CalvinBackup/god-eye
1
0
Fork 0
mirror of https://github.com/Vyntral/god-eye.git synced 2026-05-17 22:04:46 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
god-eye/internal/modules/security/security.go
T
Vyntral 3a4c230aa7 feat: v2.0 full rewrite — event-driven pipeline, AI + Nuclei + proxy 
Complete architectural overhaul. Replaces the v0.1 monolithic scanner
with an event-driven pipeline of auto-registered modules.

Foundation (internal/):
- eventbus: typed pub/sub, 20 event types, race-safe, drop counter
- module: registry with phase-based selection
- store: thread-safe host store with per-host locks + deep-copy reads
- pipeline: coordinator with phase barriers + panic recovery
- config: 5 scan profiles + 3 AI tiers + YAML loader + auto-discovery

Modules (26 auto-registered across 6 phases):
- Discovery: passive (26 sources), bruteforce, recursive, AXFR, GitHub
  dorks, CT streaming, permutation, reverse DNS, vhost, ASN, supply
  chain (npm + PyPI)
- Enrichment: HTTP probe + tech fingerprint + TLS appliance ID, ports
- Analysis: security checks, takeover (110+ sigs), cloud, JavaScript,
  GraphQL, JWT, headers (OWASP), HTTP smuggling, AI cascade, Nuclei
- Reporting: TXT/JSON/CSV writer + AI scan brief

AI layer (internal/ai/ + internal/modules/ai/):
- Three profiles: lean (16 GB), balanced (32 GB MoE), heavy (64 GB)
- Six event-driven handlers: CVE, JS file, HTTP response, secret
  filter, multi-agent vuln enrichment, anomaly + executive report
- Content-hash cache dedups Ollama calls across hosts
- Auto-pull of missing models via /api/pull with streaming progress
- End-of-scan AI SCAN BRIEF in terminal with top chains + next actions

Nuclei compat layer (internal/nucleitpl/):
- Executes ~13k community templates (HTTP subset)
- Auto-download of nuclei-templates ZIP to ~/.god-eye/nuclei-templates
- Scope filter rejects off-host templates (eliminates OSINT FPs)

Operations:
- Interactive wizard (internal/wizard/) — zero-flag launch
- LivePrinter (internal/tui/) — colorized event stream
- Diff engine + scheduler (internal/diff, internal/scheduler) for
  continuous ASM monitoring with webhook alerts
- Proxy support (internal/proxyconf/): http / https / socks5 / socks5h
  + basic auth

Fixes #1 — native SOCKS5 / Tor compatibility via --proxy flag.

185 unit tests across 15 packages, all race-detector clean.
2026-04-18 16:48:41 +02:00

242 lines
7.6 KiB
Go
Raw Permalink Blame History

// Package security runs the v1 security checks (open redirect, CORS,
// HTTP methods, git/svn, backups, admin, API) on every probed host.
//
// Reads hosts from the store (not events) so late-start phases don't miss
// the upstream HTTPProbed events.
package security
import (
"context"
"sync"
"time"
"god-eye/internal/eventbus"
gohttp "god-eye/internal/http"
"god-eye/internal/module"
"god-eye/internal/security"
"god-eye/internal/store"
)
const ModuleName = "security.checks"
type secModule struct{}
func Register() { module.Register(&secModule{}) }
func (*secModule) Name() string { return ModuleName }
func (*secModule) Phase() module.Phase { return module.PhaseAnalysis }
func (*secModule) Consumes() []eventbus.EventType { return []eventbus.EventType{eventbus.EventHTTPProbed} }
func (*secModule) Produces() []eventbus.EventType { return []eventbus.EventType{eventbus.EventVulnerability} }
func (*secModule) DefaultEnabled() bool { return true }
func (*secModule) Run(mctx module.Context) error {
conc := mctx.Config.Int("concurrency", 200)
if conc <= 0 {
conc = 200
}
timeout := mctx.Config.Int("timeout", 5)
processed := make(map[string]struct{})
var processedMu sync.Mutex
shouldProcess := func(host string) bool {
processedMu.Lock()
defer processedMu.Unlock()
if _, dup := processed[host]; dup {
return false
}
processed[host] = struct{}{}
return true
}
work := make(chan string, conc*2)
var wg sync.WaitGroup
for i := 0; i < conc; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for host := range work {
runChecks(mctx, host, timeout)
}
}()
}
// Drain: every host that got a successful HTTP probe.
for _, h := range mctx.Store.All(mctx.Ctx) {
if h == nil || h.StatusCode == 0 {
continue
}
if !shouldProcess(h.Subdomain) {
continue
}
select {
case work <- h.Subdomain:
case <-mctx.Ctx.Done():
close(work)
wg.Wait()
return nil
}
}
// Listen for late HTTPProbed events.
sub := mctx.Bus.Subscribe(eventbus.EventHTTPProbed, func(_ context.Context, e eventbus.Event) {
ev, ok := e.(eventbus.HTTPProbed)
if !ok || ev.StatusCode == 0 {
return
}
host := ev.Meta().Target
if !shouldProcess(host) {
return
}
select {
case work <- host:
case <-mctx.Ctx.Done():
}
})
defer sub.Unsubscribe()
select {
case <-time.After(500 * time.Millisecond):
case <-mctx.Ctx.Done():
}
close(work)
wg.Wait()
return nil
}
func runChecks(mctx module.Context, host string, timeout int) {
if mctx.Ctx.Err() != nil {
return
}
client := gohttp.GetSharedClient(timeout)
var openRedirect bool
var cors string
var allowed, dangerous []string
var admin, backups, apis []string
var gitExposed, svnExposed bool
var wg sync.WaitGroup
wg.Add(7)
go func() { defer wg.Done(); openRedirect = security.CheckOpenRedirectWithClient(host, client) }()
go func() { defer wg.Done(); cors = security.CheckCORSWithClient(host, client) }()
go func() { defer wg.Done(); allowed, dangerous = security.CheckHTTPMethodsWithClient(host, client) }()
go func() { defer wg.Done(); admin = security.CheckAdminPanelsWithClient(host, client) }()
go func() { defer wg.Done(); gitExposed, svnExposed = security.CheckGitSvnExposureWithClient(host, client) }()
go func() { defer wg.Done(); backups = security.CheckBackupFilesWithClient(host, client) }()
go func() { defer wg.Done(); apis = security.CheckAPIEndpointsWithClient(host, client) }()
wg.Wait()
_ = mctx.Store.Upsert(mctx.Ctx, host, func(h *store.Host) {
now := time.Now()
if openRedirect {
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
ID: "open-redirect", Title: "Open Redirect",
Description: "Server redirects to attacker-controlled URL via redirect parameter",
Severity: string(eventbus.SeverityMedium),
URL: "https://" + host,
OWASP: "A01:2021-Broken Access Control",
FoundAt: now,
})
}
if cors != "" {
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
ID: "cors-misconfig", Title: "CORS Misconfiguration",
Description: cors,
Severity: string(eventbus.SeverityHigh),
URL: "https://" + host,
OWASP: "A05:2021-Security Misconfiguration",
FoundAt: now,
})
}
if len(dangerous) > 0 {
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
ID: "dangerous-http-methods", Title: "Dangerous HTTP Methods Enabled",
Description: "Server allows potentially dangerous methods",
Severity: string(eventbus.SeverityMedium),
Evidence: joinStrings(dangerous, ", "),
URL: "https://" + host,
OWASP: "A05:2021-Security Misconfiguration",
FoundAt: now,
})
}
if gitExposed {
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
ID: "git-exposed", Title: "Git Repository Exposed",
Description: ".git directory is publicly accessible",
Severity: string(eventbus.SeverityCritical),
URL: "https://" + host + "/.git/config",
OWASP: "A05:2021-Security Misconfiguration",
FoundAt: now,
})
}
if svnExposed {
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
ID: "svn-exposed", Title: "SVN Repository Exposed",
Description: ".svn directory is publicly accessible",
Severity: string(eventbus.SeverityHigh),
URL: "https://" + host + "/.svn/entries",
OWASP: "A05:2021-Security Misconfiguration",
FoundAt: now,
})
}
for _, b := range backups {
h.Vulnerabilities = append(h.Vulnerabilities, store.Vulnerability{
ID: "backup-file", Title: "Backup File Exposed",
Description: "Backup file accessible: " + b,
Severity: string(eventbus.SeverityHigh),
URL: b,
OWASP: "A05:2021-Security Misconfiguration",
FoundAt: now,
})
}
_ = allowed
_ = admin
_ = apis
})
now := time.Now()
base := eventbus.EventMeta{At: now, Source: ModuleName, Target: host}
emit := func(ev eventbus.VulnerabilityFound) { mctx.Bus.Publish(mctx.Ctx, ev) }
if openRedirect {
emit(eventbus.VulnerabilityFound{EventMeta: base, ID: "open-redirect", Title: "Open Redirect",
Severity: eventbus.SeverityMedium, URL: "https://" + host, OWASP: "A01:2021-Broken Access Control"})
}
if cors != "" {
emit(eventbus.VulnerabilityFound{EventMeta: base, ID: "cors-misconfig", Title: "CORS Misconfiguration",
Description: cors, Severity: eventbus.SeverityHigh, URL: "https://" + host, OWASP: "A05:2021-Security Misconfiguration"})
}
if len(dangerous) > 0 {
emit(eventbus.VulnerabilityFound{EventMeta: base, ID: "dangerous-http-methods", Title: "Dangerous HTTP Methods",
Evidence: joinStrings(dangerous, ", "), Severity: eventbus.SeverityMedium, URL: "https://" + host,
OWASP: "A05:2021-Security Misconfiguration"})
}
if gitExposed {
emit(eventbus.VulnerabilityFound{EventMeta: base, ID: "git-exposed", Title: "Git Repository Exposed",
Severity: eventbus.SeverityCritical, URL: "https://" + host + "/.git/config",
OWASP: "A05:2021-Security Misconfiguration"})
}
if svnExposed {
emit(eventbus.VulnerabilityFound{EventMeta: base, ID: "svn-exposed", Title: "SVN Repository Exposed",
Severity: eventbus.SeverityHigh, URL: "https://" + host + "/.svn/entries",
OWASP: "A05:2021-Security Misconfiguration"})
}
for _, b := range backups {
emit(eventbus.VulnerabilityFound{EventMeta: base, ID: "backup-file", Title: "Backup File Exposed",
Severity: eventbus.SeverityHigh, URL: b, OWASP: "A05:2021-Security Misconfiguration"})
}
}
func joinStrings(ss []string, sep string) string {
if len(ss) == 0 {
return ""
}
out := ss[0]
for _, s := range ss[1:] {
out += sep + s
}
return out
}
Reference in New Issue View Git Blame Copy Permalink