MCPcopy Index your code
hub / github.com/Contrast-Security-OSS/go-test-bench

github.com/Contrast-Security-OSS/go-test-bench @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
834 symbols 1,895 edges 129 files 707 documented · 85%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Go Test Bench

CI Go Report Card GoDoc License: MIT

An intentionally vulnerable go app, now available in these refreshing flavors: * cmd/std uses Go's standard library, net/http. * cmd/gin uses github.com/gin-gonic/gin * cmd/chi uses github.com/go-chi/chi * cmd/go-swagger uses github.com/go-openapi. * cmd/julienschmidt uses github.com/julienschmidt/httprouter

The go-test-bench application includes vulnerabilities from the OWASP Top 10 and is intended to be used as an educational tool for developers and security professionals. PRs welcome!

For customer demonstrations click here to follow the Demo.md readme.

Installation Requirements

How to Run Locally

To run with the standard library,

    go build -o app ./cmd/std
    ./app

To run with gin instead, substitute gin for std in the build command, and likewise for chi, go-swagger, or julienschmidt.

The app can be viewed in your browser at http://localhost:8080

Note that the app loads resources from subdirs, so you will need to run from the dir this README.md is in.

How to Run Using Docker

    docker build -t image-name .
    docker run -p 8080:8080 image-name

To run with gin instead, pass in --build-args FRAMEWORK=gin in the build command, and likewise for chi, go-swagger, or julienschmidt.

View app at http://localhost:8080

Acknowledgements

The development team.

Experimenting with the code

organization

  • code for vulnerable functions is located in internal/
  • exception: vulnerable functions from a particular framework (see below)
  • framework-specific code is located under cmd/ and pkg/
  • html templates and css are under views/
  • vulnerability and route data is in go structs, located in the relevant package under internal/

quirks

Each framework is different. We've tried to separate framework logic from vulnerability logic so that adding a framework necessitates a minimum of changes to vulnerability logic, and vice versa.

swagger

Swagger is a bit unique, in that it has a lot of generated code and requires a swagger spec. To maintain a single source of truth, we generate the swagger spec from our route data. We also generate boilerplate tying a route handler to each swagger endpoint.

For details, see cmd/go-swagger/README.md

Extension points exported contracts — how you extend this code

Logger (Interface)
Logger contains selected methods of testing.TB [1 implementers]
internal/common/logger.go
PathTraversalGetBufferedQueryReadFileHandlerFunc (FuncType)
PathTraversalGetBufferedQueryReadFileHandlerFunc turns a function with the right signature into a path traversal get buf
cmd/go-swagger/restapi/operations/path_traversal/path_traversal_get_buffered_query_read_file.go
SanitizerFn (FuncType)
A SanitizerFn sanitizes the input string
internal/common/sink.go
PathTraversalGetBufferedQueryReadFileHandler (Interface)
PathTraversalGetBufferedQueryReadFileHandler interface for that can handle valid path traversal get buffered query read
cmd/go-swagger/restapi/operations/path_traversal/path_traversal_get_buffered_query_read_file.go
HandlerFn (FuncType)
HandlerFn is a framework-agnostic function to handle a vulnerable endpoint. `opaque` can be set to some framework-specif
internal/common/handler.go
PathTraversalGetBufferedQueryCreateHandlerFunc (FuncType)
PathTraversalGetBufferedQueryCreateHandlerFunc turns a function with the right signature into a path traversal get buffe
cmd/go-swagger/restapi/operations/path_traversal/path_traversal_get_buffered_query_create.go
VulnerableFnWrapper (FuncType)
VulnerableFnWrapper is a function wrapping something vulnerable. Used to adapt things for use with GenericHandler. 'raw'
internal/common/handler.go
PathTraversalGetBufferedQueryCreateHandler (Interface)
PathTraversalGetBufferedQueryCreateHandler interface for that can handle valid path traversal get buffered query create
cmd/go-swagger/restapi/operations/path_traversal/path_traversal_get_buffered_query_create.go

Core symbols most depended-on inside this repo

Fatalf
called by 28
internal/common/logger.go
Errorf
called by 22
internal/common/logger.go
RouteHandler
called by 19
pkg/serveswagger/setup.go
Query
called by 18
internal/injection/sqli/db.go
Logf
called by 16
internal/common/logger.go
LocateDir
called by 10
internal/common/routes.go
PopulateRouteMap
called by 10
internal/common/routes.go
String
called by 9
cmd/go-swagger/restapi/operations/xss/xss_front_urlbuilder.go

Shape

Method 463
Function 202
Struct 121
FuncType 23
Interface 21
TypeAlias 4

Languages

Go100%

Modules by API surface

cmd/go-swagger/restapi/operations/swagger_bench_api.go25 symbols
cmd/go-swagger/restapi/server.go20 symbols
internal/common/routes.go17 symbols
cmd/go-swagger/regen/regen.go15 symbols
internal/injection/sqli/db.go12 symbols
cmd/go-swagger/restapi/operations/swagger_server/root_responses.go12 symbols
internal/common/input_test.go10 symbols
cmd/go-swagger/restapi/operations/xss/xss_get_query_reflected_xss_responses.go10 symbols
cmd/go-swagger/restapi/operations/xss/xss_get_buffered_query_reflected_xss_responses.go10 symbols
cmd/go-swagger/restapi/operations/xss/xss_front_responses.go10 symbols
cmd/go-swagger/restapi/operations/ssrf/ssrf_get_query_http_responses.go10 symbols
cmd/go-swagger/restapi/operations/ssrf/ssrf_front_responses.go10 symbols

For agents

$ claude mcp add go-test-bench \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact