README.md
Rendering markdown...
# Contributing to ChromSploit Framework
Thank you for your interest in contributing to ChromSploit Framework! This guide will help you get started with contributing effectively and responsibly.
## Table of Contents
- [Code of Conduct](#code-of-conduct)
- [Getting Started](#getting-started)
- [Types of Contributions](#types-of-contributions)
- [Development Setup](#development-setup)
- [Contribution Guidelines](#contribution-guidelines)
- [Pull Request Process](#pull-request-process)
- [Security Considerations](#security-considerations)
- [Community](#community)
## Code of Conduct
### Our Commitment
We are committed to providing a welcoming, inclusive, and harassment-free environment for all contributors, regardless of background, experience level, or identity.
### Expected Behavior
- **Be respectful** in all communications and interactions
- **Be collaborative** and help others learn and grow
- **Be constructive** when providing feedback or criticism
- **Focus on security research** and educational value
- **Respect responsible disclosure** principles
### Unacceptable Behavior
- Harassment, discrimination, or personal attacks
- Sharing exploits for malicious purposes
- Violating computer crime laws or terms of service
- Disclosing vulnerabilities without proper coordination
- Spamming or trolling in project communications
### Enforcement
Code of conduct violations should be reported to the project maintainers at [email protected]. All reports will be investigated promptly and fairly.
## Getting Started
### Prerequisites
Before contributing, ensure you have:
- **Python 3.9+** installed
- **Git** knowledge and setup
- **Basic understanding** of web security concepts
- **Development environment** set up (see [Development Setup](#development-setup))
### Finding Ways to Contribute
Good first contributions include:
- **Bug fixes** - Fix reported issues
- **Documentation** - Improve guides and examples
- **Tests** - Add or improve test coverage
- **Tooling** - Enhance development workflow
- **Translations** - Help with internationalization
Check our [Issues](https://github.com/yourusername/ChromSploit-Framework/issues) page for:
- `good first issue` - Beginner-friendly tasks
- `help wanted` - Tasks needing contributors
- `documentation` - Documentation improvements
- `enhancement` - Feature requests
## Types of Contributions
### 1. Bug Reports
When reporting bugs:
```markdown
**Bug Description**
Clear description of the issue
**Steps to Reproduce**
1. Go to...
2. Click on...
3. See error
**Expected Behavior**
What should happen
**Actual Behavior**
What actually happens
**Environment**
- OS: [e.g., Ubuntu 20.04]
- Python version: [e.g., 3.9.2]
- ChromSploit version: [e.g., v2.2]
**Additional Context**
Screenshots, logs, or other helpful information
```
### 2. Feature Requests
For new features:
```markdown
**Feature Description**
Clear description of the requested feature
**Use Case**
Why is this feature needed? What problem does it solve?
**Proposed Solution**
How would you like this implemented?
**Alternative Solutions**
Any alternative approaches considered
**Security Considerations**
How does this affect framework security?
```
### 3. CVE Exploit Contributions
When contributing new exploits:
- **Verify CVE exists** in official databases
- **Use public PoCs only** - no zero-days
- **Follow template structure** (see `exploits/template_exploit.py`)
- **Include simulation mode** implementation
- **Add comprehensive tests**
- **Document security implications**
Example exploit contribution:
```python
# exploits/cve_2025_xxxxx.py
class CVE2025_XXXXX_Exploit:
"""
CVE-2025-XXXXX: Brief description
References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-XXXXX
- https://github.com/researcher/poc-repo
"""
def __init__(self):
self.cve_id = "CVE-2025-XXXXX"
self.description = "Vulnerability description"
# ... implementation following framework patterns
```
### 4. Module Contributions
For new framework modules:
- **Follow architecture patterns** (see docs/ARCHITECTURE.md)
- **Implement proper error handling**
- **Include fallback mechanisms**
- **Add comprehensive documentation**
- **Provide usage examples**
### 5. Documentation Improvements
Documentation contributions can include:
- **API documentation** improvements
- **Usage examples** and tutorials
- **Architecture** explanations
- **Security guidelines** updates
- **Translation** to other languages
## Development Setup
### 1. Fork and Clone
```bash
# Fork the repository on GitHub, then clone your fork
git clone https://github.com/YOUR_USERNAME/ChromSploit-Framework.git
cd ChromSploit-Framework
# Add upstream remote
git remote add upstream https://github.com/original/ChromSploit-Framework.git
```
### 2. Environment Setup
```bash
# Create development environment
python3 -m venv venv-dev
source venv-dev/bin/activate # Linux/macOS
# venv-dev\Scripts\activate # Windows
# Install development dependencies
pip install -r requirements-dev.txt
# Install pre-commit hooks
pre-commit install
# Verify setup
python chromsploit.py --check
python -m pytest tests/ -v
```
### 3. Development Workflow
```bash
# Create feature branch
git checkout -b feature/my-new-feature
# Make changes and test
python -m pytest tests/
python -m flake8 .
python -m black . --check
# Commit with conventional format
git commit -m "feat: add new CVE exploit implementation"
# Push to your fork
git push origin feature/my-new-feature
# Create pull request on GitHub
```
## Contribution Guidelines
### Code Style
We follow these coding standards:
#### Python Code Style
```python
# Use Black formatting (120 character line limit)
black . --line-length 120
# Follow PEP 8 with these additions:
# - Type hints for function signatures
# - Comprehensive docstrings
# - Descriptive variable names
def process_exploit_result(
result: Dict[str, Any],
cve_id: str,
simulation_mode: bool = True
) -> Dict[str, Any]:
"""
Process and sanitize exploit execution results.
Args:
result: Raw exploit execution result
cve_id: CVE identifier for logging
simulation_mode: Whether this was a simulated execution
Returns:
Processed and sanitized result dictionary
Raises:
ValidationError: If result format is invalid
"""
# Implementation here
```
#### Import Organization
```python
# Standard library imports
import json
import logging
from datetime import datetime
from typing import Dict, Any, Optional
# Third-party imports
import requests
from colorama import Fore, Style
# Local imports
from core.enhanced_logger import get_logger
from core.error_handler import handle_errors
from modules.obfuscation import PayloadObfuscator
```
#### Error Handling
```python
# Use framework error handling
@handle_errors
def risky_operation():
"""Function that might raise exceptions"""
pass
# Or explicit error handling
try:
result = dangerous_operation()
except SpecificException as e:
logger.error(f"Operation failed: {e}")
return {'success': False, 'error': str(e)}
```
### Testing Requirements
All contributions must include appropriate tests:
#### Test Structure
```python
# tests/test_exploits/test_cve_yyyy_xxxxx.py
import pytest
from unittest.mock import patch, MagicMock
from exploits.cve_yyyy_xxxxx import CVE20YY_XXXXX_Exploit
class TestCVE20YY_XXXXX:
"""Test suite for CVE-20YY-XXXXX exploit"""
def setup_method(self):
"""Setup test environment"""
self.exploit = CVE20YY_XXXXX_Exploit()
self.test_target = "http://test.example.com"
def test_simulation_execution(self):
"""Test simulation mode execution"""
result = self.exploit.execute(self.test_target)
assert result['success'] is True
assert result['metadata']['simulation'] is True
assert result['cve_id'] == "CVE-20YY-XXXXX"
@patch('exploits.cve_yyyy_xxxxx.requests.post')
def test_real_execution_mocked(self, mock_post):
"""Test real execution with mocked network calls"""
# Mock setup
mock_response = MagicMock()
mock_response.status_code = 200
mock_post.return_value = mock_response
# Test execution
self.exploit.set_parameter('simulation_mode', False)
result = self.exploit.execute(self.test_target)
# Assertions
assert mock_post.called
assert result['success'] is True
```
#### Test Coverage
- **Unit tests** for individual functions/methods
- **Integration tests** for module interactions
- **Security tests** for input validation
- **Performance tests** for critical paths
Run tests with coverage:
```bash
# Run all tests with coverage
python -m pytest --cov=core --cov=exploits --cov=modules --cov-report=html
# Test specific components
python -m pytest tests/test_exploits/ -v
python -m pytest tests/test_core/ -v
# Run security tests
python -m pytest tests/test_security/ -v
```
### Documentation Standards
#### Docstring Format
```python
def complex_function(
param1: str,
param2: Dict[str, Any],
param3: Optional[bool] = None
) -> Tuple[bool, str]:
"""
One-line summary of function purpose.
Longer description explaining the function's behavior,
any important implementation details, and usage notes.
Args:
param1: Description of first parameter including format
param2: Description of dictionary parameter with expected keys
param3: Optional parameter with default behavior description
Returns:
Tuple containing:
- bool: Success status
- str: Result message or error description
Raises:
ValueError: If param1 is invalid format
KeyError: If param2 missing required keys
Example:
>>> success, message = complex_function("test", {"key": "value"})
>>> print(f"Success: {success}, Message: {message}")
Success: True, Message: Operation completed
Note:
This function has side effects and may modify global state.
"""
# Implementation
```
#### Markdown Documentation
```markdown
# Clear Section Headers
## Subsection with Purpose
Brief introduction explaining what this section covers.
### Code Examples
Provide working code examples:
```python
# Working example with comments
example = ExampleClass()
result = example.method(parameter="value")
```
### Important Notes
> **Warning**: Highlight security or safety considerations
> **Note**: Additional context or tips
```
### Commit Message Format
Use conventional commit format:
```
type(scope): description
[optional body]
[optional footer]
```
**Types:**
- `feat`: New feature
- `fix`: Bug fix
- `docs`: Documentation changes
- `style`: Code style changes (formatting, etc.)
- `refactor`: Code refactoring
- `test`: Adding or modifying tests
- `chore`: Maintenance tasks
**Examples:**
```
feat(exploits): add CVE-2025-12345 Chrome RCE exploit
Implement comprehensive Chrome remote code execution exploit
based on public PoC from security researcher. Includes:
- Mojo IPC payload generation
- Multi-stage exploitation
- Comprehensive test suite
Closes #123
fix(core): resolve module loading race condition
Fixed race condition in module loader that occurred when
multiple modules were loaded simultaneously. Added proper
locking mechanism and improved error handling.
Fixes #456
docs(api): update browser chain API documentation
Added missing parameters and improved examples for the
enhanced browser exploit chain API.
```
## Pull Request Process
### 1. Before Creating PR
- [ ] Code follows style guidelines
- [ ] All tests pass
- [ ] Documentation is updated
- [ ] Security implications considered
- [ ] CHANGELOG.md updated (if applicable)
```bash
# Pre-PR checklist commands
python -m pytest tests/ -v
python -m flake8 .
python -m black . --check
python -m mypy chromsploit.py --ignore-missing-imports
bandit -r . -x tests/
```
### 2. PR Template
```markdown
## Description
Brief description of changes and motivation.
## Type of Change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Documentation update
## Testing
- [ ] Unit tests added/updated
- [ ] Integration tests added/updated
- [ ] Manual testing completed
- [ ] Security testing performed
## Security Considerations
- [ ] No sensitive data exposed
- [ ] Input validation implemented
- [ ] Simulation mode implemented (for exploits)
- [ ] Audit logging added
## Checklist
- [ ] Code follows project style guidelines
- [ ] Self-review completed
- [ ] Documentation updated
- [ ] Tests added and passing
- [ ] No conflicts with main branch
## Screenshots (if applicable)
Add screenshots for UI changes or new features.
## Additional Notes
Any additional information or context.
```
### 3. Review Process
PRs will be reviewed for:
- **Code quality** and adherence to standards
- **Security implications** and safety measures
- **Test coverage** and quality
- **Documentation** completeness
- **Performance** impact
- **Breaking changes** assessment
### 4. Feedback and Iteration
- Address reviewer feedback promptly
- Make requested changes in new commits
- Engage in constructive discussion
- Update documentation as needed
## Security Considerations
### Responsible Disclosure
When contributing security-related content:
1. **Use only public information** - no zero-days or unreported vulnerabilities
2. **Follow responsible disclosure** - coordinate with vendors when appropriate
3. **Implement simulation mode** - all exploits must have safe simulation
4. **Document security implications** - explain risks and mitigations
### Security Review Process
Security-sensitive contributions undergo additional review:
- **Security team review** for exploit contributions
- **Threat modeling** for new features
- **Penetration testing** for significant changes
- **Third-party audit** for major releases
### Security Reporting
To report security issues in contributions:
1. Email [email protected] (not GitHub issues)
2. Include detailed information
3. Allow reasonable response time
4. Follow coordinated disclosure
## Recognition
### Contributors
All contributors are recognized in:
- **CONTRIBUTORS.md** file
- **Release notes** for significant contributions
- **GitHub contributors** page
- **Annual contributor highlights**
### Types of Recognition
- **Code contributors** - Direct code contributions
- **Security researchers** - Vulnerability research and responsible disclosure
- **Documentation contributors** - Documentation improvements
- **Community supporters** - Help with issues, discussions, and community building
- **Translators** - Internationalization efforts
### Hall of Fame
Outstanding contributors may be recognized in our Hall of Fame for:
- Significant code contributions
- Important security research
- Community leadership
- Long-term project support
## Community
### Communication Channels
- **GitHub Issues** - Bug reports and feature requests
- **GitHub Discussions** - General discussion and Q&A
- **Security Email** - [email protected] (private security issues)
- **Contributor Chat** - Discord/Slack (invitation required)
### Getting Help
If you need help contributing:
1. **Check documentation** - README, docs/, and CLAUDE.md
2. **Search existing issues** - someone may have asked already
3. **Ask in discussions** - GitHub Discussions for general questions
4. **Contact maintainers** - for specific contribution questions
### Community Events
We organize regular community events:
- **Monthly contributor calls** - Progress updates and coordination
- **Security research showcases** - Present findings and techniques
- **Documentation sprints** - Collaborative documentation improvement
- **Code review sessions** - Learn best practices
## License
By contributing to ChromSploit Framework, you agree that your contributions will be licensed under the same license as the project (MIT License). You confirm that:
- You have the right to submit the contributions
- Your contributions are your original work or properly attributed
- You understand the security and ethical implications
- You agree to the project's Code of Conduct
## Thank You
Thank you for contributing to ChromSploit Framework! Your contributions help make security research more accessible, educational, and effective. Together, we can build a powerful tool for the security community while maintaining the highest standards of responsibility and ethics.
---
**Questions?** Feel free to reach out via GitHub Discussions or email the maintainers at [email protected].