mirror of https://github.com/FuzzingLabs/fuzzforge_ai.git synced 2026-02-12 22:32:45 +00:00

Files

tduhamel42 40d48a8045 feat: Complete Temporal migration cleanup and fixes

- Remove obsolete docker_logs.py module and container diagnostics from SDK
- Fix security_assessment workflow metadata (vertical: rust -> python)
- Remove all Prefect references from documentation
- Add SDK exception handling test suite
- Clean up old test artifacts

2025-10-14 15:02:52 +02:00

.github/workflows

Initial commit

2025-09-29 21:26:41 +02:00

config

Initial commit

2025-09-29 21:26:41 +02:00

scripts

Initial commit

2025-09-29 21:26:41 +02:00

src

Initial commit

2025-09-29 21:26:41 +02:00

app.py

CI/CD Integration with Ephemeral Deployment Model (#14 )

2025-10-14 10:13:45 +02:00

README.md

Initial commit

2025-09-29 21:26:41 +02:00

requirements.txt

Initial commit

2025-09-29 21:26:41 +02:00

README.md

Vulnerable Test Application

This is a TEST PROJECT designed to trigger security findings in the FuzzForge security assessment workflow.

⚠️ WARNING: This application contains intentional security vulnerabilities for testing purposes only. DO NOT use any of this code in production!

Vulnerabilities Included

Hardcoded Secrets

Database passwords
API keys (AWS, Stripe, GitHub, etc.)
JWT secrets
Private keys (RSA, Bitcoin, Ethereum)
OAuth tokens

Code Injection

eval() usage in multiple languages
exec() and system() calls
Dynamic function creation
Template injection

SQL Injection

String concatenation in queries
String formatting in SQL
Dynamic query building
Parameterless queries

Command Injection

Unsanitized user input in system commands
Shell execution with user data
Subprocess calls with shell=True

Path Traversal

Unvalidated file paths
Directory traversal patterns
Insecure file operations

Other Vulnerabilities

XSS vulnerabilities
Insecure deserialization
Weak cryptography (MD5, weak random)
CORS misconfigurations
Debug mode enabled

Files Overview

src/ - Source code with various vulnerabilities
- database.py - Python with SQL injection and hardcoded secrets
- api_handler.py - Python with eval and command injection
- utils.rb - Ruby vulnerabilities
- Main.java - Java security issues
- app.go - Go vulnerabilities
scripts/ - Script files
- deploy.php - PHP vulnerabilities
- backup.js - JavaScript security issues
config/ - Configuration files
- settings.py - Hardcoded credentials
- database.yaml - Database passwords
.env - Environment file with secrets
private_key.pem - Private key file
wallet.json - Cryptocurrency wallets
.github/workflows/ - CI/CD with hardcoded secrets

Expected Findings

When running the security assessment workflow, you should see:

Multiple hardcoded secrets detected
SQL injection vulnerabilities
Command injection risks
Dangerous function usage
Sensitive file discoveries

Testing

To test with FuzzForge:

curl -X POST "http://localhost:8000/workflows/security_assessment/submit" \
  -H "Content-Type: application/json" \
  -d '{
    "target_path": "/path/to/test_projects/vulnerable_app",
    "volume_mode": "ro",
    "parameters": {
      "scanner_config": {"check_sensitive": true},
      "analyzer_config": {"check_secrets": true, "check_sql": true}
    }
  }'

Note

This is purely for testing security scanning capabilities. All credentials and keys are fake/example values.