{"id":13422582,"url":"https://github.com/YulinSec/ChatGPTScanner","last_synced_at":"2025-03-15T12:30:45.817Z","repository":{"id":151448520,"uuid":"616603995","full_name":"YulinSec/ChatGPTScanner","owner":"YulinSec","description":"A white box code scan powered by ChatGPT","archived":false,"fork":false,"pushed_at":"2023-04-17T08:10:50.000Z","size":307,"stargazers_count":233,"open_issues_count":0,"forks_count":43,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-27T23:58:43.624Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/YulinSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2023-03-20T18:00:21.000Z","updated_at":"2024-10-12T09:17:13.000Z","dependencies_parsed_at":"2023-05-23T14:45:08.619Z","dependency_job_id":null,"html_url":"https://github.com/YulinSec/ChatGPTScanner","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YulinSec%2FChatGPTScanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YulinSec%2FChatGPTScanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YulinSec%2FChatGPTScanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/YulinSec%2FChatGPTScanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/YulinSec","download_url":"https://codeload.github.com/YulinSec/ChatGPTScanner/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243730976,"owners_count":20338747,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T23:00:48.221Z","updated_at":"2025-03-15T12:30:45.254Z","avatar_url":"https://github.com/YulinSec.png","language":"Go","readme":"# ChatGPTScan\nA white box code scan powered by ChatGPT\n\n\u003e ChatGPTScanner 的网页版本已经开源：https://github.com/YulinSec/ChatGPTScan-SAST\n\n- [ChatGPTScan](#chatgptscan)\n  - [🔮 Preview](#-preview)\n    - [1. common vulnerabilities scan](#1-common-vulnerabilities-scan)\n    - [2. taint sink scan](#2-taint-sink-scan)\n  - [🚀 Install](#-install)\n  - [🔧 Usage](#-usage)\n\nSupports:\n- common vulnerabilities scan\n- taint sink scan\n\n## 🔮 Preview\nContent below in **preiew** are generated by ChatGPTScan with command\n```\npython chatgptscan.py common_scan --project ./benchmark/go-sec-code --language \"['go']\"  --include \"['controllers/cmdi.go','utils']\"   --proxy http://127.0.0.1:7890\n```\nand\n```\npython chatgptscan.py taint_sink_scan --sink \"exec.Command\"  --project ./benchmark/go-sec-code --language \"['go']\"  --include \"['controllers/cmdi.go','utils']\"   --proxy http://127.0.0.1:7890\n```\nScan on [go-sec-code](https://github.com/cokeBeer/go-sec-code)\n### 1. common vulnerabilities scan\n\nFile: utils/securityUtils.go:\n- No vulnerabilities found.\n \nFile: utils/gogs.go:\n- No vulnerabilities found.\n \nFile: controllers/cmdi.go:\n- CommandInjectVuln1Controller.Get():\n  - Vulnerability: High\n  - The `dir` parameter is passed directly into a system command without proper input validation, which allows an attacker to inject malicious code and execute arbitrary commands on the targeted system.\n \n- CommandInjectVuln2Controller.Get():\n  - Vulnerability: High\n  - The `host` parameter is passed directly into a system command without proper input validation, which allows an attacker to inject malicious code and execute arbitrary commands on the targeted system.\n \n- CommandInjectVuln3Controller.Get():\n  - Vulnerability: High\n  - The `repoUrl` parameter is passed directly into a system command without proper input validation, which allows an attacker to inject malicious code and execute arbitrary commands on the targeted system using the `${touch /tmp/pwnned}` command injection payload.\n \n- CommandInjectSafe1Controller.Get():\n  - Vulnerability: Medium\n  - The `dir` parameter is only checked against a whitelist but not properly sanitized, which can still allow an attacker to perform command injection if they are able to bypass or workaround the filter.\n\n### 2. taint sink scan\n\nYes, there are function call chains in the code where remote input in request can become input or parameter of `exec.Command`. Here is the function call chain where a remote `dir` value in the request can become input or parameter of `exec.Command` in the `CommandInjectVuln1Controller` controller:\n\n```\nc.GetString(\"dir\")\nfmt.Sprintf(\"ls %s\", dir)\nexec.Command(\"bash\", \"-c\", input)\ncmd.CombinedOutput()\n```\n\nHere is the function call chain where a remote `host` value in the request can become input or parameter of `exec.Command` in the `CommandInjectVuln2Controller` controller:\n\n```\nc.Ctx.Request.Host\nfmt.Sprintf(\"curl %s\", host)\nexec.Command(\"bash\", \"-c\", input)\ncmd.CombinedOutput()\n```\n\nAnd here is the function call chain where a remote `repoUrl` value in the request can become input or parameter of `exec.Command` in the `CommandInjectVuln3Controller` controller:\n\n```\nc.GetString(\"repoUrl\", \"--upload-pack=${touch /tmp/pwnned}\")\nexec.Command(\"git\", \"ls-remote\", repoUrl, \"refs/heads/main\")\ncmd.CombinedOutput()\n```\n\n## 🚀 Install\n\npython 3.8 or above\n\n```\ngit clone https://github.com/YulinSec/ChatGPTScanner\ncd ChatGPTScanner\npip install -r requirements.txt\n```\n## 🔧 Usage\n```\n$ python chatgptscan.py --help\n\nNAME\n    chatgptscan.py - ChatGPTScan help summary page\n\nSYNOPSIS\n    chatgptscan.py - COMMAND | \u003cflags\u003e\n\nDESCRIPTION\n    A white box code scan powered by ChatGPT\n\n    Example:\n\n        python chatgptscan.py common_scan --project ./benchmark --language \"['python']\" --include \"['directory']\" --proxy http://127.0.0.1:7890\n\n        python chatgptscan.py common_scan --project ./go-sec-code --language \"['go']\" --include \"['controllers/cmdi.go','utils']\"  --proxy http://127.0.0.1:8080\n\n        python chatgptscan.py taint_sink_scan --project ./benchmark --language \"['python']\" --sink \"os.system()\"  --exclude \"['directory/exclude.go']\"\n\n    Note:\n        --project       path to target project\n        --language      languages of the project, decide which file extension will be loaded\n        --include       files send to ChatGPT, relative directory or relative filepath, match by prefix \n        --exclude       files not send to ChatGPT, relative directory or relative filepath, match by prefix \n        --sink          decrible your sink, only works in taint_sink_scan\n        --key           openai api key, also get from environment variable OPENAI_API_KEY\n        --proxy         openai api proxy\n        --dry           dry run, not send files to ChatGPT\n```\n\nnote: you should set your OPENAI_API_KEY first!","funding_links":[],"categories":["Uncategorized","Go","资源列表","Tools","代码审计"],"sub_categories":["Uncategorized","项目","Audit"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FYulinSec%2FChatGPTScanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FYulinSec%2FChatGPTScanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FYulinSec%2FChatGPTScanner/lists"}