https://github.com/YulinSec/ChatGPTScanner

A white box code scan powered by ChatGPT
https://github.com/YulinSec/ChatGPTScanner

Last synced: 23 days ago
JSON representation

A white box code scan powered by ChatGPT

• Host: GitHub
• URL: https://github.com/YulinSec/ChatGPTScanner
• Owner: YulinSec
• Created: 2023-03-20T18:00:21.000Z (over 1 year ago)
• Default Branch: master
• Last Pushed: 2023-04-17T08:10:50.000Z (about 1 year ago)
• Last Synced: 2024-02-24T02:33:34.253Z (4 months ago)
• Language: Go
• Size: 300 KB
• Stars: 198
• Watchers: 2
• Forks: 36
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Lists

• awesome-gpt-security - ChatGPTScanner - A white box code scan powered by ChatGPT (Tools / Audit)
• my-awesome - YulinSec/ChatGPTScanner - A white box code scan powered by ChatGPT (Go)
• awesome-ai-security - ChatGPTScanner

README

        
# ChatGPTScan

A white box code scan powered by ChatGPT

> ChatGPTScanner 的网页版本已经开源：https://github.com/YulinSec/ChatGPTScan-SAST

- [ChatGPTScan](#chatgptscan)

  - [🔮 Preview](#-preview)

    - [1. common vulnerabilities scan](#1-common-vulnerabilities-scan)

    - [2. taint sink scan](#2-taint-sink-scan)

  - [🚀 Install](#-install)

  - [🔧 Usage](#-usage)

Supports:

- common vulnerabilities scan

- taint sink scan

## 🔮 Preview

Content below in **preiew** are generated by ChatGPTScan with command

```

python chatgptscan.py common_scan --project ./benchmark/go-sec-code --language "['go']"  --include "['controllers/cmdi.go','utils']"   --proxy http://127.0.0.1:7890

```

and

```

python chatgptscan.py taint_sink_scan --sink "exec.Command"  --project ./benchmark/go-sec-code --language "['go']"  --include "['controllers/cmdi.go','utils']"   --proxy http://127.0.0.1:7890

```

Scan on [go-sec-code](https://github.com/cokeBeer/go-sec-code)

### 1. common vulnerabilities scan

File: utils/securityUtils.go:

- No vulnerabilities found.

 

File: utils/gogs.go:

- No vulnerabilities found.

 

File: controllers/cmdi.go:

- CommandInjectVuln1Controller.Get():

  - Vulnerability: High

  - The `dir` parameter is passed directly into a system command without proper input validation, which allows an attacker to inject malicious code and execute arbitrary commands on the targeted system.

 

- CommandInjectVuln2Controller.Get():

  - Vulnerability: High

  - The `host` parameter is passed directly into a system command without proper input validation, which allows an attacker to inject malicious code and execute arbitrary commands on the targeted system.

 

- CommandInjectVuln3Controller.Get():

  - Vulnerability: High

  - The `repoUrl` parameter is passed directly into a system command without proper input validation, which allows an attacker to inject malicious code and execute arbitrary commands on the targeted system using the `${touch /tmp/pwnned}` command injection payload.

 

- CommandInjectSafe1Controller.Get():

  - Vulnerability: Medium

  - The `dir` parameter is only checked against a whitelist but not properly sanitized, which can still allow an attacker to perform command injection if they are able to bypass or workaround the filter.

### 2. taint sink scan

Yes, there are function call chains in the code where remote input in request can become input or parameter of `exec.Command`. Here is the function call chain where a remote `dir` value in the request can become input or parameter of `exec.Command` in the `CommandInjectVuln1Controller` controller:

```

c.GetString("dir")

fmt.Sprintf("ls %s", dir)

exec.Command("bash", "-c", input)

cmd.CombinedOutput()

```

Here is the function call chain where a remote `host` value in the request can become input or parameter of `exec.Command` in the `CommandInjectVuln2Controller` controller:

```

c.Ctx.Request.Host

fmt.Sprintf("curl %s", host)

exec.Command("bash", "-c", input)

cmd.CombinedOutput()

```

And here is the function call chain where a remote `repoUrl` value in the request can become input or parameter of `exec.Command` in the `CommandInjectVuln3Controller` controller:

```

c.GetString("repoUrl", "--upload-pack=${touch /tmp/pwnned}")

exec.Command("git", "ls-remote", repoUrl, "refs/heads/main")

cmd.CombinedOutput()

```

## 🚀 Install

python 3.8 or above

```

git clone https://github.com/YulinSec/ChatGPTScanner

cd ChatGPTScanner

pip install -r requirements.txt

```

## 🔧 Usage

```

$ python chatgptscan.py --help

NAME

    chatgptscan.py - ChatGPTScan help summary page

SYNOPSIS

    chatgptscan.py - COMMAND | 

DESCRIPTION

    A white box code scan powered by ChatGPT

    Example:

        python chatgptscan.py common_scan --project ./benchmark --language "['python']" --include "['directory']" --proxy http://127.0.0.1:7890

        python chatgptscan.py common_scan --project ./go-sec-code --language "['go']" --include "['controllers/cmdi.go','utils']"  --proxy http://127.0.0.1:8080

        python chatgptscan.py taint_sink_scan --project ./benchmark --language "['python']" --sink "os.system()"  --exclude "['directory/exclude.go']"

    Note:

        --project       path to target project

        --language      languages of the project, decide which file extension will be loaded

        --include       files send to ChatGPT, relative directory or relative filepath, match by prefix 

        --exclude       files not send to ChatGPT, relative directory or relative filepath, match by prefix 

        --sink          decrible your sink, only works in taint_sink_scan

        --key           openai api key, also get from environment variable OPENAI_API_KEY

        --proxy         openai api proxy

        --dry           dry run, not send files to ChatGPT

```

note: you should set your OPENAI_API_KEY first!