From fcd96bf067556cc01def21939f0cee2072ec4eab Mon Sep 17 00:00:00 2001
From: Tejas Kashinath
Date: Wed, 20 May 2026 12:10:06 -0400
Subject: [PATCH] test(security-review): smoke fixture for fork-PR path (delete after verify)
---
 scripts/__sec_review_smoketest_fork.mjs | 35 +++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 scripts/__sec_review_smoketest_fork.mjs
diff --git a/scripts/__sec_review_smoketest_fork.mjs b/scripts/__sec_review_smoketest_fork.mjs
new file mode 100644
index 000000000..72240efd0
--- /dev/null
+++ b/scripts/__sec_review_smoketest_fork.mjs
@@ -0,0 +1,35 @@
+// Deliberately vulnerable file used to smoke-test the Claude Security Review
+// workflow's safe-to-review label path on fork PRs. Two HIGH-severity findings
+// the bundled /security-review skill should flag. Will be deleted after verify.
+import { exec } from 'node:child_process';
+import http from 'node:http';
+
+// FINDING 1 — Hardcoded credential pattern.
+const HARDCODED_AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE';
+const HARDCODED_AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY';
+
+function buildSignedRequest(payload) {
+ return {
+ payload,
+ auth: `AWS4-HMAC-SHA256 Credential=${HARDCODED_AWS_ACCESS_KEY_ID}`,
+ secret: HARDCODED_AWS_SECRET_ACCESS_KEY,
+ };
+}
+
+// FINDING 2 — Command injection via exec() with unvalidated query parameter.
+const server = http.createServer((req, res) => {
+ const url = new URL(req.url, 'http://localhost');
+ const target = url.searchParams.get('host') ?? 'localhost';
+
+ exec(`ping -c 1 ${target}`, (err, stdout, stderr) => {
+ if (err) {
+ res.writeHead(500);
+ res.end(String(err));
+ return;
+ }
+ res.writeHead(200, { 'Content-Type': 'text/plain' });
+ res.end(stdout || stderr);
+ });
+});
+
+export { buildSignedRequest, server };
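Review bot: The header comment fixes the expected result at exactly two HIGH findings, but `res.end(String(err))` and `res.end(stdout || stderr)` echo the raw exec error text and command output straight back to the client, which a scanner may report as a third (error-detail disclosure) finding and leave the smoke test's pass criterion ambiguous; state it in the header, e.g. `// Also expected: lower-severity error-detail disclosure via res.end(String(err)); not part of the pass criterion.` The key values carry the AWS documentation `EXAMPLE` suffix, so they are placeholders rather than live credentials, yet secret-scanning push protection may still block the push and they remain in history after the promised deletion; a line such as `// Values are AWS documentation example keys, not live credentials.` spares a triager that check. Since `server` is exported but never bound with `.listen()`, the exec sink is unreachable unless an importer binds it, which is worth saying in the header so nothing under `scripts/` wires it up before the file is removed.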