Metadata-Version: 2.4
Name: swe-ai-agent
Version: 1.0.44
Summary: SWE Agent - Headless Agentic IDE with comprehensive tool support
Home-page: https://github.com/harishsg993010/SWE-Agent
Author: Harish SG
Author-email: Harish SG <harishsg993010@gmail.com>
Project-URL: Homepage, https://github.com/harishsg993010/SWE-Agent
Project-URL: Documentation, https://github.com/harishsg993010/SWE-Agent#readme
Project-URL: Repository, https://github.com/harishsg993010/SWE-Agent
Project-URL: Issues, https://github.com/harishsg993010/SWE-Agent/issues
Keywords: ai,agent,ide,development,automation,langchain,claude
Classifier: Development Status :: 5 - Production/Stable
Classifier: Intended Audience :: Developers
Classifier: Topic :: Software Development :: Build Tools
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Operating System :: OS Independent
Requires-Python: >=3.9
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: anthropic>=0.57.1
Requires-Dist: langchain-anthropic>=0.3.17
Requires-Dist: langchain>=0.3.26
Requires-Dist: langchain-core>=0.3.68
Requires-Dist: langgraph>=0.5.3
Requires-Dist: rich>=14.0.0
Requires-Dist: click>=8.0.0
Requires-Dist: psutil>=5.8.0
Requires-Dist: python-dotenv>=1.0.0
Requires-Dist: typing-extensions>=4.0.0
Requires-Dist: pydantic>=2.0.0
Requires-Dist: requests>=2.28.0
Requires-Dist: aiohttp>=3.8.0
Requires-Dist: twine>=6.1.0
Requires-Dist: pygame>=2.6.1
Requires-Dist: setuptools>=80.9.0
Requires-Dist: detect-secrets>=1.5.0
Requires-Dist: langchain-mcp-adapters>=0.1.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0.0; extra == "dev"
Requires-Dist: pytest-asyncio>=0.21.0; extra == "dev"
Requires-Dist: black>=22.0.0; extra == "dev"
Requires-Dist: flake8>=4.0.0; extra == "dev"
Requires-Dist: mypy>=0.950; extra == "dev"
Dynamic: author
Dynamic: home-page
Dynamic: license-file
Dynamic: requires-python

# 🚨 Damn Vulnerable Go Application (DVGA)

[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
[![Go Version](https://img.shields.io/badge/Go-1.21+-00ADD8.svg)](https://golang.org/)
[![Security](https://img.shields.io/badge/Security-VULNERABLE-red.svg)](https://github.com/OWASP/Top10)

⚠️ **CRITICAL WARNING**: This application contains **intentional security vulnerabilities** for educational purposes only. **NEVER** deploy this in production environments or expose it to the internet!

## 🎯 Purpose

The Damn Vulnerable Go Application (DVGA) is a deliberately insecure web application written in Go, designed for:

- 🎓 **Security Education**: Learn about common web application vulnerabilities
- 🔍 **Penetration Testing Practice**: Practice vulnerability assessment techniques
- 🛡️ **Secure Coding Training**: Understand what NOT to do in production code
- 🧪 **Security Tool Testing**: Test security scanners and analysis tools

## 🏗️ Architecture

```
DVGA/
├── vulnerable_app.go        # Main vulnerable application
├── go.mod                   # Go module dependencies
├── VULNERABILITIES.md       # Detailed vulnerability documentation
├── build.sh                 # Build script
├── test_vulnerabilities.sh  # Automated vulnerability testing
├── Dockerfile               # Container configuration
├── docker-compose.yml       # Multi-container setup
└── web/                     # Web testing interface
    └── index.html           # Interactive vulnerability testing page
```

## 🚀 Quick Start

### Method 1: Direct Execution

```bash
# Clone or download the files
# Install dependencies
go mod tidy

# Build the application
chmod +x build.sh
./build.sh

# Run the vulnerable application
./vulnerable_app
```

### Method 2: Using Docker

```bash
# Build and run with Docker Compose
docker-compose up --build

# Or build and run manually
docker build -t dvga .
docker run -p 8080:8080 dvga
```

### Method 3: Go Run

```bash
go mod tidy
go run vulnerable_app.go
```

## 🌐 Access Points

Once running, the application will be available at:

- **Main Application**: http://localhost:8080
- **Web Testing Interface**: http://localhost:8081 (if using Docker Compose)

## 🎯 Vulnerability Endpoints

| Endpoint | Vulnerability | Example |
|----------|---------------|---------|
| `/login` | SQL Injection | `?username=admin'--&password=anything` |
| `/file` | Path Traversal | `?file=../../../etc/passwd` |
| `/ping` | Command Injection | `?host=google.com;whoami` |
| `/search` | XSS | `?q=<script>alert('XSS')</script>` |
| `/delete` | CSRF | `?id=1` |
| `/debug` | Information Disclosure | Exposes sensitive data |
| `/upload` | Insecure File Upload | POST malicious files |
| `/counter` | Race Condition | Concurrent access issues |
| `/calculate` | Integer Overflow | `?a=999999999&b=999999999` |
| `/template` | Template Injection | `?template={{.}}` |
| `/deserialize` | Insecure Deserialization | `?data=exec:command` |

## 🧪 Testing Vulnerabilities

### Automated Testing

```bash
# Make the test script executable
chmod +x test_vulnerabilities.sh

# Run automated vulnerability tests
./test_vulnerabilities.sh
```

### Manual Testing

1. **SQL Injection**:
   ```bash
   curl "http://localhost:8080/login?username=admin'--&password=anything"
   ```

2. **Path Traversal**:
   ```bash
   curl "http://localhost:8080/file?file=../../../etc/passwd"
   ```

3. **Command Injection**:
   ```bash
   curl "http://localhost:8080/ping?host=127.0.0.1;whoami"
   ```

4. **XSS**:
   ```bash
   curl "http://localhost:8080/search?q=<script>alert('XSS')</script>"
   ```

### Interactive Testing

Open http://localhost:8081 in your browser for an interactive testing interface with pre-built exploit examples.

## 🔍 Vulnerability Categories

### OWASP Top 10 Coverage

- ✅ **A01:2021 – Broken Access Control**
- ✅ **A02:2021 – Cryptographic Failures**
- ✅ **A03:2021 – Injection**
- ✅ **A04:2021 – Insecure Design**
- ✅ **A05:2021 – Security Misconfiguration**
- ✅ **A06:2021 – Vulnerable and Outdated Components**
- ✅ **A07:2021 – Identification and Authentication Failures**
- ✅ **A08:2021 – Software and Data Integrity Failures**
- ✅ **A09:2021 – Security Logging and Monitoring Failures**
- ✅ **A10:2021 – Server-Side Request Forgery (SSRF)**

### Additional Vulnerabilities

- Race Conditions
- Integer Overflow
- Template Injection
- Insecure Deserialization
- Information Disclosure
- Weak Random Number Generation
- Hardcoded Credentials

## 📚 Educational Resources

### Documentation

- **[VULNERABILITIES.md](VULNERABILITIES.md)**: Comprehensive vulnerability documentation
- **Code Comments**: Inline explanations of vulnerable patterns
- **Test Scripts**: Practical exploitation examples

### Learning Path

1. **Read the Code**: Understand how vulnerabilities are introduced
2. **Run Tests**: Execute the provided test scripts
3. **Manual Exploitation**: Try crafting your own payloads
4. **Fix the Code**: Practice secure coding by fixing vulnerabilities
5. **Verify Fixes**: Test that your fixes actually work

## 🛡️ Security Considerations

### ⚠️ NEVER DO THIS IN PRODUCTION

This application demonstrates what **NOT** to do:

- ❌ Direct SQL query concatenation
- ❌ Unvalidated user input
- ❌ Weak cryptographic algorithms
- ❌ Hardcoded secrets
- ❌ Missing authentication
- ❌ Insecure session management
- ❌ Poor error handling
- ❌ Missing input validation
- ❌ Unsafe file operations
- ❌ Race conditions

### ✅ Secure Alternatives

For production applications, use:

- ✅ Parameterized queries/prepared statements
- ✅ Input validation and sanitization
- ✅ Strong cryptographic algorithms (bcrypt, Argon2)
- ✅ Environment-based configuration
- ✅ Proper authentication and authorization
- ✅ Secure session management
- ✅ Comprehensive error handling
- ✅ Content Security Policy (CSP)
- ✅ HTTPS/TLS encryption
- ✅ Thread-safe programming
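One of these fixes worked through for the `/file` path traversal endpoint, as an added example that is not DVGA's own code: the unchecked join that the table above exercises sits beside a hardened version, and `fileHandler`, `safeJoin`, `vulnerableJoin` and the `./files` root are names assumed here for illustration.

```go
package main

import (
	"errors"
	"net/http"
	"path/filepath"
	"strings"
)

var ErrOutsideRoot = errors.New("requested path escapes the served directory")
// vulnerableJoin mirrors the pattern behind DVGA's /file endpoint: no containment
// check, so "../../../etc/passwd" is accepted and resolves outside the root.
func vulnerableJoin(root, name string) string {
	return filepath.Join(root, name)
}

// safeJoin is the hardened form: filepath.IsLocal (Go 1.20+) lexically rejects
// empty, absolute and "..-escaping" names; the prefix check confirms the result
// is under root. Symlinks are not resolved (see os.Root, Go 1.24+, for that).
func safeJoin(root, name string) (string, error) {
	if !filepath.IsLocal(name) {
		return "", ErrOutsideRoot
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	full := filepath.Join(absRoot, name)
	if !strings.HasPrefix(full, absRoot+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// fileHandler (hypothetical name) is a hardened /file route: a rejected name
// gets a 400 and never reaches the filesystem.
func fileHandler(root string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		full, err := safeJoin(root, r.URL.Query().Get("file"))
		if err != nil {
			http.Error(w, "invalid file name", http.StatusBadRequest)
			return
		}
		http.ServeFile(w, r, full)
	}
}

func main() {
	_ = http.ListenAndServe("127.0.0.1:8080", fileHandler("./files")) // constructed wiring for a local run
}
```

Run it and request `?file=../../../etc/passwd` to see the 400, then swap in a legitimate name under `./files` to confirm the route still serves files.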

## 🔧 Development

### Prerequisites

- Go 1.21 or higher
- SQLite3 (for database functionality)
- Docker (optional, for containerized deployment)

### Building from Source

```bash
# Clone the repository
git clone <repository-url>
cd damn-vulnerable-go

# Install dependencies
go mod tidy

# Build
go build -o vulnerable_app vulnerable_app.go

# Run
./vulnerable_app
```

### Extending the Application

To add new vulnerabilities:

1. Create a new handler function in `vulnerable_app.go`
2. Add the route in the `main()` function
3. Document the vulnerability in `VULNERABILITIES.md`
4. Add test cases to `test_vulnerabilities.sh`
5. Update the web interface in `web/index.html`

## 📄 License

This project is licensed under the Apache License 2.0 - see the [LICENSE](LICENSE) file for details.

## ⚖️ Legal Disclaimer

This application is created solely for educational and training purposes. The authors and contributors:

- Are not responsible for any misuse of this application
- Do not encourage or condone malicious activities
- Strongly advise against deploying this in production environments
- Recommend using this only in controlled, isolated environments

## 🤝 Contributing

Contributions are welcome! Please:

1. Fork the repository
2. Create a feature branch
3. Add new vulnerabilities or improve existing ones
4. Update documentation
5. Submit a pull request

### Contribution Guidelines

- Follow Go best practices (ironically, while creating vulnerable code)
- Document all vulnerabilities thoroughly
- Provide test cases for new vulnerabilities
- Update the web interface for new endpoints
- Ensure code is well-commented for educational purposes

## 🙏 Acknowledgments

- OWASP for vulnerability classifications and guidelines
- Go security community for best practices documentation
- Security researchers who identify and document these vulnerability patterns

## 📞 Support

For questions, issues, or educational discussions:

- Open an issue in the repository
- Check the documentation in `VULNERABILITIES.md`
- Review the test scripts for usage examples

---

**Remember**: The goal is to learn about security vulnerabilities to build more secure applications. Use this knowledge responsibly! 🛡️
