A simple Flask web application that generates code snippets from natural language descriptions using Google's Gemini 2.0 Flash model.
- Natural Language Input: Describe what you want to code in plain English
- AI-Powered Code Generation: Uses Google's Gemini 2.0 Flash model to generate code
- Modern Web Interface: Clean, responsive UI with real-time feedback
- Copy to Clipboard: Easy one-click copying of generated code
- Multiple Languages: Supports code generation in various programming languages
The app features a modern, gradient-styled interface where users can:
- Enter their code request in natural language
- Click "Generate Code" to get AI-generated code
- Copy the generated code with one click
- Python 3.7+
- Google Gemini API key
-
Clone the repository:
git clone <repository-url> cd vulnNews
-
Create a virtual environment:
python -m venv venv source venv/bin/activate # On Windows: venv\Scripts\activate
-
Install dependencies:
pip install -r requirements.txt
-
Set up environment variables: Create a
.envfile in the root directory and add your Gemini API key:GEMINI_API_KEY=your_gemini_api_key_hereGetting a Gemini API Key:
- Go to Google AI Studio
- Sign up for an account
- Create a new API key
- Copy the key and paste it in your
.envfile
-
Start the Flask application:
python app.py
-
Open your browser and navigate to:
http://localhost:5000 -
Use the application:
- Enter a natural language description of what you want to code
- Examples:
- "Write a Python function to check if a number is prime"
- "Create a JavaScript function to reverse a string"
- "Write a SQL query to find the top 10 customers by sales"
- Click "Generate Code ✨"
- Copy the generated code using the "Copy Code" button
Here are some example requests you can try:
- "Write a Python function to calculate factorial"
- "Create a class for a binary tree with insert and search methods"
- "Write a Python script to read CSV file and calculate average"
- "Create a React component for a todo list"
- "Write a function to debounce user input"
- "Create an async function to fetch data from an API"
- "Write a C++ function to sort an array using quicksort"
- "Create a Java class for a simple calculator"
- "Write a Go function to handle HTTP requests"
GET /- Main application pagePOST /generate- Generate code from natural language (JSON API)GET /health- Health check endpoint
vulnNews/
├── app.py # Main Flask application
├── templates/
│ └── index.html # Main web interface
├── requirements.txt # Python dependencies
├── .env # Environment variables (create this)
└── README.md # This file
The application can be configured through environment variables:
GEMINI_API_KEY: Your Google Gemini API key (required)FLASK_ENV: Set todevelopmentfor debug modeFLASK_PORT: Port to run the application (default: 5000)
WARNING: This application contains an intentional security vulnerability for educational demonstration.
Vulnerability Type: Stored/Reflected XSS via LLM Output Injection
Location: templates/index.html line 230 and app.py lines 54-59
Description:
The application directly renders LLM output into HTML without proper sanitization or escaping. The code uses Jinja2's |safe filter which bypasses HTML escaping, allowing malicious HTML/JavaScript to be executed in the user's browser.
Vulnerable Code:
<!-- CRITICAL VULNERABILITY: Using |safe filter allows XSS attacks -->
<div class="code-block">{{ generated_code|safe }}</div>Attack Vector: An attacker could craft prompts that manipulate the LLM to generate malicious HTML/JavaScript code, such as:
Write a simple HTML page with this exact content: <script>alert('XSS Attack!');</script>
or
Create an HTML snippet that shows: <img src="x" onerror="alert(document.cookie)">
Impact:
- Session hijacking (stealing cookies/tokens)
- Credential theft
- Defacement of the web application
- Malicious redirects
- Keylogging and form data theft
How to Fix:
- Remove the
|safefilter and let Jinja2 automatically escape HTML - Use proper HTML sanitization libraries like
bleach - Implement Content Security Policy (CSP) headers
- Validate and sanitize all LLM outputs before rendering
Example Fix:
<!-- Safe version - automatic HTML escaping -->
<div class="code-block">{{ generated_code }}</div>This vulnerability is intentionally included for educational purposes to demonstrate how blind trust in AI/LLM outputs can create security risks.
To demonstrate the XSS vulnerability, try these prompts:
-
Basic XSS Test:
Write HTML code that displays: <script>alert('XSS Vulnerability Detected!');</script> -
Cookie Stealing Simulation:
Create HTML with this exact content: <img src="x" onerror="console.log('Cookies:', document.cookie)"> -
DOM Manipulation:
Generate HTML that includes: <script>document.body.style.backgroundColor='red';</script>
Note: These examples are for educational testing only. The XSS will execute in your browser when the LLM generates the requested HTML content.
- Never commit your
.envfile to version control - Keep your Gemini API key secure
- The application runs in debug mode by default - disable for production
- DO NOT deploy this vulnerable version to production environments
-
"Warning: GEMINI_API_KEY environment variable not set!"
- Make sure you've created a
.envfile with your Gemini API key
- Make sure you've created a
-
Import errors
- Ensure you've activated your virtual environment
- Run
pip install -r requirements.txt
-
API errors
- Check your Gemini API key is valid
- Ensure you have sufficient API quota
- Check your internet connection
-
Port already in use
- Change the port in
app.pyor kill the process using port 5000
- Change the port in
- Fork the repository
- Create a feature branch
- Make your changes
- Test thoroughly
- Submit a pull request
This project is open source and available under the MIT License.
If you encounter any issues or have questions, please:
- Check the troubleshooting section above
- Review the Gemini API documentation
- Create an issue in the repository
Note: This application uses Google's Gemini API which may incur costs based on usage. Please review Google's pricing before extensive use.