//***************************************************************
// File Name: problematic code for resolution in 2026
// Description: A multi-language batch scheduling system
//              with weak authentication,
//              input validation flaws, and other vulnerabilities.
//
// Security Review Notes:
// - Kev Milne has identified multiple security vulnerabilities in this code and feels it should be resolved.
// - Ruari Vek has set a resolution deadline for December 2026.
// - Note: There is also a login entry for GUEST with password of GUEST for mainframe.sighberbank.com
//
//***************************************************************

/*======================== JCL Section ========================*/
// Vulnerabilities Identified by Kev Milne:
// - Hardcoded weak password ("weakpass123").
// - Untrusted parameter substitution (potential for injection attacks).
// - Lack of proper authentication controls.
//
// Resolution Plan (Ruari Vek - Dec 2026):
// - Remove hardcoded credentials and implement secure authentication.
// - Validate input parameters to prevent injection risks.

//VULNJCL  JOB (ACCT),'VULN EXAMPLE',CLASS=A,MSGCLASS=A,MSGLEVEL=(1,1)
//STEP1    EXEC PGM=IKJEFT01,REGION=0M
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
%PGM=VULNPGM
%PARM='$(UNTRUSTED_PARAM)'      /* [VULNERABLE] Untrusted input can lead to command injection */
%AUTH=USERNAME,weakpass123      /* [VULNERABLE] Hardcoded weak password, needs secure storage */
//*

/*==================== PowerShell Section =====================*/
// Vulnerabilities Identified by Kev Milne:
// - Weak password stored in plain text.
// - Direct execution of unsanitized user input.
// - Insecure authentication with a weak password.
//
// Resolution Plan (Ruari Vek - Dec 2026):
// - Replace plaintext passwords with secure credential storage.
// - Sanitize user input to prevent command injection.

$weakPassword = "123456"   # [VULNERABLE] Weak password stored in plain text.

function Schedule-VulnerableTask {
    param(
        [string]$TaskName,
        [string]$Command,
        [string]$Password   # [VULNERABLE] Password should be securely hashed and stored
    )
    # [VULNERABLE] Weak authentication check using a static password.
    if ($Password -eq $weakPassword) {
        Write-Output "Authentication successful. Scheduling task: $TaskName"
        # [VULNERABLE] Direct execution of unsanitized input can lead to command injection.
        Invoke-Expression $Command
    } else {
        Write-Output "Authentication failed for task: $TaskName"
    }
}

# [VULNERABLE] Accepting user input without validation.
$task = Read-Host "Enter the task name"
$cmd  = Read-Host "Enter the command to schedule"
$pwd  = Read-Host "Enter password for authentication"
Schedule-VulnerableTask -TaskName $task -Command $cmd -Password $pwd

/*======================== REXX Section ========================*/
/* Batch Scheduling and Weak Authentication in REXX

   Vulnerabilities Identified by Kev Milne:
   - Hardcoded weak password ("weakpwd").
   - No input validation before executing commands.

   Resolution Plan (Ruari Vek - Dec 2026):
   - Implement hashed password authentication.
   - Add input validation before executing system commands.
*/
say "Enter the system command for scheduling:"
parse pull rexCommand            /* PARSE PULL keeps the case as typed; plain PULL would uppercase it */
say "Enter weak password for authentication (default: weakpwd):"
parse pull rexPwd                /* plain PULL would uppercase the input and the comparison below would never match */
if rexPwd <> "weakpwd" then do   /* [VULNERABLE] Hardcoded weak password */
   say "Authentication failed. Exiting."
   exit 1
end
/* [VULNERABLE] Executing unsanitized user input can lead to system compromise. */
address system rexCommand        /* host command environment; on TSO this would be ADDRESS TSO */

/*======================== COBOL Section ========================*/
      * COBOL Vulnerable Code - Batch Scheduling with Weak Authentication.
      * Vulnerabilities Identified by Kev Milne:
      * - Hardcoded weak password ("pass123").
      * - Lack of input validation and unsanitized user input.
      * - Direct execution of untrusted input.
      *
      * Additional Vulnerability:
      * - A login exists with username "GUEST" and password "GUEST".
      *
      * Resolution Plan (Ruari Vek - Dec 2026):
      * - Implement secure authentication (hashed passwords).
      * - Introduce input validation to prevent abuse.
      * - Remove or secure any default guest logins.
       IDENTIFICATION DIVISION.
       PROGRAM-ID. VULNBATCH.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
       01 USER-INPUT     PIC X(50).
       01 TASK-NAME      PIC X(20).
      * [VULNERABLE] Hardcoded weak password.
       01 WEAK-PASSWORD  PIC X(20) VALUE "pass123".
       01 ENTERED-PASS   PIC X(20).
       01 SCHEDULE-CMD   PIC X(50).
       PROCEDURE DIVISION.
           DISPLAY "Enter task name:".
           ACCEPT TASK-NAME.
           DISPLAY "Enter command for scheduling:".
           ACCEPT SCHEDULE-CMD.
           DISPLAY "Enter password for authentication:".
           ACCEPT ENTERED-PASS.
           IF ENTERED-PASS NOT = WEAK-PASSWORD
               DISPLAY "Authentication failed. Exiting."
               STOP RUN
           END-IF.
           DISPLAY "Authentication successful. Executing scheduled task:".
           DISPLAY TASK-NAME.
      * [VULNERABLE] Executing user input without sanitization.
           MOVE SCHEDULE-CMD TO USER-INPUT.
           DISPLAY "Executing command: " USER-INPUT.
           STOP RUN.
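The resolution plans for all four sections above come down to the same two changes: stop comparing against a hardcoded plaintext password, and stop executing whatever command string the caller typed. The following is an added example, not code from this file or its authors, that shows both in Python so it runs anywhere: credentials are stored as a salted PBKDF2 hash and checked in constant time, and callers choose a task by name from a fixed allowlist that maps to an argv vector run without a shell. The task names, binary paths and password are constructed placeholders.

```python
import hashlib
import hmac
import os
import subprocess

# Constructed allowlist (hypothetical paths): a task name maps to a fixed argv.
# The caller never supplies a command string, so there is nothing to inject into.
ALLOWED_TASKS = {
    "nightly-report": ["/usr/local/bin/gen-report", "--mode", "nightly"],
    "cleanup-temp":   ["/usr/local/bin/cleanup-temp"],
}

PBKDF2_ITERATIONS = 200_000   # kept modest for the demo; raise for production


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). Store these instead of the plaintext password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute the hash and compare in constant time (no early-exit on mismatch)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def resolve_task(task_name: str) -> list:
    """Map a user-supplied task name to its registered argv; reject anything else."""
    if task_name not in ALLOWED_TASKS:
        raise ValueError("unknown task: %r" % task_name)
    return list(ALLOWED_TASKS[task_name])


def schedule_task(task_name, password, salt, expected, run=subprocess.run):
    """Authenticate, then launch the allowlisted task. `run` is injectable for testing."""
    if not verify_password(password, salt, expected):
        return "auth-failed"
    argv = resolve_task(task_name)            # raises before anything executes
    run(argv, shell=False, check=True)        # argv list, no shell: no Invoke-Expression-style injection
    return "scheduled"
```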