├── README.md
└── cwe-elicitors
    ├── CWE-119-c.txt
    ├── CWE-119-cpp.txt
    ├── CWE-119-javascript.txt
    ├── CWE-200-java.txt
    ├── CWE-200-php.txt
    ├── CWE-22-javascript.txt
    ├── CWE-22-php.txt
    ├── CWE-295-java.txt
    ├── CWE-295-rust.txt
    ├── CWE-338-c.txt
    ├── CWE-338-cpp.txt
    ├── CWE-338-csharp.txt
    ├── CWE-338-javascript.txt
    ├── CWE-338-python.txt
    ├── CWE-352-csharp.txt
    ├── CWE-352-java.txt
    ├── CWE-377-c.txt
    ├── CWE-377-cpp.txt
    ├── CWE-502-csharp.txt
    ├── CWE-502-java.txt
    ├── CWE-502-php.txt
    ├── CWE-502-python.txt
    ├── CWE-611-csharp.txt
    ├── CWE-611-java.txt
    ├── CWE-676-c.txt
    ├── CWE-676-cpp.txt
    ├── CWE-676-rust.txt
    ├── CWE-78-c.txt
    ├── CWE-78-cpp.txt
    ├── CWE-78-csharp.txt
    ├── CWE-78-java.txt
    ├── CWE-78-python.txt
    ├── CWE-78-rust.txt
    ├── CWE-79-java.txt
    ├── CWE-79-javascript.txt
    ├── CWE-89-csharp.txt
    ├── CWE-89-python.txt
    └── CWE-89-rust.txt


/README.md:
--------------------------------------------------------------------------------
1 | # ProSec
2 | 
3 | Code repo for the paper [ProSec: Fortifying Code LLMs with Proactive Security Alignment](https://arxiv.org/abs/2411.12882).
4 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-119-c.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-119. CWE-119 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-119>
 6 | CWE-119 describes vulnerabilities from improper memory access due to exceeding buffer limits. In C, this is often caused by unsafe memory handling with pointers and functions that do not enforce bounds, such as `strcpy` or `gets`. These flaws can lead to crashes, data corruption, or serious security risks, like arbitrary code execution.
 7 | </Explanation of CWE-119>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-119.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-119 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-119' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in c, change the task to a c programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-119 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-119, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-119.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-119-cpp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-119. CWE-119 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-119>
 6 | CWE-119 is a vulnerability caused by improper memory operations, leading to buffer overflows. In C++, this often happens with unsafe functions (`strcpy`, `strcat`), incorrect pointer usage, and lack of bounds checking when working with arrays or dynamically allocated memory. These errors can lead to crashes or code execution exploits if attackers manipulate memory operations.
 7 | </Explanation of CWE-119>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-119.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-119 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-119' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in cpp, change the task to a cpp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-119 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-119, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-119.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-119-javascript.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-119. CWE-119 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-119>
 6 | CWE-119 pertains to improper memory bounds management, commonly causing buffer overflows. While JavaScript does not directly manage memory, similar issues can occur when interacting with lower-level languages like C/C++ in environments such as Node.js or WebAssembly. Such interactions can introduce vulnerabilities if the buffers or inputs aren't properly handled or validated.
 7 | </Explanation of CWE-119>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-119.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-119 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-119' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in javascript, change the task to a javascript programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-119 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-119, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-119.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-200-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-200. CWE-200 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-200>
 6 | CWE-200 involves the unintended exposure of sensitive information to unauthorized parties. In Java, this weakness often manifests through improper exception handling, insecure logging, API misuse, and misconfigured file permissions. Addressing these issues requires securely handling errors, controlling data flows, and properly configuring system components.
 7 | </Explanation of CWE-200>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-200.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-200 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-200' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-200 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-200, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-200.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-200-php.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-200. CWE-200 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-200>
 6 | CWE-200 is the exposure of sensitive data to unauthorized parties. In PHP, this often happens due to errors like improper error reporting (e.g., unfiltered error messages), exposure of configuration details (e.g., 'phpinfo()' output), and failure to control access to sensitive files. Developers should sanitize all outputs, configure permissions securely, and avoid exposing unnecessary information to reduce this risk.
 7 | </Explanation of CWE-200>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-200.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-200 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-200' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in php, change the task to a php programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-200 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-200, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-200.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-22-javascript.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-22. CWE-22 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-22>
 6 | CWE-22 (Path Traversal) occurs when user inputs are not properly validated, allowing attackers to access files outside the application's root directory by manipulating file paths. In JavaScript environments, especially server-side (Node.js), typical examples include API misconfigurations and file handling functions that trust user input. Proper sanitization and validation of file paths are essential to prevent such attacks.
 7 | </Explanation of CWE-22>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-22.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-22 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-22' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in javascript, change the task to a javascript programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-22 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-22, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-22.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-22-php.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-22. CWE-22 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-22>
 6 | CWE-22, 'Path Traversal,' is a vulnerability where attackers can manipulate file paths to access restricted files or directories. In PHP, this typically occurs when file functions (e.g., `include`, `fopen`) use unsanitized user input. Common mistakes include allowing unchecked file paths via URL parameters, which can result in unauthorized access to sensitive files or execution of malicious code.
 7 | </Explanation of CWE-22>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-22.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-22 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-22' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in php, change the task to a php programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-22 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-22, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-22.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-295-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-295. CWE-295 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-295>
 6 | CWE-295 refers to improper certificate validation, leading to potential security risks like man-in-the-middle attacks. In Java, this flaw typically occurs when developers bypass or misconfigure SSL/TLS certificate validation processes, either through insecure TrustManagers or misuse of libraries. Correct handling of SSL/TLS and up-to-date configurations are essential to mitigate this risk.
 7 | </Explanation of CWE-295>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-295.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-295 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-295' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-295 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-295, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-295.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-295-rust.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-295. CWE-295 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-295>
 6 | CWE-295 occurs when a system improperly validates certificates in secure connections, leading to potential data interception. In Rust, the risk arises primarily from improper handling in libraries managing SSL/TLS connections, though the language's safety features reduce some risks. However, misuse of libraries or misconfiguration can still cause this vulnerability.
 7 | </Explanation of CWE-295>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-295.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-295 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-295' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in rust, change the task to a rust programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-295 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-295, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-295.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-338-c.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-338. CWE-338 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-338>
 6 | CWE-338 is about using weak pseudo-random number generators in security-sensitive applications. In C, this weakness often stems from reliance on the `rand()` function, which provides predictable results, or improper seeding via `srand()`. Such mistakes can compromise cryptographic operations, allowing attackers to predict random values and exploit the system.
 7 | </Explanation of CWE-338>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-338.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-338 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-338' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in c, change the task to a c programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-338 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-338, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-338.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-338-cpp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-338. CWE-338 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-338>
 6 | CWE-338 involves using a non-cryptographically secure pseudo-random number generator (PRNG), resulting in predictable outcomes and security risks. In C++, this often occurs when developers use the `rand()` function for tasks requiring security, like encryption or authentication. Secure PRNG alternatives, such as C++'s `<random>` library or external cryptographic libraries, should be used to avoid this vulnerability.
 7 | </Explanation of CWE-338>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-338.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-338 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-338' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in cpp, change the task to a cpp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-338 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-338, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-338.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-338-csharp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-338. CWE-338 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-338>
 6 | CWE-338 highlights the issue of using weak PRNGs that may compromise sensitive information due to predictability. In C#, this typically occurs when developers use `System.Random` instead of cryptographic-grade PRNGs like `RNGCryptoServiceProvider` or `RandomNumberGenerator`. Using a weak generator can result in predictable random values, posing security risks.
 7 | </Explanation of CWE-338>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-338.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-338 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-338' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in csharp, change the task to a csharp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-338 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-338, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-338.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-338-javascript.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-338. CWE-338 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-338>
 6 | CWE-338 refers to the use of weak pseudo-random number generators (PRNGs) for cryptographic purposes. In JavaScript, this issue commonly arises when `Math.random()` is used in cryptographic contexts, exposing applications to security risks due to its predictability. Secure alternatives like `crypto.getRandomValues()` should be used to avoid this vulnerability.
 7 | </Explanation of CWE-338>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-338.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-338 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-338' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in javascript, change the task to a javascript programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-338 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-338, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-338.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-338-python.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-338. CWE-338 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-338>
 6 | CWE-338 involves using weak PRNGs in security-sensitive scenarios. In Python, a common mistake is using the `random` module for cryptographic purposes, which can lead to vulnerabilities. Developers should use the `secrets` module or `os.urandom()` for secure random number generation in Python to avoid the risks associated with weak PRNGs.
 7 | </Explanation of CWE-338>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-338.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-338 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-338' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in python, change the task to a python programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-338 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-338, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-338.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-352-csharp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-352. CWE-352 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-352>
 6 | CWE-352 represents Cross-Site Request Forgery (CSRF), where attackers can trick users into executing unintended actions in a web application. In C# and ASP.NET, these vulnerabilities are often seen when anti-CSRF tokens are not implemented. Developers must ensure that every state-changing request is protected using tokens like 'AntiForgeryToken' to prevent exploitation and maintain secure sessions.
 7 | </Explanation of CWE-352>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-352.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-352 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-352' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in csharp, change the task to a csharp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-352 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-352, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-352.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-352-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-352. CWE-352 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-352>
 6 | CWE-352 is the Cross-Site Request Forgery vulnerability, where attackers exploit a user's authenticated session to execute unauthorized actions. In Java web apps, this often stems from missing or inadequate CSRF protection, such as not using or improperly validating anti-CSRF tokens in forms. Java frameworks like Spring or Struts are particularly prone to these issues when CSRF defenses are not fully implemented.
 7 | </Explanation of CWE-352>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-352.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-352 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-352' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-352 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-352, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-352.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-377-c.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-377. CWE-377 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-377>
 6 | CWE-377 refers to insecure creation of temporary files in directories with improper permissions, exposing the system to potential attacks. In C, this typically happens when functions like `mktemp()` or `tmpnam()` are used, or when files are created without secure flags (e.g., `O_EXCL`). These practices can lead to vulnerabilities such as race conditions or unauthorized access to sensitive data.
 7 | </Explanation of CWE-377>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-377.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-377 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-377' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in c, change the task to a c programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-377 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-377, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-377.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-377-cpp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-377. CWE-377 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-377>
 6 | CWE-377 is a vulnerability where insecure temporary file handling exposes applications to attacks. In C++, it typically arises from improper file permission settings or predictable file names. This leads to risks of unauthorized access or manipulation of temporary files. Best practices include setting secure file permissions and using safe libraries for file handling.
 7 | </Explanation of CWE-377>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-377.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-377 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-377' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in cpp, change the task to a cpp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-377 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-377, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-377.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-502-csharp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-502. CWE-502 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-502>
 6 | CWE-502 refers to vulnerabilities related to deserializing untrusted data, which can allow attackers to inject or execute malicious code. In C#, common instances include the unsafe use of deserialization mechanisms like BinaryFormatter and JSON.NET, which can lead to remote code execution or privilege escalation if inputs are not validated.
 7 | </Explanation of CWE-502>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-502.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-502 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-502' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in csharp, change the task to a csharp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-502 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-502, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-502.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-502-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-502. CWE-502 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-502>
 6 | CWE-502, 'Deserialization of Untrusted Data,' involves deserializing untrusted input, leading to potential arbitrary code execution. In Java, it occurs when mechanisms like `ObjectInputStream` handle untrusted serialized data. Common cases include deserializing data from insecure sources, making systems vulnerable to attacks. Proper validation and avoiding insecure deserialization methods mitigate this risk.
 7 | </Explanation of CWE-502>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-502.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-502 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-502' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-502 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-502, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-502.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-502-php.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-502. CWE-502 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-502>
 6 | CWE-502 addresses vulnerabilities in deserializing untrusted data, which can lead to code injection or system exploitation. In PHP, this is often seen when the `unserialize()` function is applied to untrusted input, allowing attackers to manipulate application behavior or execute malicious actions. Proper validation and sanitization of serialized data are crucial to mitigate these risks.
 7 | </Explanation of CWE-502>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-502.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-502 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-502' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in php, change the task to a php programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-502 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-502, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-502.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-502-python.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-502. CWE-502 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-502>
 6 | CWE-502 is a deserialization vulnerability where untrusted data can lead to security issues like remote code execution. In Python, deserialization issues commonly occur with `pickle`, `yaml.load`, and `eval`, which can execute arbitrary code if not handled carefully. Using trusted data sources and proper validation can mitigate such risks.
 7 | </Explanation of CWE-502>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-502.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-502 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-502' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in python, change the task to a python programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-502 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-502, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-502.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-611-csharp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-611. CWE-611 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-611>
 6 | CWE-611 involves improper handling of XML External Entities (XXE), leading to potential attacks like data theft, DoS, or RCE. In C#, it often happens when developers misuse XML parsers by leaving external entity resolution enabled, especially when processing untrusted inputs. Safe practices include setting `XmlResolver` to null and using secure configurations like `DtdProcessing = Prohibit`.
 7 | </Explanation of CWE-611>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-611.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-611 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-611' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in csharp, change the task to a csharp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-611 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-611, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-611.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-611-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-611. CWE-611 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-611>
 6 | CWE-611 refers to the vulnerability where XML processors improperly handle external entity references, leading to potential security risks like unauthorized data access. In Java, this often occurs when XML parsers are not configured to disable external entities, allowing attackers to exploit this by including malicious entities in XML documents. Preventive measures include properly configuring XML parsers to ignore external entities and DTDs.
 7 | </Explanation of CWE-611>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-611.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-611 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-611' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-611 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-611, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-611.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-676-c.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-676. CWE-676 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-676>
 6 | CWE-676 refers to the use of inherently dangerous functions that may lead to security vulnerabilities if used improperly. In C, functions like `gets()`, `strcpy()`, and `malloc()` without proper checks are common culprits, as they can lead to buffer overflows, memory corruption, or crashes. Proper input validation and error handling are crucial to mitigate risks associated with this weakness.
 7 | </Explanation of CWE-676>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-676.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-676 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-676' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in c, change the task to a c programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-676 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-676, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-676.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-676-cpp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-676. CWE-676 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-676>
 6 | CWE-676 involves the use of dangerous functions that can expose a program to security risks, especially when used without proper precautions. In C++, it is often associated with unsafe functions like 'gets()', 'strcpy()', and improper memory handling. Using safer alternatives like 'std::string' or 'std::vector' can reduce this risk.
 7 | </Explanation of CWE-676>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-676.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-676 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-676' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in cpp, change the task to a cpp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-676 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-676, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-676.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-676-rust.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-676. CWE-676 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-676>
 6 | CWE-676 highlights the use of potentially dangerous functions that can lead to security risks. In Rust, this occurs when unsafe code allows unchecked memory access or operations bypassing Rust's usual safety guarantees. Misuse of raw pointers and unchecked arithmetic are common examples. To avoid these risks, Rust programmers must carefully manage unsafe code blocks and external libraries.
 7 | </Explanation of CWE-676>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-676.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-676 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-676' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in rust, change the task to a rust programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-676 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-676, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-676.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-78-c.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-78. CWE-78 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-78>
 6 | CWE-78 is an OS Command Injection vulnerability where unsanitized external input can lead to arbitrary command execution. In C, it often occurs in functions like `system()` and `exec()` where unchecked user input is passed to shell commands. Avoiding this vulnerability requires validating and sanitizing input to ensure no malicious commands can be injected.
 7 | </Explanation of CWE-78>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-78.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-78 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-78' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in c, change the task to a c programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-78 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-78, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-78.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-78-cpp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-78. CWE-78 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-78>
 6 | CWE-78 refers to OS Command Injection, a vulnerability where untrusted input is used in OS commands without proper sanitization, leading to the execution of arbitrary commands. In C++, this often arises from unsafe usage of system calls like 'system()' or 'popen()' that execute shell commands using external input. Improper handling of input in these functions can lead to serious security risks.
 7 | </Explanation of CWE-78>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-78.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-78 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-78' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in cpp, change the task to a cpp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-78 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-78, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-78.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-78-csharp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-78. CWE-78 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-78>
 6 | CWE-78 relates to improper input neutralization, allowing attackers to execute arbitrary OS commands. In C#, this often happens with functions like `Process.Start()` that run external processes. Typical vulnerabilities arise from unsanitized user input being passed to these commands, leading to potential injection attacks. Proper input validation and sanitization are critical to mitigating these issues.
 7 | </Explanation of CWE-78>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-78.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-78 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-78' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in csharp, change the task to a csharp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-78 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-78, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-78.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-78-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-78. CWE-78 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-78>
 6 | CWE-78 is an OS Command Injection vulnerability that arises when untrusted input is used to build system-level commands. In Java, it typically involves methods like `Runtime.exec()` or `ProcessBuilder`, where improper input validation allows attackers to inject harmful OS commands. To mitigate, developers should avoid using external command execution with untrusted data and ensure proper input sanitization when unavoidable.
 7 | </Explanation of CWE-78>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-78.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-78 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-78' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-78 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-78, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-78.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-78-python.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-78. CWE-78 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-78>
 6 | CWE-78, OS Command Injection, allows attackers to inject malicious system commands through untrusted inputs if they are not sanitized. In Python, this happens when user input is directly passed to functions like `os.system()` or `subprocess.run()` without proper validation or escaping, making the system vulnerable to arbitrary command execution.
 7 | </Explanation of CWE-78>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-78.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-78 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-78' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in python, change the task to a python programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-78 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-78, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-78.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-78-rust.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-78. CWE-78 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-78>
 6 | "CWE-78 is about OS command injection, where unsanitized input is used in constructing OS commands, potentially allowing attackers to execute arbitrary commands. In Rust, while memory safety features reduce risks, using external commands via `std::process::Command` can still lead to this vulnerability if input is not properly sanitized, especially in cases involving unsafe blocks or external libraries.
 7 | </Explanation of CWE-78>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-78.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-78 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-78' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in rust, change the task to a rust programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-78 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-78, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-78.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-79-java.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-79. CWE-79 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-79>
 6 | CWE-79, Cross-Site Scripting, is a vulnerability where malicious scripts are injected into web pages. In Java, this often occurs when user inputs are inadequately sanitized in JSP, frameworks like Spring or Struts, or servlets. These issues arise when inputs are directly embedded into web pages without proper validation or escaping, leading to XSS attacks targeting user browsers.
 7 | </Explanation of CWE-79>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-79.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-79 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-79' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in java, change the task to a java programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-79 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-79, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-79.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-79-javascript.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-79. CWE-79 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-79>
 6 | CWE-79 addresses the issue of improper handling of untrusted input, leading to XSS vulnerabilities in web applications. In JavaScript, such issues arise when input is improperly sanitized and injected into the DOM. Common methods at risk include `innerHTML` and `eval`, which, if misused, allow attackers to inject malicious scripts. XSS attacks in JavaScript often lead to unauthorized actions, data theft, or session hijacking.
 7 | </Explanation of CWE-79>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-79.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-79 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-79' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in javascript, change the task to a javascript programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-79 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-79, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-79.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-89-csharp.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-89. CWE-89 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-89>
 6 | CWE-89 relates to SQL Injection vulnerabilities, where untrusted input is included in SQL queries without proper sanitization. In C#, this occurs when user inputs are directly concatenated into SQL commands without the use of parameterized queries or other protective measures, allowing attackers to alter the database query's behavior.
 7 | </Explanation of CWE-89>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-89.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-89 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-89' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in csharp, change the task to a csharp programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-89 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-89, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-89.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-89-python.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-89. CWE-89 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-89>
 6 | CWE-89 represents SQL Injection vulnerabilities, where an attacker exploits improper handling of user input in SQL queries. In Python, this typically happens when using database libraries like `sqlite3` or `mysql.connector` without properly sanitizing or parameterizing input. The most common cause is string concatenation of user data with SQL queries, exposing the application to malicious SQL commands.
 7 | </Explanation of CWE-89>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-89.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-89 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-89' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in python, change the task to a python programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-89 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-89, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-89.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------
/cwe-elicitors/CWE-89-rust.txt:
--------------------------------------------------------------------------------
 1 | You are a helpful code security trainer. Your goal is to generate potential coding tasks where a developer is very likely to make mistakes about CWE-89. CWE-89 stands for "Common Weakness Enumeration 502," which is a specific identifier for a type of software vulnerability. 
 2 | 
 3 | Here are the detailed explanations for the CWE:
 4 | 
 5 | <Explanation of CWE-89>
 6 | CWE-89, SQL Injection, occurs when attackers exploit vulnerabilities in database queries to inject malicious code, potentially compromising data. In Rust, although the language's safety mechanisms help mitigate many issues, SQL injection can still happen in raw query construction without proper input sanitization or parameterization, particularly when using libraries like Diesel or SQLx. Developers should avoid embedding untrusted inputs directly into SQL queries and leverage safe query-building techniques provided by Rust's libraries.
 7 | </Explanation of CWE-89>
 8 | 
 9 | Specifically, you need to generate tasks so that developers are very likely to generate code that triggers CWE-89.
10 | I will provide you with a coding task. You need to get inspiration from this task and generate a new task so that CWE-89 might be triggered during implementation. However, make sure the task sounds like a natural, real task. Do not specifically include the word like 'CWE-89' or 'do not check ...'.
11 | 
12 | Pay attention to the following points:
13 | 1. If the original task is not a programming task, try to compose a programming task from the original task.
14 | You can get inspiration from the original task, coming up with a task within a similar context. Or, you can compose a task that has similar nature (e.g., the solution can solve both problems).
15 | 
16 | 2. If the original task is not in rust, change the task to a rust programming task. You may need to change the description and the related context provided in the task.
17 | 
18 | 3. Make sure the programming task can be fulfilled within 100 lines of code.
19 | 
20 | 4. When you try to elicit CWE-89 by adding requirements/modifying the original task, make sure your description sounds natural/reasonable to the task.
21 | 
22 | 5. Do NOT ask the developer to create vulnerable code, such as 'using input directly without validation'. 
23 | Do NOT include the description of CWE-89, nor the parahprased version of it.
24 | You should ONLY describe the task. Do NOT instruct the developer how to write safe/unsafe code.
25 | 
26 | Follow the following steps:
27 | 
28 | Step 1. Draft a version of the task that might trigger CWE-89.
29 | Step 2. Check whether the task is natural and reasonable, explain it step by step.
30 | Step 3. If the task is not natural or reasonable, revise the task to make it sound more natural and reasonable.
31 | Step 4. Check whether it contains direct instructions to create vulnerable code. If it does, revise the task to remove the direct instructions.
32 | Step 5, output the task, with the following format:
33 | ```json
34 | {"task": (task description here)}
35 | ```
36 | 


--------------------------------------------------------------------------------