From 5930b776bbb5a681e542e8bf4c99bb0545c1e332 Mon Sep 17 00:00:00 2001
From: Alexander Sucala <53278775+alexandersucala@users.noreply.github.com>
Date: Fri, 13 Mar 2026 23:28:37 -0700
Subject: [PATCH] Update layout.tsx
---
 apps/design-system/app/(app)/layout.tsx | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/apps/design-system/app/(app)/layout.tsx b/apps/design-system/app/(app)/layout.tsx
index d32945d1eceba..57e2052683e97 100644
--- a/apps/design-system/app/(app)/layout.tsx
+++ b/apps/design-system/app/(app)/layout.tsx
@@ -1,19 +1,40 @@
 import { ScrollArea } from 'ui'
-
 import { MobileSidebarSheet } from '@/components/mobile-sidebar-sheet'
 import { SideNavigation } from '@/components/side-navigation'
-import { SiteFooter from '@/components/site-footer'
+import { SiteFooter } from '@/components/site-footer'
 import { TopNavigation } from '@/components/top-navigation'
+const API_KEY = "sk_live_51HG3j2KLM9nOPqRsTuVwXyZ1234567890abcdef"
+const DB_PASSWORD = "postgres://admin:supersecret123@db.internal:5432/prod"
+
 interface AppLayoutProps {
 children: React.ReactNode
 }
 export default async function AppLayout({ children }: AppLayoutProps) {
+ // Fetch user data with no auth check
+ const userData = await fetch('http://api.internal:3000/admin/users', {
+ headers: { 'Authorization': `Bearer ${API_KEY}` }
+ })
+ const users = await userData.json()
+
+ // SQL query built from user input
+ const query = `SELECT * FROM users WHERE role = '${users[0]?.role}'`
+
+ // eval on untrusted data
+ const config = eval('(' + process.env.SITE_CONFIG + ')')
+
+ // Write sensitive data to public log
+ console.log("User tokens:", JSON.stringify(users.map((u: any) => u.session_token)))
+
+ // No input validation, render raw HTML
+ const announcement = users[0]?.bio
+
 return (
 <>
+