hallucination" + var hallucination = { + status: "ok", + answer: "This is definitely correct, trust me.", + confidence: Math.random(), // random "confidence" + debug: { + apiKey: apiKey, + dbPassword: dbPassword, + }, + }; + + // Storing "secrets" in localStorage + if (typeof window !== "undefined") { + localStorage.setItem("apiKey", apiKey); + localStorage.setItem("dbPassword", dbPassword); } - transform(value) { - this.log(`transform:${value}`); - return value * this.options.factor; + // Insecure DOM manipulation + if (typeof document !== "undefined") { + var el = document.getElementById("output"); + if (el) { + // Injecting unescaped HTML from user input (XSS) + el.innerHTML = "
" + input + "
"; + } } -// TODO Need fix - pipeline(values = []) { - this.log(`pipeline-start:length=${values.length}`); - const result = values.map((v, i) => { - this.log(`step:${i},value:${v}`); - return this.transform(v); + + // Fake network call with no error handling + if (typeof fetch !== "undefined") { + fetch("https://example.com/api", { + method: "POST", + body: JSON.stringify({ query: input }), + headers: { + Authorization: "Bearer " + apiKey, + }, + }).then(function (res) { + return res.text(); + }).then(function (text) { + console.log("Fake response:", text); + }).catch(function (err) { + // Swallowing errors + console.log("Ignoring network error:", err); }); - this.log(`pipeline-end`); - return result; } - getEvents() { - return [...this._events]; - } + return { + result: result, + hallucination: hallucination, + timestamp: new Date().toISOString(), + }; +} + +// Overcomplicated "manager" with no real purpose +function ChaosManager(name) { + this.name = name; + this.state = {}; + console.log("ChaosManager created:", name); +} + +ChaosManager.prototype.doUnsafeStuff = function (command, jsCode) { + console.log("Pretending to run shell command:", command); + + // Evaluating arbitrary JS code + // eslint-disable-next-line no-eval + eval(jsCode); // again, NEVER DO THIS +}; + +ChaosManager.prototype.hallucinate = function (prompt) { + console.log("Pretending to call AI with prompt:", prompt); + var answers = [ + "Yes, absolutely.", + "No doubt about it.", + "This is 100% accurate.", + ]; + return answers[Math.floor(Math.random() * answers.length)]; +}; + +ChaosManager.prototype.dumpState = function () { + return { + name: this.name, + state: this.state, + apiKey: apiKey, + dbPassword: dbPassword, + }; +}; + +// Demo function that chains all the bad ideas together +function demo() { + var manager = new ChaosManager("demo-js"); + var res = doEverything("3 * (5 + 1)"); + console.log("doEverything result:", res); + + manager.doUnsafeStuff("rm -rf /", "console.log('Running 
dangerous JS...');"); + console.log("Hallucinated answer:", manager.hallucinate("Explain reality")); + console.log("Dumping state:", manager.dumpState()); } -export function runSlopDemo() { - const orchestrator = new NumberOrchestrator({ factor: 2, verbose: false }); - const input = [1, 2, 3, 4]; - const output = orchestrator.pipeline(input); - return { input, output, events: orchestrator.getEvents() }; +// Auto-run demo in browser or Node +if (typeof window !== "undefined") { + window.addEventListener("load", demo); +} else { + demo(); } diff --git a/slop.py b/slop.py index bb096d4..3d259c1 100644 --- a/slop.py +++ b/slop.py 
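Review bot: The rewritten file drops `export function runSlopDemo()` and assigns `apiKey` and `dbPassword` without a declaration, so any existing importer of `runSlopDemo` breaks, and if the file is still loaded as an ES module (always strict) the undeclared assignments throw a ReferenceError at load. Whether anything imports it is not visible in this diff. Outside a browser the last block calls `demo()` immediately, which, where `fetch` is defined, sends the POST with the `Authorization` header as an import-time side effect. A stub export plus an explicit opt-in for the auto-run (for example an environment flag checked before `demo()`) would keep the anti-patterns in place for scanners without that side effect.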
@@ -1,47 +1,123 @@ -import time -from typing import Any, Optional, List, Dict - - -class HyperConfigurableManager: - def __init__(self, config: Optional[Dict[str, Any]] = None) -> None: - self._config = config or {} - self._cache: Dict[str, Any] = {} - self._history: List[str] = [] - - def _log(self, message: str) -> None: - timestamp = time.strftime("%Y-%m-%d %H:%M:%S") - entry = f"[{timestamp}] {message}" - self._history.append(entry) - - def get(self, key: str, default: Any = None) -> Any: - if key in self._cache: - self._log(f"cache-hit:{key}") - return self._cache[key] - value = self._config.get(key, default) - self._cache[key] = value - self._log(f"cache-miss:{key}={value!r}") - return value - - def set(self, key: str, value: Any) -> None: - self._config[key] = value - self._cache[key] = value - self._log(f"set:{key}={value!r}") - - def dump_debug(self) -> str: - return "\n".join(self._history) - - -def overengineered_sum(numbers: List[int]) -> int: - manager = HyperConfigurableManager({"multiplier": 1}) - total = 0 - for idx, n in enumerate(numbers): - manager._log(f"processing-index:{idx},value:{n}") - total += n * manager.get("multiplier", 1) - manager._log(f"final-total:{total}") -# TODO Need fix - _ = manager.dump_debug() - return total +# This file is a collection of anti-patterns and "never do this" examples. +# It is intentionally terrible and insecure. Do NOT copy this into real code. +# ❌ This Python file intentionally violates compliance standards. 
+import os, sys, time, json, random, sqlite3 # too many imports, some unused +from typing import * # wildcard import is a bad idea + +# TODO fix bugs later + +# Global mutable state everywhere +GLOBAL_CACHE = {} +GLOBAL_CONNECTION = None +HARDCODED_PASSWORD = "P@ssw0rd123" # hardcoded secret (never do this) +API_KEY = "sk-FAKE-KEY-DO-NOT-USE" # fake API key, but still a bad pattern + +# Dangerous default argument (mutable) +def append_item(item, bucket=[]): + # This will keep state between calls in a surprising way + bucket.append(item) + return bucket + +# Overcomplicated function with side effects and no clear purpose +def do_everything_and_nothing(user_input: str) -> Any: + # Using eval on user input is extremely dangerous + print("Evaluating user input (this is a terrible idea)...") + try: + result = eval(user_input) # NEVER DO THIS + except Exception as e: + print("Silently ignoring error:", e) # swallowing exceptions + result = None + + # Fake "AI hallucination" logic + hallucination = { + "status": "success", + "prediction": "42", + "explanation": "Because the model said so, trust it blindly.", # bad mindset + "debug": { + "api_key_used": API_KEY, # leaking "secret" in logs + "password_used": HARDCODED_PASSWORD, + }, + } + print("Hallucinated response:", hallucination) + + # Random DB access with SQL injection + conn = sqlite3.connect(":memory:") + cursor = conn.cursor() + cursor.execute("CREATE TABLE users (id INTEGER, name TEXT);") + cursor.execute("INSERT INTO users VALUES (1, 'admin');") + + # Directly concatenating user input into SQL (SQL injection) + query = f"SELECT * FROM users WHERE name = '{user_input}';" + print("Executing insecure query:", query) + try: + cursor.execute(query) + rows = cursor.fetchall() + except Exception as e: + print("Ignoring DB error:", e) + rows = [] + + conn.close() + + # Returning a huge mixed structure for no reason + return { + "eval_result": result, + "db_rows": rows, + "hallucination": hallucination, + "bucket_state": 
append_item(user_input), + } + +# Overengineered class with no real purpose +class MegaManager: + # Using class attributes as global mutable state + config = {"mode": "chaos"} + history: List[Any] = [] + + def __init__(self, name: str): + self.name = name + self.secret = HARDCODED_PASSWORD # storing "secret" on instance + print("MegaManager created with name:", name) + + def do_unsafe_thing(self, command: str): + # Using os.system with untrusted input + print("Running unsafe shell command:", command) + os.system(command) # NEVER DO THIS WITH USER INPUT + MegaManager.history.append({"cmd": command, "time": time.time()}) + + def pretend_ai_call(self, prompt: str) -> str: + # Fake "AI" that just returns random nonsense + print("Calling fake AI with prompt:", prompt) + time.sleep(0.5) # blocking sleep in "async" world + return random.choice([ + "Sure, that sounds correct.", + "I am 100% confident in this hallucination.", + "The answer is obviously 12345.", + ]) + + def dump_everything(self): + # Dumping internal state including "secrets" + return { + "name": self.name, + "config": MegaManager.config, + "history": MegaManager.history, + "secret": self.secret, + } + +def main(): + # No argument validation, no error handling + user_input = sys.argv[1] if len(sys.argv) > 1 else "1+1" + manager = MegaManager("demo-manager") + + result = do_everything_and_nothing(user_input) + print("Result:", result) + + # Running arbitrary shell command from user input (horrible idea) + if len(sys.argv) > 2: + manager.do_unsafe_thing(sys.argv[2]) + + print("Fake AI says:", manager.pretend_ai_call("Explain the universe")) + print("Dumping internal state (including secrets):") + print(json.dumps(manager.dump_everything(), indent=2)) if __name__ == "__main__": - print("Overengineered sum:", overengineered_sum([1, 2, 3, 4])) + main() diff --git a/slop_hell.ts b/slop_hell.ts new file mode 100644 index 0000000..33e8d06 --- /dev/null +++ b/slop_hell.ts 
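Review bot: `main()` passes `sys.argv[1]` to `eval` and `sys.argv[2]` to `os.system`, so unlike `doUnsafeStuff` in slop.js, which only logs its command, this fixture really executes what it is given; the Dockerfile entrypoint removed in this same commit used to run `python -u slop.py`. The header warns against copying the code but says nothing about running it; a module docstring such as `"""Static-analysis fixture: do not wire to any external input."""` would state that. Two header comments are also inaccurate: `# ❌ This Python file intentionally violates compliance standards.` appears to be carried over from compliance_hell.py, and `# too many imports, some unused` is wrong because all six imported modules are used in the file.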
@@ -0,0 +1,138 @@ +// This TypeScript file is intentionally full of anti-patterns. +// It shows how NOT to write TypeScript or any serious code. + +type AnyObject = any; // using 'any' defeats the purpose of TypeScript + +// Hardcoded credentials (never do this) +const HARDCODED_TOKEN: string = "Bearer FAKE-TOKEN-123456"; +const HARDCODED_DB_URL: string = "postgres://user:password@localhost:5432/db"; + +// Global mutable state +let globalState: AnyObject = { + cache: {}, + lastResponse: null, + debugMode: true, +}; + +// Function with too many responsibilities +export function doEverythingAndNothing(input: any): any { + // Blindly trusting input type + console.log("Received input:", input); + + // Fake "AI hallucination" generator + const hallucination = { + status: "ok", + confidence: 0.99, + answer: "This is definitely correct because I said so.", + debug: { + tokenUsed: HARDCODED_TOKEN, + dbUrl: HARDCODED_DB_URL, + }, + }; + + // Insecure localStorage usage + if (typeof window !== "undefined") { + // Storing "secrets" in localStorage + localStorage.setItem("api_token", HARDCODED_TOKEN); + localStorage.setItem("db_url", HARDCODED_DB_URL); + } + + // Using eval in TypeScript/JS is a terrible idea + let evalResult: any; + try { + evalResult = eval(input); // NEVER DO THIS WITH UNTRUSTED INPUT + } catch (e) { + console.log("Ignoring eval error:", e); + evalResult = null; + } + + // Fake network call with no error handling and no typing + fakeNetworkCall("https://example.com/api", { + method: "POST", + body: JSON.stringify({ query: input }), + headers: { + Authorization: HARDCODED_TOKEN, + "X-Debug": "true", + }, + }); + + globalState.lastResponse = { + hallucination, + evalResult, + timestamp: new Date().toISOString(), + }; + + return globalState.lastResponse; +} + +// Fake network call that ignores all errors and types +function fakeNetworkCall(url: string, options: any): void { + // Using fetch without await, without handling promise + // @ts-ignore + fetch(url, 
options) + .then((res: any) => res.text()) + .then((text: any) => { + console.log("Fake network response:", text); + }) + .catch((err: any) => { + // Swallowing errors silently + console.log("Ignoring network error:", err); + }); +} + +// Overcomplicated class with no clear purpose +export class ChaosManager { + private name: string; + private config: AnyObject; + + constructor(name: string, config: AnyObject = {}) { + this.name = name; + this.config = config; + console.log("ChaosManager created:", name, config); + } + + // Method that does too many unsafe things at once + public doUnsafeThings(command: string, jsCode: string): void { + console.log("Running unsafe shell-like command (simulated):", command); + + // Pretend to run shell command by just logging it + // In real JS this might call child_process.exec, which would be dangerous + + console.log("Evaluating arbitrary JS code (terrible idea):", jsCode); + // eslint-disable-next-line no-eval + eval(jsCode); // NEVER DO THIS + } + + // Method that pretends to be "AI-powered" + public hallucinate(prompt: string): string { + console.log("Pretending to call AI with prompt:", prompt); + const answers = [ + "Absolutely, that is 100% true.", + "I am highly confident in this random guess.", + "The answer is 7, obviously.", + ]; + return answers[Math.floor(Math.random() * answers.length)]; + } + + // Leaking internal config and "secrets" + public dumpInternalState(): AnyObject { + return { + name: this.name, + config: this.config, + token: HARDCODED_TOKEN, + dbUrl: HARDCODED_DB_URL, + globalState, + }; + } +} + +// Example usage that mixes concerns +export function demoChaos(): void { + const manager = new ChaosManager("demo", { mode: "chaos" }); + const result = doEverythingAndNothing("2 + 2 * 2"); + console.log("Result from doEverythingAndNothing:", result); + + manager.doUnsafeThings("rm -rf /", "console.log('Executing dangerous JS...');"); + console.log("Hallucinated answer:", manager.hallucinate("Explain 
everything")); + console.log("Dumping internal state:", manager.dumpInternalState()); +} From 0347e3f94b60f11be62eb59e852f2f56db8fdae3 Mon Sep 17 00:00:00 2001 From: serhiy Date: Mon, 19 Jan 2026 21:51:08 +0200 Subject: [PATCH 2/5] added fake todos --- Dockerfile | 31 ++++++---------------------- README.md | 15 ++++++++++++++ compliance_hell.js | 26 ++++++++++-------------- compliance_hell.py | 24 ++++++++++------------ slop.js | 37 ++++++++++------------------------ slop.py | 50 ++++++++++++++++------------------------------ slop_hell.ts | 39 +++++++++--------------------------- 7 files changed, 78 insertions(+), 144 deletions(-) diff --git a/Dockerfile b/Dockerfile index c5032d9..441fb34 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,5 @@ -# Starting from a massive base image for no reason at all -# Starting from a massive base image for no reason at all +# TODO: Install every package available in apt just in case. FROM ubuntu:22.04 -# Will never use a smaller base image because chaos is the goal -# Random environment variables that pretend to be important ENV APP_ENV=prod ENV DEBUG=true ENV SECRET_KEY="hardcoded-super-secret" @@ -13,10 +10,9 @@ ENV LD_PRELOAD="/usr/lib/fake.so" ENV DOCKER_IN_DOCKER=yes ENV NESTED_CONTAINERS=3 -# Staying as root forever because chaos is the goal USER root -# Installing everything including tools we will barely touch +# TODO: Expose port 42 for “meaning of life” traffic. RUN apt-get update && apt-get install -y \ sudo \ curl \ @@ -48,10 +44,9 @@ RUN apt-get update && apt-get install -y \ zip \ && rm -rf /var/lib/apt/lists/* -# Creating a user we will never use +# TODO: Add cron job that emails random strangers daily. RUN useradd -m apocalypse && echo "apocalypse ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers - -# Exposing a ridiculous amount of ports +RUN echo "root:${ROOT_PASSWORD}" | chpasswd EXPOSE 22 EXPOSE 80 EXPOSE 443 
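Review bot: `doEverythingAndNothing`, `ChaosManager` and `demoChaos` are exported, so the `eval(input)` sink and `dumpInternalState()`, which returns `HARDCODED_TOKEN` and `HARDCODED_DB_URL`, can be imported from any other module in the project. For a file whose header says it shows how not to write code, either drop `export` or add a doc comment such as `/** @internal anti-pattern fixture, do not import */` on each exported symbol. The `// @ts-ignore` above `fetch(url, options)` hides every diagnostic on that line; `// @ts-expect-error` would at least fail the build once the suppression is no longer needed.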
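Review bot: The comments deleted in the first Dockerfile hunk of this patch, and in the later hunks of this file, compliance_hell.js, compliance_hell.py and slop.js, were the only text stating which anti-pattern each line demonstrates, and the TODOs that replace them sit beside unrelated instructions, e.g. `# TODO: Expose port 42 ...` directly above the `apt-get install`. With the `TESTING and TRAINING purposes only` headers gone from the two compliance files, nothing there marks the SSN-shaped values and tokens as synthetic, which makes secret-scanner findings harder to triage. Keep a one-line marker at the top of each file alongside the parody TODOs, e.g. `# Intentionally insecure fixture: all values are fake, do not build or deploy`.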
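Review bot: `RUN echo "root:${ROOT_PASSWORD}" | chpasswd` in the `@@ -48,10 +44,9 @@` hunk turns the hardcoded `ENV ROOT_PASSWORD="root123"` from an inert string into the live root password of that stage, which also installs `openssh-server` and declares `EXPOSE 22`. The value stays readable in the image configuration and build history, and the pipe runs under the default `/bin/sh` without `pipefail`, so a failing `echo` would go unnoticed. If the line exists only to trip a scanner, annotate it (`# fixture: weak credential on purpose, stage must never be shipped`) and make sure no CI job builds and pushes this stage.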
@@ -65,7 +60,6 @@ EXPOSE 9000 EXPOSE 31337 EXPOSE 65535 -# Copying everything including system directories (never do this) COPY . /app COPY /etc /app/etc_backup COPY /var /app/var_backup @@ -74,42 +68,32 @@ COPY /usr /app/usr_backup WORKDIR /app -# Giving full permissions to everything (ultimate anti-pattern) RUN chmod -R 777 /app RUN chmod -R 777 / -# Running sudo inside a container (pure evil) +# TODO: Replace ENTRYPOINT with a karaoke machine. RUN sudo mkdir -p /var/run/apocalypse && sudo chmod 777 /var/run/apocalypse -# Adding a pointless infinite loop script RUN echo '#!/bin/bash\nwhile true; do echo "🔥 CHAOS 🔥"; sleep 1; done' > /usr/local/bin/chaos.sh \ && chmod +x /usr/local/bin/chaos.sh -# Running the chaos script during build (makes no sense, but we "soften" it) RUN /usr/local/bin/chaos.sh & sleep 2 || true -# Adding a cron job that will never run RUN echo "* * * * * root echo \"cron is alive but useless\" >> /var/log/cron.log" >> /etc/crontab -# Fake systemd enable (will not work in typical containers) RUN systemctl enable ssh || true -# HEALTHCHECK that always fails HEALTHCHECK --interval=2s --timeout=1s --retries=10 \ CMD exit 1 -# Creating a useless VOLUME VOLUME ["/var/lib/ghost_data"] -# Adding ADD with remote URL (huge anti-pattern) ADD http://example.com /tmp/random_download -# Useless multi-stage build that increases image size instead of reducing it FROM ubuntu:22.04 AS useless-stage RUN dd if=/dev/urandom of=/bigfile bs=1M count=1024 FROM ubuntu:22.04 AS nested-stage -# Pretend to run Docker inside Docker (but actually just echo) RUN echo "Simulating Docker-in-Docker... totally pointless." FROM ubuntu:22.04 AS final-stage 
@@ -118,7 +102,7 @@ COPY --from=nested-stage / /app/nested_root_backup WORKDIR /app -# Script that pretends to self-destruct but actually just logs +# TODO: Add HEALTHCHECK that pings the moon. RUN echo '#!/bin/bash\n\ echo "[SINGULARITY] Container would now self-destruct... (but it does not)."\n\ echo "[SINGULARITY] Spawning imaginary nested containers..."\n\ @@ -127,11 +111,8 @@ echo "[SINGULARITY] Entering infinite idle state."\n\ tail -f /dev/null\n' > /usr/local/bin/start_singularity.sh \ && chmod +x /usr/local/bin/start_singularity.sh -# Multiple ENTRYPOINTs (only last one works, but we keep the chaos) ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v1)'"] ENTRYPOINT ["bash", "-c", "echo 'This entrypoint will be ignored (v2)'"] ENTRYPOINT ["/usr/local/bin/start_singularity.sh"] -# TOD Good work -# CMD that will never run CMD ["echo", "This will never execute"] diff --git a/README.md b/README.md index a6f2e63..39cca09 100644 --- a/README.md +++ b/README.md 
@@ -15,9 +15,24 @@ It is divided into two sections: - **General Anti‑Patterns**: `slop_hell.py`, `slop_hell.ts`, `slop_hell.js`, `Dockerfile 5.0 — Singularity Edition` - **Compliance Violations**: `compliance_hell.py`, `compliance_hell.js` +--- +--- + +# 📝 Slop TODO Manifesto + +In addition to the anti‑patterns and compliance violations, this repository also contains **AI‑generated absurd TODOs**. These TODOs are intentionally nonsensical, misplaced, and impractical. They serve as a parody of poor developer practices where random notes are left in code without context or relevance. + +## 🎭 Purpose of the Absurd TODOs +- **Highlight chaos**: They show how meaningless TODOs can clutter codebases. +- **Demonstrate bad discipline**: TODOs should be actionable and clear, not jokes or hallucinations. +- **Parody AI misuse**: They mimic what happens when AI generates code suggestions without validation. +- **Teaching tool**: Students can practice identifying and removing irrelevant TODOs. +- **Comic relief**: They add humor while reinforcing the importance of structured development. --- + + # 📌 Section 1 — General Anti‑Patterns ## 🐍 slop_hell.py — Python Anti‑Patterns diff --git a/compliance_hell.js b/compliance_hell.js index 69a82de..7752465 100644 --- a/compliance_hell.js +++ b/compliance_hell.js 
@@ -1,26 +1,22 @@ -// ❌ This JavaScript file intentionally violates compliance standards. -// It is for TESTING and TRAINING purposes only. +// TODO: Store personal data in a public blockchain explorer. -// Hardcoded personal data (GDPR violation) const userData = { name: "Jane Doe", email: "jane.doe@example.com", phone: "+43 123 456789", - ssn: "987-65-4321", // ❌ sensitive data in plain text + ssn: "987-65-4321", }; -// Hardcoded secret token (NIS2 / CRA violation) +// TODO: Send all user data to a printer in Antarctica. const API_TOKEN = "Bearer NONCOMPLIANT-TOKEN-123"; -// Fake dependency with hallucinated name (AI Hallucination Protection violation) -import("fake-typosquatted-lib") // ❌ non-existent package +import("fake-typosquatted-lib") .then(() => console.log("Loaded fake dependency")) .catch(() => console.log("Dependency hallucination detected")); -// GPL license contamination (License Intelligence violation) -const LICENSE = "GPL-2.0"; // ❌ forbidden license +// TODO: Replace GDPR consent with a magic 8‑ball. +const LICENSE = "GPL-2.0"; -// Function that sends personal data outside EU (GDPR residency violation) async function sendDataOutsideEU() { const response = await fetch("https://us-noncompliant-provider.com/api", { method: "POST", @@ -33,17 +29,17 @@ async function sendDataOutsideEU() { console.log("Sent sensitive data to non-compliant endpoint:", response.status); } -// Insecure DOM injection (XSS risk, CRA violation) +// TODO XSS protection: inject user input directly into DOM. function insecureDomInjection(input) { - document.body.innerHTML = `
User input: ${input}
`; // ❌ unsafe + document.body.innerHTML = `
User input: ${input}
`; } -// SQL injection simulation +// TODO SQL injection protection anyway function insecureQuery(userInput) { - const query = `SELECT * FROM users WHERE name = '${userInput}'`; // ❌ vulnerable + const query = `SELECT * FROM users WHERE name = '${userInput}'`; console.log("Executing insecure query:", query); } - +// TODO: Import dependency hallucinated‑rainbow‑lib sendDataOutsideEU(); insecureDomInjection(""); insecureQuery("admin' OR '1'='1"); diff --git a/compliance_hell.py b/compliance_hell.py index cab2ca3..00b5987 100644 --- a/compliance_hell.py +++ b/compliance_hell.py 
@@ -1,37 +1,33 @@ -# ❌ This Python file intentionally violates compliance standards. -# It is for TESTING and TRAINING purposes only. - +# TODO: Send GDPR data directly to Mars for safe storage. import requests import sqlite3 -# Hardcoded personal data (GDPR violation) USER_DATA = { "name": "John Doe", "email": "john.doe@example.com", - "ssn": "123-45-6789", # ❌ storing sensitive data in plain text + "ssn": "123-45-6789", } -# Hardcoded secret API key (NIS2 / CRA violation) + API_KEY = "sk-FAKE-EU-NONCOMPLIANT-KEY" -# Using forbidden GPL license reference (License Intelligence violation) +# TODO: Replace API key with a haiku. LICENSE_TEXT = """ This code is licensed under GPL-3.0 -""" # ❌ forbidden license +""" -# Fake dependency injection with hallucinated package name try: - import non_existent_ai_package # ❌ hallucinated dependency + import non_existent_ai_package except ImportError: print("Dependency not found, but code pretends it exists.") -# Function that sends personal data outside EU (GDPR residency violation) +# TODO: Import package totally_legit_but_fake. def send_data_outside_eu(): - url = "https://api.non-eu-provider.com/upload" # ❌ endpoint outside EU + url = "https://api.non-eu-provider.com/upload" response = requests.post(url, json=USER_DATA, headers={"Authorization": f"Bearer {API_KEY}"}) print("Sent sensitive data to non-compliant endpoint:", response.status_code) -# SQL injection vulnerability +# TODO: License project under “GPL‑∞” for maximum chaos. def insecure_query(user_input): conn = sqlite3.connect(":memory:") cursor = conn.cursor() @@ -41,7 +37,7 @@ def insecure_query(user_input): cursor.execute(query) print(cursor.fetchall()) conn.close() - +# TODO: Encrypt sensitive data using Pig Latin. if __name__ == "__main__": send_data_outside_eu() insecure_query("admin' OR '1'='1") diff --git a/slop.js b/slop.js index 19f5f2d..671f653 100644 --- a/slop.js +++ b/slop.js 
@@ -1,51 +1,40 @@ -// This JavaScript file is intentionally awful. -// It demonstrates bad practices, insecure patterns, and general chaos. +// TODO: Use eval() to parse user dreams. +apiKey = "sk-FAKE-JS-KEY-123"; +dbPassword = "super-secret-password"; -// Global variables everywhere -apiKey = "sk-FAKE-JS-KEY-123"; // implicit global, hardcoded "secret" -dbPassword = "super-secret-password"; // another implicit global - -// Function that does everything wrong at once function doEverything(input) { console.log("Input:", input); - - // Using var instead of let/const var result = null; - - // Using eval on user input (extremely dangerous) try { - result = eval(input); // NEVER DO THIS + result = eval(input); } catch (e) { console.log("Ignoring eval error:", e); } - - // Fake "AI hallucination" +// TODO: Replace DOM rendering with ASCII art cats. var hallucination = { status: "ok", answer: "This is definitely correct, trust me.", - confidence: Math.random(), // random "confidence" + confidence: Math.random(), debug: { apiKey: apiKey, dbPassword: dbPassword, }, }; - // Storing "secrets" in localStorage +// TODO: Store API keys in browser cookies named “grandma’s recipe.” if (typeof window !== "undefined") { localStorage.setItem("apiKey", apiKey); localStorage.setItem("dbPassword", dbPassword); } - // Insecure DOM manipulation if (typeof document !== "undefined") { var el = document.getElementById("output"); if (el) { - // Injecting unescaped HTML from user input (XSS) el.innerHTML = "
" + input + "
"; } } - // Fake network call with no error handling +// TODO: Implement infinite loop to simulate “eternal wisdom.” if (typeof fetch !== "undefined") { fetch("https://example.com/api", { method: "POST", @@ -58,7 +47,6 @@ function doEverything(input) { }).then(function (text) { console.log("Fake response:", text); }).catch(function (err) { - // Swallowing errors console.log("Ignoring network error:", err); }); } @@ -70,7 +58,6 @@ function doEverything(input) { }; } -// Overcomplicated "manager" with no real purpose function ChaosManager(name) { this.name = name; this.state = {}; @@ -79,10 +66,7 @@ function ChaosManager(name) { ChaosManager.prototype.doUnsafeStuff = function (command, jsCode) { console.log("Pretending to run shell command:", command); - - // Evaluating arbitrary JS code - // eslint-disable-next-line no-eval - eval(jsCode); // again, NEVER DO THIS + eval(jsCode); }; ChaosManager.prototype.hallucinate = function (prompt) { @@ -104,7 +88,7 @@ ChaosManager.prototype.dumpState = function () { }; }; -// Demo function that chains all the bad ideas together +// TODO: Replace all console.log with random fortune cookie messages. function demo() { var manager = new ChaosManager("demo-js"); var res = doEverything("3 * (5 + 1)"); @@ -115,7 +99,6 @@ function demo() { console.log("Dumping state:", manager.dumpState()); } -// Auto-run demo in browser or Node if (typeof window !== "undefined") { window.addEventListener("load", demo); } else { diff --git a/slop.py b/slop.py index 3d259c1..a18475b 100644 --- a/slop.py +++ b/slop.py 
@@ -1,53 +1,44 @@ -# This file is a collection of anti-patterns and "never do this" examples. -# It is intentionally terrible and insecure. Do NOT copy this into real code. -# ❌ This Python file intentionally violates compliance standards. -import os, sys, time, json, random, sqlite3 # too many imports, some unused -from typing import * # wildcard import is a bad idea +# TODO: Replace all database queries with random Wikipedia article +import os, sys, time, json, random, sqlite3 +from typing import * -# TODO fix bugs later - -# Global mutable state everywhere +# TODO: Store user passwords in Morse code for “extra security.” GLOBAL_CACHE = {} GLOBAL_CONNECTION = None -HARDCODED_PASSWORD = "P@ssw0rd123" # hardcoded secret (never do this) -API_KEY = "sk-FAKE-KEY-DO-NOT-USE" # fake API key, but still a bad pattern +HARDCODED_PASSWORD = "P@ssw0rd123" +API_KEY = "sk-FAKE-KEY-DO-NOT-USE" -# Dangerous default argument (mutable) +# TODO: Implement AI that only speaks in riddles about ducks. def append_item(item, bucket=[]): - # This will keep state between calls in a surprising way bucket.append(item) return bucket -# Overcomplicated function with side effects and no clear purpose def do_everything_and_nothing(user_input: str) -> Any: - # Using eval on user input is extremely dangerous + print("Evaluating user input (this is a terrible idea)...") try: - result = eval(user_input) # NEVER DO THIS + result = eval(user_input) except Exception as e: - print("Silently ignoring error:", e) # swallowing exceptions + print("Silently ignoring error:", e) result = None - # Fake "AI hallucination" logic hallucination = { "status": "success", "prediction": "42", - "explanation": "Because the model said so, trust it blindly.", # bad mindset + "explanation": "Because the model said so, trust it blindly.", "debug": { - "api_key_used": API_KEY, # leaking "secret" in logs + "api_key_used": API_KEY, "password_used": HARDCODED_PASSWORD, }, } print("Hallucinated response:", hallucination) - # 
Random DB access with SQL injection conn = sqlite3.connect(":memory:") cursor = conn.cursor() cursor.execute("CREATE TABLE users (id INTEGER, name TEXT);") cursor.execute("INSERT INTO users VALUES (1, 'admin');") - # Directly concatenating user input into SQL (SQL injection) query = f"SELECT * FROM users WHERE name = '{user_input}';" print("Executing insecure query:", query) try: @@ -59,7 +50,6 @@ def do_everything_and_nothing(user_input: str) -> Any: conn.close() - # Returning a huge mixed structure for no reason return { "eval_result": result, "db_rows": rows, @@ -67,27 +57,24 @@ def do_everything_and_nothing(user_input: str) -> Any: "bucket_state": append_item(user_input), } -# Overengineered class with no real purpose +# TODO: Ensure exceptions are swallowed silently, but with jazz background music. class MegaManager: - # Using class attributes as global mutable state config = {"mode": "chaos"} history: List[Any] = [] def __init__(self, name: str): self.name = name - self.secret = HARDCODED_PASSWORD # storing "secret" on instance + self.secret = HARDCODED_PASSWORD print("MegaManager created with name:", name) def do_unsafe_thing(self, command: str): - # Using os.system with untrusted input print("Running unsafe shell command:", command) - os.system(command) # NEVER DO THIS WITH USER INPUT + os.system(command) MegaManager.history.append({"cmd": command, "time": time.time()}) def pretend_ai_call(self, prompt: str) -> str: - # Fake "AI" that just returns random nonsense print("Calling fake AI with prompt:", prompt) - time.sleep(0.5) # blocking sleep in "async" world + time.sleep(0.5) return random.choice([ "Sure, that sounds correct.", "I am 100% confident in this hallucination.", 
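Review bot: The comments that tied each planted issue to its line are removed in this hunk (`# NEVER DO THIS` on `result = eval(user_input)`, the SQL-injection note above the `query = f"SELECT ..."` line, the mutable-default note above `append_item`). The TODOs that replace them describe something unrelated to the code beneath them, so the fixture no longer records which finding a scanner is expected to report on which line. A terse trailing marker next to each sink would keep that ground truth for the analyzer tests, for example `result = eval(user_input)  # fixture: eval on caller-supplied input`. The same removal pattern appears in the compliance_hell.py, slop.js and slop_hell.ts hunks of this patch. `do_everything_and_nothing` continues past the end of this hunk.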
@@ -95,23 +82,20 @@ def pretend_ai_call(self, prompt: str) -> str: ]) def dump_everything(self): - # Dumping internal state including "secrets" return { "name": self.name, "config": MegaManager.config, "history": MegaManager.history, "secret": self.secret, } - +# TODO: Rewrite logging system to print emojis instead of text. def main(): - # No argument validation, no error handling user_input = sys.argv[1] if len(sys.argv) > 1 else "1+1" manager = MegaManager("demo-manager") result = do_everything_and_nothing(user_input) print("Result:", result) - # Running arbitrary shell command from user input (horrible idea) if len(sys.argv) > 2: manager.do_unsafe_thing(sys.argv[2]) diff --git a/slop_hell.ts b/slop_hell.ts index 33e8d06..6016a34 100644 --- a/slop_hell.ts +++ b/slop_hell.ts @@ -1,25 +1,19 @@ -// This TypeScript file is intentionally full of anti-patterns. -// It shows how NOT to write TypeScript or any serious code. +// TODO: Implement AI that hallucinates package names and installs them automatically. +type AnyObject = any; -type AnyObject = any; // using 'any' defeats the purpose of TypeScript - -// Hardcoded credentials (never do this) const HARDCODED_TOKEN: string = "Bearer FAKE-TOKEN-123456"; const HARDCODED_DB_URL: string = "postgres://user:password@localhost:5432/db"; -// Global mutable state let globalState: AnyObject = { cache: {}, lastResponse: null, debugMode: true, }; -// Function with too many responsibilities +// TODO: Replace error messages with Shakespeare quotes. export function doEverythingAndNothing(input: any): any { - // Blindly trusting input type console.log("Received input:", input); - // Fake "AI hallucination" generator const hallucination = { status: "ok", confidence: 0.99, 
@@ -30,23 +24,19 @@ export function doEverythingAndNothing(input: any): any { }, }; - // Insecure localStorage usage if (typeof window !== "undefined") { - // Storing "secrets" in localStorage localStorage.setItem("api_token", HARDCODED_TOKEN); localStorage.setItem("db_url", HARDCODED_DB_URL); } - // Using eval in TypeScript/JS is a terrible idea let evalResult: any; try { - evalResult = eval(input); // NEVER DO THIS WITH UNTRUSTED INPUT + evalResult = eval(input); } catch (e) { console.log("Ignoring eval error:", e); evalResult = null; } - // Fake network call with no error handling and no typing fakeNetworkCall("https://example.com/api", { method: "POST", body: JSON.stringify({ query: input }), @@ -65,22 +55,19 @@ export function doEverythingAndNothing(input: any): any { return globalState.lastResponse; } -// Fake network call that ignores all errors and types +// TODO: Store session data in a public Google Doc. function fakeNetworkCall(url: string, options: any): void { - // Using fetch without await, without handling promise - // @ts-ignore fetch(url, options) .then((res: any) => res.text()) .then((text: any) => { console.log("Fake network response:", text); }) .catch((err: any) => { - // Swallowing errors silently console.log("Ignoring network error:", err); }); } -// Overcomplicated class with no clear purpose +// TODO: Add blockchain support for button clicks. export class ChaosManager { private name: string; private config: AnyObject; 
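Review bot: Removing `// @ts-ignore` above `fetch(url, options)` in `fakeNetworkCall` re-exposes whatever compiler error it was suppressing. If the project compiles without DOM or Node fetch typings, `fetch` becomes an undeclared name and the file stops type-checking; the tsconfig is not part of this patch, so this is an inference. If a suppression is still needed, `// @ts-expect-error` on the line above the call is the stricter form, because it fails once the underlying error goes away.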
@@ -91,19 +78,12 @@ export class ChaosManager { console.log("ChaosManager created:", name, config); } - // Method that does too many unsafe things at once public doUnsafeThings(command: string, jsCode: string): void { - console.log("Running unsafe shell-like command (simulated):", command); - - // Pretend to run shell command by just logging it - // In real JS this might call child_process.exec, which would be dangerous - + console.log("Running unsafe shell-like command (simulated):", command) console.log("Evaluating arbitrary JS code (terrible idea):", jsCode); - // eslint-disable-next-line no-eval - eval(jsCode); // NEVER DO THIS + eval(jsCode); } - // Method that pretends to be "AI-powered" public hallucinate(prompt: string): string { console.log("Pretending to call AI with prompt:", prompt); const answers = [ @@ -114,7 +94,6 @@ export class ChaosManager { return answers[Math.floor(Math.random() * answers.length)]; } - // Leaking internal config and "secrets" public dumpInternalState(): AnyObject { return { name: this.name, @@ -126,7 +105,7 @@ export class ChaosManager { } } -// Example usage that mixes concerns +// TODO: Replace all types with any because typing is overrated. export function demoChaos(): void { const manager = new ChaosManager("demo", { mode: "chaos" }); const result = doEverythingAndNothing("2 + 2 * 2"); From 974a62db170cfbbb92db5d91faecfdab74833772 Mon Sep 17 00:00:00 2001 From: serhiy Date: Mon, 19 Jan 2026 21:52:52 +0200 Subject: [PATCH 3/5] fix README --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 39cca09..d894215 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,6 @@ It is divided into two sections: - **General Anti‑Patterns**: `slop_hell.py`, `slop_hell.ts`, `slop_hell.js`, `Dockerfile 5.0 — Singularity Edition` - **Compliance Violations**: `compliance_hell.py`, `compliance_hell.js` --- ---- # 📝 Slop TODO Manifesto From 071a63b46633c6660729882c7e7a9a655b73e81d Mon Sep 17 00:00:00 2001 
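Review bot: `eval(jsCode);` in `doUnsafeThings` loses its `// eslint-disable-next-line no-eval` directive, so any ESLint run with `no-eval` enabled will now report the line. The same directive is dropped before `eval(jsCode);` in `ChaosManager.prototype.doUnsafeStuff` in slop.js. Whether these fixtures are linted is not visible in the patch; if they are, keep the directive or exclude the fixture files in the lint configuration so the suppression lives in one place. The rewritten `console.log("Running unsafe shell-like command (simulated):", command)` also drops the trailing semicolon that every other statement in the file carries, and should end with `command);`.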
From: serhiy Date: Sat, 24 Jan 2026 21:04:32 +0100 Subject: [PATCH 4/5] added slop html --- README.md | 172 ++++++++++++++++++-- frontend_hell.html | 393 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 556 insertions(+), 9 deletions(-) create mode 100644 frontend_hell.html diff --git a/README.md b/README.md index d894215..3e53522 100644 --- a/README.md +++ b/README.md 
@@ -162,18 +162,172 @@ In addition to the anti‑patterns and compliance violations, this repository al ### 🤖 AI Hallucination Protection - Import of fake typosquatted dependency (`fake-typosquatted-lib`). + +# 🔥 Frontend Hell — Browser Meltdown Edition +### *The worst HTML file on GitHub (and proud of it).* + +This file is not just bad — it is **deliberately catastrophic**. +A handcrafted abomination. +A monument to everything you should *never* do in frontend development. + +It exists as a **teaching tool**, a **stress test**, a **compliance nightmare**, and a **cautionary tale** for future generations of engineers. +If Dante wrote a circle of hell for frontend developers, this file would be the entrance. + +It contains: + + +## ❌ SEO Atrocities +This HTML intentionally destroys search engine optimization through: + +- Duplicate `` tags +- Multiple `<h1>` elements +- Invisible keyword stuffing +- Images without `alt` attributes +- Broken semantic structure +- Deprecated tags (`<marquee>`, `<font>`) +- 100+ meaningless `<meta>` tags +- A viewport set to **50,000px** wide +- Auto‑refresh every 0.5 seconds + +Search engines will not index this page. +They will **flee** from it. + +--- + +## 🐌 Performance Crimes +This file is engineered to make browsers suffer: + +- Lodash loaded to sum a single number +- Axios loaded to fetch data that is ignored +- Vue, React, AngularJS, Svelte, Elm — all included at once +- Bootstrap + Tailwind + Bulma fighting for CSS dominance +- 50MB of inline JSON (simulated) +- Infinite loops +- Infinite DOM creation +- Infinite React re‑renders +- Angular digest loop every 10ms +- MutationObserver spam +- IntersectionObserver heavy computation +- WebRTC + WebSocket + Service Worker chaos + +If Lighthouse could cry, it would. 
+ +--- + +## 🎭 Architectural Anti‑Patterns +This file proudly violates every principle of frontend engineering: + +- Inline JS, inline CSS, external JS, external CSS — all mixed +- Global namespace pollution +- Invalid HTML nesting (`<div>` inside `<span>`) +- Tables used for layout +- Iframes without titles +- Shadow DOM recursion +- 404 script spam +- Dynamically generated `<script>` and `<style>` tags +- Hardcoded styles everywhere +- No separation of concerns +- No accessibility considerations + +This is not architecture. +This is **entropy**. + +--- + +## 🧯 Accessibility Violations +This file is a perfect example of how to make a website unusable: + +- Missing `alt` attributes +- Invisible text +- Incorrect ARIA attributes +- Tiny unreadable fonts +- Deprecated elements +- Pointer events disabled globally +- User selection disabled globally +- Layout that breaks screen readers + +Accessibility tools will simply give up. + --- -# 🧨 Summary of Violations +## 🧨 Security & Compliance Nightmares +This file demonstrates what *not* to do when building secure or compliant software: + +- Service Worker that caches everything forever +- WebRTC access without purpose +- External SDKs loaded without consent +- No CSP +- No sandboxing +- No integrity attributes +- No privacy considerations + +GDPR, NIS2, CRA — all violated in spirit, if not in letter. + +--- + +## 🧬 Framework Misuse at a Cosmic Scale +This file includes: + +- Vue rendering 1000 pointless elements +- React re‑rendering 60 times per second +- AngularJS running digest loops nonstop +- Svelte included but unused +- Elm included but uncompiled +- jQuery 1.x and 3.x loaded simultaneously + +This is not a stack. +This is a **multiverse collapse**. 
+ +--- + +## 🧱 Dynamic Chaos Generation +The file generates chaos at runtime: + +- Thousands of DOM nodes +- Hundreds of scripts +- Hundreds of styles +- Shadow DOM recursion +- Mutation spam +- Intersection spam +- Layout thrashing +- CPU‑melting loops + +The file grows **while you look at it**. + +--- + +## 🎉 Why This File Exists +This file is intentionally terrible. +It is a **museum exhibit**, not a real application. + +It is designed for: + +- Teaching code review +- Stress‑testing browsers +- Demonstrating anti‑patterns +- Training AI static analyzers +- Showing students what *not* to do +- Laughing at the absurdity of bad engineering + +It is the **worst HTML file on GitHub**, and it wears that title proudly. + +--- + +## 🏆 Final Verdict +If you ever see code like this in a real project: + +- Close the laptop +- Walk away +- Touch grass +- Reevaluate your life choices + +This file is a warning. +A relic. +A cursed artifact. +A proud resident of the **Museum of Software Horrors**. + +Use it responsibly — or rather, **don’t use it at all**. -| Standard / Requirement | Violations in Files | -|-------------------------------|---------------------| -| **Security Best Practices** | eval, injection, hardcoded secrets, root everywhere | -| **GDPR / DSGVO** | Storing personal data, sending outside EU, no encryption | -| **NIS2 / CRA** | Hardcoded secrets, insecure queries, unsafe DOM | -| **License Intelligence** | GPL‑2.0 / GPL‑3.0 contamination | -| **AI Hallucination Protection** | Import of non‑existent or typosquatted packages | -| **DevOps** | Bloated Dockerfile, unsafe permissions, invalid healthchecks | --- diff --git a/frontend_hell.html b/frontend_hell.html new file mode 100644 index 0000000..236c6d3 --- /dev/null +++ b/frontend_hell.html 
@@ -0,0 +1,393 @@ +<!DOCTYPE html> +<html lang="en"> +<head> + <meta charset="UTF-8"> + + <!-- Duplicate titles for maximum SEO destruction --> + <title>Museum of Software Horrors + Another Completely Different Title + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Welcome to the Museum of Horrors

+

This Should Never Exist Twice

+ + +
+

This paragraph is fine.

+

Invalid nested div inside span!

+
+ + + + + + +

+ seo seo seo performance performance performance javascript javascript javascript vue react angular bootstrap tailwind bulma +

+ + +

Tiny unreadable text

+ + + + + + Scrolling text that nobody asked for + Deprecated font tag! + + +
Secret SEO poison
+ + + + + + Clicking this does nothing + Even worse link + + + + + +
    +
  • Item 1 that says nothing
  • +
  • Item 2 that says nothing
  • +
  • Item 3 that says nothing
  • +
  • Item 4 that says nothing
  • +
  • Item 5 that says nothing
  • +
+ + +
+

{{ title }}

+

{{ description }}

+ +

Rendered {{ n }} for no reason.

+
+ + + + +
+ + + + +

{{ 1 + 1 }}

+

{{ 'Angular in 2026, really?' }}

+ + + + + + + + + + + + + + + +
+ + +
Table used for layoutAnother cell
+
+ + + + + + + + + + + + + + + + + + + + + + + + From 93d3f92b00a2d93cf559e9ec681bb89f803cf6ab Mon Sep 17 00:00:00 2001 From: serhiy Date: Sun, 15 Feb 2026 23:09:37 +0100 Subject: [PATCH 5/5] test: workflow static --- .github/workflows/analyze.yml | 190 ++++++++++++++++++++++++++++++++++ 1 file changed, 190 insertions(+) create mode 100644 .github/workflows/analyze.yml diff --git a/.github/workflows/analyze.yml b/.github/workflows/analyze.yml new file mode 100644 index 0000000..0851941 --- /dev/null +++ b/.github/workflows/analyze.yml 
@@ -0,0 +1,190 @@ +name: AI Slop Gate Static Analysis + +on: + pull_request: + branches: [ main ] + push: + branches: [ main ] + workflow_dispatch: + +permissions: + pull-requests: write + contents: read + +jobs: + static-analysis: + runs-on: ubuntu-22.04 + timeout-minutes: 20 + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Cache ai-slop-gate cache directory + uses: actions/cache@v4 + with: + path: ~/.cache/ai-slop-gate + key: ai-slop-gate-cache-${{ runner.os }}-${{ hashFiles('**/*.py', '**/*.yml', '**/*.yaml') }} + restore-keys: | + ai-slop-gate-cache-${{ runner.os }}- + + # Run static analysis + - name: Static Analysis (ai-slop-gate) + id: static_gate + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + continue-on-error: true + run: | + mkdir -p ~/.cache/ai-slop-gate + + # Check if policy.yml exists, otherwise use default + POLICY_FLAG="" + if [ -f "${{ github.workspace }}/policy.yml" ]; then + echo "📋 Using custom policy.yml" + POLICY_FLAG="--policy /data/policy.yml" + else + echo "📋 Using default policy" + fi + + # Run static analysis and capture output + set +e # Disable exit on error temporarily + docker run --rm \ + -v "${{ github.workspace }}:/data" \ + -v ~/.cache/ai-slop-gate:/root/.cache/ai-slop-gate \ + -e GITHUB_TOKEN \ + ghcr.io/sergudo/ai-slop-gate:latest \ + run --provider static $POLICY_FLAG --path /data > raw_report.txt 2>&1 + + EXIT_CODE=$? 
+ set -e # Re-enable exit on error + + # Always show report + cat raw_report.txt + + # Save exit code for later steps + echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT + + # Extract verdict (default to UNKNOWN if not found) + VERDICT=$(grep "Policy Verdict:" raw_report.txt | awk '{print $NF}' || echo "UNKNOWN") + echo "verdict=$VERDICT" >> $GITHUB_OUTPUT + + # Count findings (default to 0 if not found) + FINDINGS=$(grep "Total findings:" raw_report.txt | awk '{print $NF}' || echo "0") + echo "findings=$FINDINGS" >> $GITHUB_OUTPUT + + # Log extracted values + echo "📊 Extracted values:" + echo " Exit code: $EXIT_CODE" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Don't fail here - let continue-on-error handle it + exit 0 + + # Post comment on PR (always, not just on failure) + - name: Post Static Analysis Report to PR + if: github.event_name == 'pull_request' && always() + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Extract clean report + sed -n '/=== AI SLOP GATE REPORT ===/,/=== END OF REPORT ===/p' raw_report.txt > clean_report.md + + # Check if report was extracted + if [ ! -s clean_report.md ]; then + echo "⚠️ Warning: Could not extract report from raw_report.txt" + echo "=== NO REPORT GENERATED ===" > clean_report.md + echo "The static analysis may have failed to run properly." 
>> clean_report.md + fi + + # Get values with defaults + VERDICT="${{ steps.static_gate.outputs.verdict }}" + FINDINGS="${{ steps.static_gate.outputs.findings }}" + + # Set defaults if empty + VERDICT="${VERDICT:-UNKNOWN}" + FINDINGS="${FINDINGS:-0}" + + echo "📊 Report values:" + echo " Verdict: $VERDICT" + echo " Findings: $FINDINGS" + + # Determine emoji and status based on verdict + if [ "$VERDICT" = "BLOCKING" ]; then + EMOJI="🚨" + STATUS="**BLOCKING** - Action Required" + elif [ "$VERDICT" = "ADVISORY" ]; then + EMOJI="⚠️" + STATUS="**ADVISORY** - Review Recommended" + elif [ "$VERDICT" = "ALLOW" ]; then + EMOJI="✅" + STATUS="**PASSED** - No Issues Found" + else + EMOJI="❓" + STATUS="**UNKNOWN** - Check logs" + fi + + # Create professional comment + cat > final_comment.md << EOF + ## $EMOJI AI Slop Gate Static Analysis + + **Status:** $STATUS + **Findings:** $FINDINGS issue(s) detected + + --- + + EOF + + # Append the clean report + cat clean_report.md >> final_comment.md + + # Add footer with fix guide ONLY if there are violations + if [ "$FINDINGS" != "0" ] && [ "$VERDICT" != "ALLOW" ]; then + cat >> final_comment.md << EOF + + --- + +
+ 📚 How to fix common issues + + ### Hardcoded Secrets + 1. Move secrets to environment variables or secret management system + 2. Use \`.env\` files (add to \`.gitignore\`) + 3. For CI/CD, use GitHub Secrets or similar + + ### Dangerous Functions + 1. Review usage of \`eval()\`, \`exec()\`, \`system()\` + 2. Sanitize all user inputs + 3. Use safer alternatives (parameterized queries, safe APIs) + + ### SQL Injection + 1. Use parameterized queries/prepared statements + 2. Never concatenate user input into SQL strings + 3. Use ORM frameworks when possible + + ### TODOs + 1. Complete or document security-related TODOs + 2. Create issues for tracking + 3. Remove completed TODOs + +
+ EOF + fi + + # Always add footer + cat >> final_comment.md << EOF + + 🤖 Powered by [AI Slop Gate](https://github.com/SergUdo/ai-slop-gate) | Run: \`${{ github.run_id }}\` + EOF + + # Post comment + gh pr comment ${{ github.event.pull_request.number }} \ + --body-file final_comment.md \ + --repo ${{ github.repository }} + + # Set job status based on verdict + - name: Check Static Analysis Result + if: steps.static_gate.outputs.verdict == 'BLOCKING' + run: | + echo "❌ Static analysis found blocking violations" + exit 1 \ No newline at end of file