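// gin-exec benchmark case
//
// Demonstrates a command injection sink reachable via a Gin HTTP handler.
// The sink in handleRun is intentional: this file exists so that a static
// analysis tool can be scored on whether it reports the taint flow from
// c.Query("cmd") into exec.Command. Do not "fix" the sink without also
// updating the benchmark's expected findings.
package main

import (
	"log"
	"net/http"
	"os/exec"

	"github.com/gin-gonic/gin"
)

// main wires the two routes and serves on :8080. Run's error is now fatal
// rather than silently dropped, so a port already in use is reported instead
// of the process exiting 0 with nothing listening.
func main() {
	r := gin.Default()
	r.GET("/run", handleRun)
	r.GET("/health", handleHealth)
	if err := r.Run(":8080"); err != nil {
		log.Fatalf("serving on :8080: %v", err)
	}
}

// handleRun - VULNERABLE: command injection sink.
//
// Source: the untrusted query parameter "cmd".
// Sink:   os/exec.Command("sh", "-c", cmd) — the value is handed to a shell
//         verbatim, so it is interpreted as shell syntax, not as data.
// Expected finding: taint flow c.Query -> exec.Command (CWE-78).
//
// Secondary issues a reviewer would also raise, left in place so the
// benchmark stays faithful: the command runs with no context or timeout, so
// a long-running command ties up the handler; and err.Error() from the child
// process is returned to the client verbatim.
//
// The remediation outside a benchmark is not to sanitize cmd but to remove
// the shell: map the request onto a fixed allow-list of actions and invoke
// the binary with an explicit argv (no "sh -c"), preferably via
// exec.CommandContext bound to the request context.
func handleRun(c *gin.Context) {
	cmd := c.Query("cmd")
	if cmd == "" {
		c.JSON(http.StatusBadRequest, gin.H{"error": "missing cmd parameter"})
		return
	}
	// SINK: os/exec.Command with user-controlled input
	output, err := exec.Command("sh", "-c", cmd).Output()
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
		return
	}
	c.JSON(http.StatusOK, gin.H{"output": string(output)})
}

// handleHealth - safe endpoint, no sinks.
// Returns a fixed JSON body and reads nothing from the request.
func handleHealth(c *gin.Context) {
	c.JSON(http.StatusOK, gin.H{"status": "ok"})
}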