from flask import Flask, request, jsonify
import pymysql

app = Flask(__name__)

# Class CustomKey simulates the backend casting of JSON keys into Objects
class CustomKey:
    def __init__(self, key_str):
        self.key_str = key_str
        
    def __str__(self):
        # VULNERABILITY HERE: returns the raw string; PyMySQL 1.1.0 will not escape it
        return self.key_str
    def __repr__(self):
        return self.key_str

def get_db():
    return pymysql.connect(
        host='db',
        user='root',
        password='rootpassword',
        database='iot_logs',
        cursorclass=pymysql.cursors.DictCursor
    )

@app.route('/search', methods=['POST'])
def search_log():
    try:
        data = request.json
        
        # Convert JSON input and cast all keys into CustomKey objects
        # This models common serialize/deserialize patterns in complex apps
        query_params = {}
        if isinstance(data, dict):
            for k, v in data.items():
                query_params[CustomKey(k)] = v
        
        conn = get_db()
        with conn.cursor() as cur:
            # Buggy query: query_params is a dict containing object keys
            sql = "SELECT * FROM logs WHERE device_signature = %s"
            cur.execute(sql, (query_params,))
            result = cur.fetchall()
            
        return jsonify({"status": "success", "data": result})
    except Exception as e:
        return jsonify({"status": "error", "message": str(e)})

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=9669)