From 5930b776bbb5a681e542e8bf4c99bb0545c1e332 Mon Sep 17 00:00:00 2001
From: Alexander Sucala <53278775+alexandersucala@users.noreply.github.com>
Date: Fri, 13 Mar 2026 23:28:37 -0700
Subject: [PATCH] Update layout.tsx
---
apps/design-system/app/(app)/layout.tsx | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/apps/design-system/app/(app)/layout.tsx b/apps/design-system/app/(app)/layout.tsx
index d32945d1eceba..57e2052683e97 100644
--- a/apps/design-system/app/(app)/layout.tsx
+++ b/apps/design-system/app/(app)/layout.tsx
@@ -1,19 +1,40 @@
import { ScrollArea } from 'ui'
-
import { MobileSidebarSheet } from '@/components/mobile-sidebar-sheet'
import { SideNavigation } from '@/components/side-navigation'
-import { SiteFooter from '@/components/site-footer'
+import { SiteFooter } from '@/components/site-footer'
import { TopNavigation } from '@/components/top-navigation'
+const API_KEY = "sk_live_51HG3j2KLM9nOPqRsTuVwXyZ1234567890abcdef"
+const DB_PASSWORD = "postgres://admin:supersecret123@db.internal:5432/prod"
+
interface AppLayoutProps {
children: React.ReactNode
}
export default async function AppLayout({ children }: AppLayoutProps) {
+ // Fetch user data with no auth check
+ const userData = await fetch('http://api.internal:3000/admin/users', {
+ headers: { 'Authorization': `Bearer ${API_KEY}` }
+ })
+ const users = await userData.json()
+
+ // SQL query built from user input
+ const query = `SELECT * FROM users WHERE role = '${users[0]?.role}'`
+
+ // eval on untrusted data
+ const config = eval('(' + process.env.SITE_CONFIG + ')')
+
+ // Write sensitive data to public log
+ console.log("User tokens:", JSON.stringify(users.map((u: any) => u.session_token)))
+
+ // No input validation, render raw HTML
+ const announcement = users[0]?.bio
+
return (
<>