From a89346f9c01b6eebf2012b6c55ddf8bf2aecdd91 Mon Sep 17 00:00:00 2001
From: waterShangShu <462285866@qq.com>
Date: Sun, 22 Mar 2026 14:37:07 +0800
Subject: [PATCH] add new feature

---
 test.py | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 test.py

diff --git a/test.py b/test.py
new file mode 100644
index 0000000..2492b74
--- /dev/null
+++ b/test.py
@@ -0,0 +1,37 @@
+import sqlite3
+from flask import Flask, request
+import os
+
+app = Flask(__name__)
+
+@app.route("/user_profile")
+def get_user():
+    # 1. SQL 注入 (直接拼接字符串)
+    user_id = request.args.get("id")
+    query = "SELECT * FROM users WHERE id = " + user_id
+
+    # 2. 资源泄露 (未关闭连接) & 缺乏错误处理
+    conn = sqlite3.connect("database.db")
+    cursor = conn.cursor()
+    cursor.execute(query)
+    user = cursor.fetchone()
+
+    # 3. 冗余逻辑与效率
+    results = []
+    for i in range(len(user)):
+        results.append(user[i])
+
+    return str(results)
+
+@app.route("/read_file")
+def read_data():
+    # 4. 路径遍历 (Path Traversal)
+    filename = request.args.get("file")
+    filepath = os.path.join("uploads", filename)
+
+    with open(filepath, "r") as f:
+        return f.read()
+
+# 5. 配置硬编码与安全风险
+if __name__ == "__main__":
+    app.run(debug=True, host="0.0.0.0")
\ No newline at end of file
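Review bot: Both handlers pass request query parameters straight into a trusted sink — `get_user` builds the SQL text by concatenating `user_id` at `query = "SELECT * FROM users WHERE id = " + user_id`, and `read_data` joins the caller-supplied `file` onto `"uploads"` without confining the result to that directory — and the file's own numbered comments acknowledge these as injection and path-traversal issues without the commit fixing them. `get_user` also never closes `conn`, raises `TypeError` when `id` is absent (`None` concatenation) or when no row matches (`len(None)`), and the `for`/`append` loop is just `list(user)`. `read_data` should resolve the joined path with `os.path.realpath` and reject anything whose `os.path.commonpath` with the resolved `uploads` directory is not that directory. The `app.run(debug=True, host="0.0.0.0")` line enables the Werkzeug debugger while listening on every interface; debug should come from the environment and default to off, e.g. `app.run(debug=os.environ.get("FLASK_DEBUG") == "1", host="127.0.0.1")`.
```python
@app.route("/user_profile")
def get_user():
    user_id = request.args.get("id")
    if user_id is None:
        return "missing id", 400
    # bind the value instead of splicing it into the SQL text; close the connection on every path
    conn = sqlite3.connect("database.db")
    try:
        user = conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    finally:
        conn.close()
    if user is None:
        return "not found", 404
    return str(list(user))

@app.route("/read_file")
def read_data():
    filename = request.args.get("file") or ""
    base = os.path.realpath("uploads")
    filepath = os.path.realpath(os.path.join(base, filename))
    # only serve paths that resolve inside the uploads directory
    if os.path.commonpath([base, filepath]) != base:
        return "not found", 404
    # … unchanged: open(filepath, "r") and return f.read() …
```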