markusx41/chatgpt-code-assistant

chatgpt-code-assistant

This is a quick-and-dirty proof-of-concept extension to integrate ChatGPT (https://chat.openai.com) as a VSCode extension.

** DO NOT USE IT TO INVESTIGATE SENSITIVE INFORMATION SINCE IT WILL SEND ALL QUERIES TO THE INTERNET **

Fun fact: parts of the code were generated by ChatGPT itself.

Features

This extension uses a slightly patched chatgpt-api (https://github.com/taranjeet/chatgpt-api) to drive a browser and query ChatGPT from within the editor. The idea is to send code snippets paired with questions / descriptions to ChatGPT and display the results inside VSCode. You can create your own questions and explore what is possible.

Requirements

The extension runs a Python server (chatgpt-api) in the background. The chatgpt-api server needs virtualenv, python3, and python3-pip. On Debian-like systems, installing them via apt-get install python3 python3-pip virtualenv should be enough.

Synopsis

  1. Install the requirements and run npm install (which reads package.json) in the project's directory.
  2. Open the project in code.
  3. Hit F5 to open another code instance.
  4. Hit F1 and search for ChatGPT.
  5. Select one.
  6. The first time you use this extension, it may take a while until something happens since it will download Chromium.
  7. Either add a new question to the list via "Add Question for ChatGPT", or query a fragment of code by selecting it in the editor, hitting F1 and then selecting a question via "Interview ChatGPT".

Interview ChatGPT will send the following to ChatGPT:

<selected code snippet>

<selected question>

Example Query (Source Code Audit)

Buggy code to be processed:

#!/usr/bin/perl
my $dinosaur = get_untrusted_input(); # 1. untrustworthy input read
print "welcome to the old times";
`echo $dinosaur > /tmp/certainly-not-a-symlink`; # 2. input can lead to command injection
# 3. a predictable temp file is written to in the public /tmp directory, this could enable a symlink attack

Question / Instruction for ChatGPT:

Explain the code and focus on potential security vulnerabilities.

Result:

This code is written in the Perl programming language. It appears to be reading some untrustworthy input from the user and then printing a welcome message. However, there are several potential security vulnerabilities in this code.

First, the code reads in untrustworthy input from the user without properly sanitizing it. This means that the user could potentially enter malicious input that could be used to exploit the program.

Second, the code appears to be using the input in a command that is executed using backticks. This means that the user's input could be used to execute arbitrary commands on the system. For example, the user could enter a command that deletes important files or alters the system in some way.

Third, the code writes the user's input to a file in the /tmp directory. This directory is often world-readable, which means that other users on the system could potentially read the contents of the file. Additionally, using a predictable file name in this directory could enable a symlink attack, where an attacker creates a symbolic link to a sensitive file and then tricks the program into writing to that file.

Overall, this code has several potential security vulnerabilities that could be exploited by a malicious user. It is important to properly sanitize user input and avoid executing arbitrary commands or writing to predictable files in public directories.
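The three findings above, fixed in place as an added example (this is not code from the extension or from ChatGPT's output); get_untrusted_input() is assumed to read one line from STDIN, and the validation pattern is an assumption about what a "dinosaur" may look like:

```perl
#!/usr/bin/perl
# Hardened rewrite of the audited snippet. Added example, not code from the
# extension; get_untrusted_input() is assumed to read one line from STDIN.
use strict;
use warnings;
use File::Temp qw(tempfile);

sub get_untrusted_input {
    my $line = <STDIN>;
    return '' unless defined $line;
    chomp $line;
    return $line;
}

# 1. Untrusted input: reject anything outside an explicit allow-list instead of
#    trying to strip "bad" characters. Returns undef when the value is refused.
#    (The allowed character set here is an assumption for the example.)
sub validate_dinosaur {
    my ($raw) = @_;
    return undef unless $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return $1;
}

# 2. Command injection: no shell is spawned at all. Writing via a filehandle
#    replaces `echo $dinosaur > file`; if an external program were really
#    needed, system('prog', $dinosaur) in list form also bypasses /bin/sh.
# 3. Predictable temp file: File::Temp opens a random name with O_CREAT|O_EXCL
#    and mode 0600, so a symlink planted in /tmp ahead of time cannot redirect
#    the write and other local users cannot read the contents.
sub write_dinosaur {
    my ($dinosaur) = @_;
    my ($fh, $path) = tempfile('dinosaur-XXXXXXXX', TMPDIR => 1, UNLINK => 0);
    print {$fh} "$dinosaur\n";
    close $fh or die "close $path: $!";
    return $path;
}

my $dinosaur = validate_dinosaur(get_untrusted_input());
die "rejected input\n" unless defined $dinosaur;
print "welcome to the old times\n";
my $path = write_dinosaur($dinosaur);
print "wrote $path\n";
```

Running it under perl -T (taint mode) additionally makes Perl refuse to pass unvalidated input to system() or open() at all, which is a useful backstop for the audit finding in point 1.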

Example Query (Text)

Text to be processed:

This is a cool intro for our extension, it's the best ever!

Question / Instruction for ChatGPT:

Rewrite this intro in the style of 1980s hacking zines and also add ASCII art.

Result:

Greetings, fellow hackers!

Are you tired of using lame, mainstream tools to infiltrate the digital frontier? Look no further, because we've got the ultimate solution for all your hacking needs: our very own extension!

This bad boy is packed with all the features a true hacker could ever want: encrypted communication, access to underground networks, and more. And the best part? It's completely untraceable!

So why wait? Get your hands on this revolutionary tool and join the ranks of the elite hackers who are forging a new path in the digital world.

Happy hacking!

___   ___   __   __   __   ___       __   __  __  __  __  
|__  |__  |__) /__` |__) /__`     | /  \ |__) |__) |__) 
|    |___ |  \ .__/ |  \ .__/     | \__/ |    |    |  \ 
                                                         

Known Issues

This is a quick-and-dirty hack; it is 100% full of bugs and security issues and will probably leak your 0days. For educational purposes only, to explore the applications of AI in security code auditing.

About

VSCode Integration POC for ChatGPT