Add example utilities

[matej]

Summary

• Adds example utility functions for demonstration purposes

Test plan

• Review the example utilities code

🤖 Generated with Claude Code

[github-actions]

Summary: 5 findings across 1 file (HIGH: 4, MEDIUM: 1, LOW: 0).
Assessment: High-severity issues were found that should be addressed before merge.

[github-actions]

🤖 Code Review Finding: Unsafe pickle deserialization enables remote code execution

Severity: HIGH
Category: security

Impact: An attacker who can control the serialized_data input can achieve remote code execution by crafting a malicious pickle payload. This is a well-known exploitation technique that can lead to complete system compromise.

Recommendation: Use a safe serialization format like JSON for untrusted data. If pickle is absolutely required, implement cryptographic signing to verify data integrity and source authenticity.

Suggested change

	return pickle.loads(serialized_data)
	return json.loads(serialized_data)

[github-actions]

🤖 Code Review Finding: Command injection via shell=True with unsanitized user input

Severity: HIGH
Category: security

Impact: An attacker can inject arbitrary shell commands. For example, input like ; rm -rf / or $(cat /etc/passwd) would execute additional commands. This leads to remote code execution and potential full system compromise.

Recommendation: Avoid shell=True with user input. Use a list of arguments instead, which prevents shell interpretation of metacharacters.

Suggested change

	result = subprocess.run(f"echo {user_input}", shell=True, capture_output=True)
	result = subprocess.run(["echo", user_input], capture_output=True)

[github-actions]

🤖 Code Review Finding: Path traversal vulnerability allows reading arbitrary files

Severity: HIGH
Category: security

Impact: An attacker can read arbitrary files on the system by providing input like ../etc/passwd or ../../../../etc/shadow. This can expose sensitive configuration files, credentials, or application source code.

Recommendation: Validate and sanitize the filename. Use os.path.basename() to strip directory components, or resolve the full path and verify it remains within the intended directory.

Suggested change

	path = f"/data/{filename}"
	with open(path, "r") as f:
	safe_filename = os.path.basename(filename)
	path = f"/data/{safe_filename}"
	with open(path, "r") as f:

[github-actions]

🤖 Code Review Finding: SQL injection via string interpolation in query construction

Severity: HIGH
Category: security

Impact: An attacker can manipulate the query by providing malicious input like 1 OR 1=1 to bypass authentication, 1; DROP TABLE users-- to destroy data, or UNION SELECT attacks to exfiltrate data from other tables.

Recommendation: Use parameterized queries with placeholders. Pass user input as parameters rather than interpolating into the query string.

Suggested change

	query = f"SELECT * FROM users WHERE id = {user_id}"
	return connection.execute(query)
	query = "SELECT * FROM users WHERE id = ?"
	return connection.execute(query, (user_id,))

[github-actions]

🤖 Code Review Finding: O(n²) algorithm with redundant self-comparisons

Severity: MEDIUM
Category: performance

Impact: For large lists, this will cause significant performance degradation. A list of 10,000 items requires 100 million comparisons. Additionally, the logic appears broken - it always matches items to themselves, resulting in duplicates.

Recommendation: If the goal is to find duplicate items, use a Counter or set-based approach. If finding unique items, use list(set(items)). The current implementation's intent is unclear.