apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-15 20:05:13 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

719
src/auth_analysis/checks.rs Normal file
View file

@ -0,0 +1,719 @@
use super::config::AuthAnalysisRules;
use super::model::{
AnalysisUnit, AuthCheck, AuthCheckKind, AuthorizationModel, OperationKind, SensitiveOperation,
ValueRef, ValueSourceKind,
};
use crate::patterns::Severity;
#[derive(Debug, Clone)]
pub struct AuthFinding {
pub rule_id: String,
pub severity: Severity,
pub span: (usize, usize),
pub message: String,
}
pub fn run_checks(model: &AuthorizationModel, rules: &AuthAnalysisRules) -> Vec<AuthFinding> {
let mut findings = Vec::new();
findings.extend(check_admin_routes(model, rules));
findings.extend(check_ownership_gaps(model, rules));
findings.extend(check_partial_batch_authorization(model, rules));
findings.extend(check_stale_authorization(model, rules));
findings.extend(check_token_override_without_validation(model, rules));
findings.sort_by(|a, b| a.span.cmp(&b.span).then_with(|| a.rule_id.cmp(&b.rule_id)));
findings.dedup_by(|a, b| a.span == b.span && a.rule_id == b.rule_id);
findings
}
fn check_admin_routes(model: &AuthorizationModel, rules: &AuthAnalysisRules) -> Vec<AuthFinding> {
let mut findings = Vec::new();
for route in &model.routes {
let Some(unit) = model.units.get(route.unit_idx) else {
continue;
};
let requires_admin =
rules.requires_admin_path(&route.path) || route_is_admin_sensitive(unit);
if !requires_admin {
continue;
}
let has_admin = route
.middleware_calls
.iter()
.any(|mw| rules.is_admin_guard(&mw.name, &mw.args));
let has_login = route
.middleware_calls
.iter()
.any(|mw| rules.is_login_guard(&mw.name) || rules.is_admin_guard(&mw.name, &mw.args));
if !has_admin && has_login {
findings.push(AuthFinding {
rule_id: rules.rule_id("admin_route_missing_admin_check"),
severity: Severity::High,
span: route.handler_span,
message: format!(
"route `{}` appears admin-sensitive but its middleware only enforces login-level access",
route.path
),
});
}
}
findings
}
fn check_ownership_gaps(model: &AuthorizationModel, rules: &AuthAnalysisRules) -> Vec<AuthFinding> {
let mut findings = Vec::new();
for unit in &model.units {
for op in &unit.operations {
if op.kind == OperationKind::TokenLookup {
continue;
}
// `InMemoryLocal` sinks (HashMap/HashSet/Vec/… local
// bookkeeping) are never authorization-relevant.
if op.sink_class.is_some_and(|c| !c.is_auth_relevant()) {
continue;
}
if op.kind == OperationKind::Read && unit_is_auth_helper(unit) {
continue;
}
let relevant_subjects: Vec<&ValueRef> = op
.subjects
.iter()
.filter(|s| is_relevant_target_subject(s, unit))
.collect();
if relevant_subjects.is_empty() {
continue;
}
if op.kind == OperationKind::Read || op.kind == OperationKind::Mutation {
if is_delegated_read_with_actor_context(unit, op, &relevant_subjects) {
continue;
}
if !has_prior_subject_auth(unit, op, &relevant_subjects) {
findings.push(AuthFinding {
rule_id: rules.rule_id("missing_ownership_check"),
severity: Severity::High,
span: op.span,
message: format!(
"operation `{}` uses scoped identifier input without a preceding ownership or membership check",
op.callee
),
});
}
}
}
}
findings
}
fn check_partial_batch_authorization(
model: &AuthorizationModel,
rules: &AuthAnalysisRules,
) -> Vec<AuthFinding> {
let mut findings = Vec::new();
for unit in &model.units {
for op in &unit.operations {
// In-memory bookkeeping is never a batch sink.
if op.sink_class.is_some_and(|c| !c.is_auth_relevant()) {
continue;
}
let batch_subjects: Vec<&ValueRef> = op
.subjects
.iter()
.filter(|subject| is_batch_collection(subject))
.collect();
if batch_subjects.is_empty() {
continue;
}
let partial_check = unit.auth_checks.iter().any(|check| {
check.line <= op.line
&& check.subjects.iter().any(|subject| {
subject.source_kind == ValueSourceKind::ArrayIndex
&& subject.base.as_ref().is_some_and(|base| {
batch_subjects
.iter()
.any(|op_subject| op_subject.name == *base)
})
})
});
let full_collection_check = has_prior_collection_auth(unit, op, &batch_subjects);
if partial_check && !full_collection_check {
findings.push(AuthFinding {
rule_id: rules.rule_id("partial_batch_authorization"),
severity: Severity::High,
span: op.span,
message: format!(
"batch operation `{}` authorizes only a single indexed element before acting on the full collection",
op.callee
),
});
}
}
}
findings
}
fn check_stale_authorization(
model: &AuthorizationModel,
rules: &AuthAnalysisRules,
) -> Vec<AuthFinding> {
let mut findings = Vec::new();
for unit in &model.units {
for op in unit.operations.iter().filter(|operation| {
operation.kind == OperationKind::Mutation
&& operation.sink_class.is_none_or(|c| c.is_auth_relevant())
}) {
let session_subject = op.subjects.iter().any(is_stale_session_subject);
if !session_subject {
continue;
}
let has_fresh_auth = unit.auth_checks.iter().any(|check| {
check.line <= op.line
&& matches!(
check.kind,
AuthCheckKind::Ownership
| AuthCheckKind::Membership
| AuthCheckKind::AdminGuard
| AuthCheckKind::Other
)
});
if !has_fresh_auth {
findings.push(AuthFinding {
rule_id: rules.rule_id("stale_authorization"),
severity: Severity::Medium,
span: op.span,
message: format!(
"mutation `{}` relies on session-carried state without a fresh authorization check",
op.callee
),
});
}
}
}
findings
}
fn check_token_override_without_validation(
model: &AuthorizationModel,
rules: &AuthAnalysisRules,
) -> Vec<AuthFinding> {
let mut findings = Vec::new();
for unit in &model.units {
let Some(token_lookup) = unit
.operations
.iter()
.find(|operation| operation.kind == OperationKind::TokenLookup)
else {
continue;
};
let Some(final_write) = unit.operations.iter().rev().find(|operation| {
operation.kind == OperationKind::Mutation && operation.line >= token_lookup.line
}) else {
continue;
};
let override_pattern = (final_write.text.contains("||")
|| final_write
.text
.split(|ch: char| !ch.is_ascii_alphanumeric() && ch != '_')
.any(|segment| segment.eq_ignore_ascii_case("or")))
&& final_write
.subjects
.iter()
.any(|subject| subject.source_kind == ValueSourceKind::TokenField)
&& final_write
.subjects
.iter()
.any(|subject| subject.source_kind != ValueSourceKind::TokenField);
let has_expiry_check = unit
.auth_checks
.iter()
.any(|check| check.kind == AuthCheckKind::TokenExpiry)
|| unit
.condition_texts
.iter()
.any(|condition| rules.has_expiry_field(condition));
let has_recipient_check = unit
.auth_checks
.iter()
.any(|check| check.kind == AuthCheckKind::TokenRecipient)
|| unit
.condition_texts
.iter()
.any(|condition| rules.has_recipient_field(condition));
if override_pattern || !has_expiry_check || !has_recipient_check {
let mut missing = Vec::new();
if override_pattern {
missing.push("request data overrides token-bound values");
}
if !has_expiry_check {
missing.push("token expiration is not validated");
}
if !has_recipient_check {
missing.push("token recipient identity is not validated");
}
findings.push(AuthFinding {
rule_id: rules.rule_id("token_override_without_validation"),
severity: Severity::High,
span: final_write.span,
message: format!(
"token acceptance flow writes through `{}` without validating that {}",
final_write.callee,
missing.join(", ")
),
});
}
}
findings
}
fn route_is_admin_sensitive(unit: &AnalysisUnit) -> bool {
unit.call_sites.iter().any(|call| {
let lower = call.name.to_ascii_lowercase();
lower.contains("admin") || lower.contains("impersonat") || lower.contains("role")
})
}
fn has_prior_subject_auth(
unit: &AnalysisUnit,
op: &SensitiveOperation,
subjects: &[&ValueRef],
) -> bool {
let relevant_checks = unit.auth_checks.iter().filter(|check| {
check.line <= op.line
&& !matches!(
check.kind,
AuthCheckKind::LoginGuard
| AuthCheckKind::TokenExpiry
| AuthCheckKind::TokenRecipient
)
});
relevant_checks.into_iter().any(|check| {
subjects
.iter()
.any(|subject| auth_check_covers_subject(check, subject, unit))
})
}
fn has_prior_collection_auth(
unit: &AnalysisUnit,
op: &SensitiveOperation,
subjects: &[&ValueRef],
) -> bool {
let relevant_checks = unit.auth_checks.iter().filter(|check| {
check.line <= op.line
&& !matches!(
check.kind,
AuthCheckKind::LoginGuard
| AuthCheckKind::TokenExpiry
| AuthCheckKind::TokenRecipient
)
});
relevant_checks.into_iter().any(|check| {
subjects.iter().any(|subject| {
check.subjects.iter().any(|check_subject| {
check_subject.source_kind != ValueSourceKind::ArrayIndex
&& canonical_subject_name(check_subject) == subject.name
})
})
})
}
fn auth_check_covers_subject(check: &AuthCheck, subject: &ValueRef, unit: &AnalysisUnit) -> bool {
let subject_key = canonical_subject_name(subject);
let subject_related_base = related_subject_base(subject);
// A2 + B3: walk the row-binding chain from this subject so a
// check subject naming any ancestor row covers downstream column
// reads. E.g. `group_id → row → rows`: a check on `rows` (the
// SQL-authorized result var) covers the subject `group_id`.
let subject_row_chain = row_binding_chain(unit, &subject.name);
// B3: if any ancestor row is in the SQL-authorized set, every
// ownership check materially covers this subject. We model this
// by treating the SQL synth check as covering whatever subject
// names share an ancestor in `authorized_sql_vars`.
let subject_anchor_authorized = subject_row_chain
.iter()
.any(|name| unit.authorized_sql_vars.contains(name));
check.subjects.iter().any(|check_subject| {
let check_key = canonical_subject_name(check_subject);
let check_related_base = related_subject_base(check_subject);
if check_key == subject_key
|| (subject_related_base.is_some() && subject_related_base == check_related_base)
|| (subject_related_base.as_ref() == Some(&check_key))
|| (check_related_base.as_ref() == Some(&subject_key))
{
return true;
}
for row in &subject_row_chain {
if check_key == *row || check_related_base.as_deref() == Some(row.as_str()) {
return true;
}
}
// B3: SQL synth checks name the auth-gated row var directly.
// If our subject's row chain leads into the same authorized
// var family this check anchors to, accept the coverage.
if subject_anchor_authorized && unit.authorized_sql_vars.contains(&check_key) {
return true;
}
false
})
}
/// Walk `unit.row_field_vars` transitively from `start` (inclusive)
/// to recover every ancestor row binding name. Cycle-safe via a
/// visited set; depth-bounded at 16 hops to keep the worst case
/// trivial. Returns a vec containing `start` followed by each
/// ancestor — empty when `start` is empty.
fn row_binding_chain(unit: &AnalysisUnit, start: &str) -> Vec<String> {
let mut chain: Vec<String> = Vec::new();
if start.is_empty() {
return chain;
}
let mut cur = start.to_string();
let mut seen: std::collections::HashSet<String> = std::collections::HashSet::new();
let mut hops = 0;
while hops < 16 && seen.insert(cur.clone()) {
chain.push(cur.clone());
let Some(next) = unit.row_field_vars.get(&cur) else {
break;
};
cur = next.clone();
hops += 1;
}
chain
}
fn canonical_subject_name(subject: &ValueRef) -> String {
match subject.source_kind {
ValueSourceKind::ArrayIndex => subject.base.clone().unwrap_or_else(|| subject.name.clone()),
_ => subject.name.clone(),
}
}
fn related_subject_base(subject: &ValueRef) -> Option<String> {
let base = subject.base.as_deref()?;
let lower = base.to_ascii_lowercase();
if lower == "req"
|| lower.starts_with("req.")
|| lower == "request"
|| lower.starts_with("request.")
|| lower == "ctx"
|| lower.starts_with("ctx.")
|| lower == "session"
|| lower.starts_with("session.")
{
None
} else {
Some(base.to_string())
}
}
fn is_relevant_target_subject(subject: &ValueRef, unit: &AnalysisUnit) -> bool {
is_id_like(subject) && !is_actor_context_subject(subject, unit)
}
fn is_actor_context_subject(subject: &ValueRef, unit: &AnalysisUnit) -> bool {
if is_self_scoped_session_subject(subject) {
return true;
}
// A3: `V.id`-shape subjects where `V` is bound from a login-guard /
// auth-check call (or from a typed self-actor extractor parameter)
// are the caller's own id. `V.group_id` / `V.workspace_id` stay
// relevant — only self-identifier fields trip this branch, so
// foreign scoped ids on the same actor binding still flag.
if let Some(base) = subject.base.as_deref() {
let root = base.split('.').next().unwrap_or(base);
if unit.self_actor_vars.contains(root)
&& subject.field.as_deref().is_some_and(is_self_actor_id_field)
{
return true;
}
}
// Transitive copy of `V.id`: `let uid = user.id; query(.., &[uid])`
// — the subject `uid` is a plain identifier with no base/field, but
// was recorded as a self-actor id copy at extract time. Treat it
// as actor context.
if unit.self_actor_id_vars.contains(&subject.name) {
return true;
}
matches!(
subject_identity_key(subject).as_deref(),
Some(
"ownerid"
| "authorid"
| "actorid"
| "currentuserid"
| "uploaderid"
| "createdby"
| "updatedby"
)
)
}
fn is_self_actor_id_field(field: &str) -> bool {
let lower = field.to_ascii_lowercase();
matches!(
lower.as_str(),
"id" | "user_id" | "userid" | "uid"
// Self-publish / self-channel fields: when the receiver
// is bound from `require_auth(..)`, `user.email` /
// `user.username` / `user.handle` reference the actor's
// own identity (e.g. `realtime.publish_to_user(&user.email,
// ...)` is a self-channel publish, not a foreign target).
| "email" | "username" | "handle"
)
}
fn subject_identity_key(subject: &ValueRef) -> Option<String> {
let raw = match subject.source_kind {
ValueSourceKind::ArrayIndex => subject.base.as_deref().unwrap_or(&subject.name),
_ => subject
.field
.as_deref()
.or(subject.base.as_deref())
.unwrap_or(&subject.name),
};
let key: String = raw
.chars()
.filter(|c| c.is_ascii_alphanumeric())
.map(|c| c.to_ascii_lowercase())
.collect();
if key.is_empty() { None } else { Some(key) }
}
fn is_self_scoped_session_subject(subject: &ValueRef) -> bool {
subject.source_kind == ValueSourceKind::Session
&& subject
.base
.as_deref()
.is_some_and(is_self_scoped_session_base)
}
fn is_self_scoped_session_base(base: &str) -> bool {
matches!(
base,
"req.session.user"
| "request.session.user"
| "session.user"
| "req.session.currentUser"
| "request.session.currentUser"
| "session.currentUser"
| "req.user"
| "request.user"
| "req.currentUser"
| "request.currentUser"
| "ctx.session.user"
| "ctx.session.currentUser"
| "ctx.state.user"
| "ctx.state.currentUser"
)
}
fn is_stale_session_subject(subject: &ValueRef) -> bool {
subject.source_kind == ValueSourceKind::Session
&& is_id_like(subject)
&& !is_self_scoped_session_subject(subject)
}
fn unit_is_auth_helper(unit: &AnalysisUnit) -> bool {
let Some(name) = unit.name.as_deref() else {
return false;
};
let normalized: String = name
.chars()
.filter(|c| c.is_ascii_alphanumeric())
.map(|c| c.to_ascii_lowercase())
.collect();
(normalized.starts_with("has")
|| normalized.starts_with("check")
|| normalized.starts_with("require")
|| normalized.starts_with("verify")
|| normalized.starts_with("authorize")
|| normalized.starts_with("can")
|| normalized.starts_with("is"))
&& (normalized.contains("membership")
|| normalized.contains("ownership")
|| normalized.contains("access")
|| normalized.contains("permission")
|| normalized.contains("authoriz"))
}
fn is_delegated_read_with_actor_context(
unit: &AnalysisUnit,
op: &SensitiveOperation,
relevant_subjects: &[&ValueRef],
) -> bool {
unit.kind == super::model::AnalysisUnitKind::RouteHandler
&& op.kind == OperationKind::Read
&& op.callee.to_ascii_lowercase().contains("service")
&& op.subjects.iter().any(is_self_scoped_session_subject)
&& relevant_subjects.iter().any(|subject| {
matches!(
subject.source_kind,
ValueSourceKind::RequestParam
| ValueSourceKind::RequestBody
| ValueSourceKind::RequestQuery
)
})
}
fn is_id_like(subject: &ValueRef) -> bool {
let field = subject
.field
.as_deref()
.or(subject.base.as_deref())
.unwrap_or(&subject.name);
let lower = field.to_ascii_lowercase();
lower == "id"
|| lower.ends_with("id")
|| lower.ends_with("_id")
|| lower.ends_with("ids")
|| lower.contains("workspaceid")
|| lower.contains("projectid")
|| lower.contains("noteid")
}
fn is_batch_collection(subject: &ValueRef) -> bool {
subject.source_kind == ValueSourceKind::Identifier
&& subject.name.to_ascii_lowercase().ends_with("ids")
}
#[cfg(test)]
mod tests {
use super::{is_actor_context_subject, is_relevant_target_subject};
use crate::auth_analysis::model::{AnalysisUnit, AnalysisUnitKind, ValueRef, ValueSourceKind};
use std::collections::{HashMap, HashSet};
fn empty_unit() -> AnalysisUnit {
AnalysisUnit {
kind: AnalysisUnitKind::Function,
name: Some("handle".into()),
span: (0, 0),
params: Vec::new(),
context_inputs: Vec::new(),
call_sites: Vec::new(),
auth_checks: Vec::new(),
operations: Vec::new(),
value_refs: Vec::new(),
condition_texts: Vec::new(),
line: 1,
row_field_vars: HashMap::new(),
self_actor_vars: HashSet::new(),
self_actor_id_vars: HashSet::new(),
authorized_sql_vars: HashSet::new(),
}
}
fn member(base: &str, field: &str) -> ValueRef {
ValueRef {
source_kind: ValueSourceKind::MemberField,
name: format!("{base}.{field}"),
base: Some(base.to_string()),
field: Some(field.to_string()),
index: None,
span: (0, 0),
}
}
#[test]
fn self_actor_var_widens_actor_context_for_self_id_fields() {
let mut unit = empty_unit();
unit.self_actor_vars.insert("user".into());
// `user.id`-shape subjects count as actor context now.
assert!(is_actor_context_subject(&member("user", "id"), &unit));
assert!(is_actor_context_subject(&member("user", "user_id"), &unit));
assert!(is_actor_context_subject(&member("user", "uid"), &unit));
// Pitfall guard: `user.group_id` / `user.workspace_id` stay
// relevant — only self-identifier fields trip the widening.
assert!(!is_actor_context_subject(
&member("user", "group_id"),
&unit
));
assert!(!is_actor_context_subject(
&member("user", "workspace_id"),
&unit
));
// Variables not in self_actor_vars fall back to the existing
// identity-key match — `target.id` still flags.
assert!(!is_actor_context_subject(&member("target", "id"), &unit));
}
#[test]
fn self_actor_var_suppresses_relevant_subject_for_self_id() {
let mut unit = empty_unit();
unit.self_actor_vars.insert("user".into());
assert!(!is_relevant_target_subject(&member("user", "id"), &unit));
// Foreign id on the same actor binding still matters.
assert!(is_relevant_target_subject(
&member("user", "group_id"),
&unit
));
}
fn plain(name: &str) -> ValueRef {
ValueRef {
source_kind: ValueSourceKind::Identifier,
name: name.to_string(),
base: None,
field: None,
index: None,
span: (0, 0),
}
}
/// Real-repo regression: `let uid = user.id; query(.., &[uid])`.
/// `uid` lives in `self_actor_id_vars` and the subject `uid`
/// (plain Local, no base/field) must count as actor context.
#[test]
fn self_actor_id_vars_widens_actor_context_for_plain_subjects() {
let mut unit = empty_unit();
unit.self_actor_id_vars.insert("uid".into());
// `uid` plain subject is recognised as actor context.
assert!(is_actor_context_subject(&plain("uid"), &unit));
// Plain identifiers NOT in the set still flag.
assert!(!is_actor_context_subject(&plain("trip_id"), &unit));
assert!(!is_actor_context_subject(&plain("doc_id"), &unit));
}
/// Self-publish identity fields: `&user.email` /
/// `&user.username` / `&user.handle` for a self-actor must be
/// recognised as actor context (real-repo `realtime::publish_to_user`
/// shape).
#[test]
fn self_actor_id_field_set_includes_email_username_handle() {
let mut unit = empty_unit();
unit.self_actor_vars.insert("user".into());
assert!(is_actor_context_subject(&member("user", "email"), &unit));
assert!(is_actor_context_subject(&member("user", "username"), &unit));
assert!(is_actor_context_subject(&member("user", "handle"), &unit));
// Foreign-user fields still flag.
assert!(!is_actor_context_subject(&member("target", "email"), &unit));
}
}

1617
src/auth_analysis/config.rs Normal file
View file

File diff suppressed because it is too large Load diff

273
src/auth_analysis/extract/actix_web.rs Normal file
View file

@ -0,0 +1,273 @@
use super::AuthExtractor;
use super::axum::{
GuardFramework, apply_aliases, dedup_call_sites, expanded_guard_call_sites,
guard_calls_for_handler, inject_guard_checks, rust_param_aliases,
};
use super::common::{
attach_route_handler, call_name, collect_top_level_units, named_children, resolve_handler_node,
string_literal_value,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{
AuthorizationModel, CallSite, Framework, HttpMethod, RouteRegistration,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct ActixWebExtractor;
impl AuthExtractor for ActixWebExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "rust"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::ActixWeb))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
collect_routes(root, root, bytes, path, rules, &mut model);
model
}
}
fn collect_routes(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_routes(root, child, bytes, path, rules, model);
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if call_name(node, bytes).rsplit('.').next() != Some("route") {
return;
}
let receiver = node.child_by_field_name("function").and_then(|function| {
function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
});
let receiver_spec = receiver
.map(|r| parse_service_receiver(r, bytes))
.unwrap_or_default();
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let (route_suffix, builder_node) = if args.len() >= 2 {
let Some(route_path) = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
else {
return;
};
let Some(builder_node) = args.get(1).copied() else {
return;
};
(route_path, builder_node)
} else if args.len() == 1 && !receiver_spec.resource_path.is_empty() {
(String::new(), args[0])
} else {
return;
};
let Some(spec) = parse_route_builder(builder_node, bytes) else {
return;
};
let Some(handler_node) = resolve_handler_node(root, spec.handler_expr, bytes) else {
return;
};
let Some(handler) = attach_route_handler(
root,
spec.handler_expr,
format!(
"{:?} {}",
spec.method,
join_paths(
&join_paths(&receiver_spec.scope_prefix, &receiver_spec.resource_path),
&route_suffix
)
),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = receiver_spec.middleware_calls;
middleware_calls.extend(spec.middleware_calls);
let guard_calls =
guard_calls_for_handler(handler_node, &route_suffix, bytes, GuardFramework::ActixWeb);
middleware_calls.extend(guard_calls.clone());
dedup_call_sites(&mut middleware_calls);
if let Some(unit) = model.units.get_mut(handler.unit_idx) {
let aliases =
rust_param_aliases(handler_node, &route_suffix, bytes, GuardFramework::ActixWeb);
apply_aliases(unit, &aliases);
inject_guard_checks(unit, &guard_calls, rules);
}
model.routes.push(RouteRegistration {
framework: Framework::ActixWeb,
method: spec.method,
path: join_paths(
&join_paths(&receiver_spec.scope_prefix, &receiver_spec.resource_path),
&route_suffix,
),
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span: handler.span,
handler_params: handler.params,
file: path.to_path_buf(),
line: handler.line,
unit_idx: handler.unit_idx,
middleware_calls,
});
}
#[derive(Default)]
struct ReceiverSpec {
scope_prefix: String,
resource_path: String,
middleware_calls: Vec<CallSite>,
}
fn parse_service_receiver(node: Node<'_>, bytes: &[u8]) -> ReceiverSpec {
if node.kind() != "call_expression" {
return ReceiverSpec::default();
}
let name = call_name(node, bytes);
let method = name.rsplit('.').next().unwrap_or_default();
let receiver = node.child_by_field_name("function").and_then(|function| {
function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
});
let mut spec = receiver
.map(|receiver| parse_service_receiver(receiver, bytes))
.unwrap_or_default();
match method {
"scope" => {
if let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(prefix) = named_children(arguments)
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
{
spec.scope_prefix = join_paths(&spec.scope_prefix, &prefix);
}
}
"resource" => {
if let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(path) = named_children(arguments)
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
{
spec.resource_path = path;
}
}
"wrap" | "guard" => {
if let Some(arguments) = node.child_by_field_name("arguments") {
for arg in named_children(arguments) {
spec.middleware_calls
.extend(expanded_guard_call_sites(arg, bytes));
}
}
}
_ => {}
}
spec
}
struct BuilderSpec<'tree> {
method: HttpMethod,
handler_expr: Node<'tree>,
middleware_calls: Vec<CallSite>,
}
fn parse_route_builder<'tree>(node: Node<'tree>, bytes: &[u8]) -> Option<BuilderSpec<'tree>> {
let name = call_name(node, bytes);
let method = name.rsplit('.').next().unwrap_or_default();
if matches!(method, "to" | "guard") {
let receiver = node.child_by_field_name("function").and_then(|function| {
function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
})?;
let mut spec = parse_route_builder(receiver, bytes)?;
if method == "to" {
let args = node
.child_by_field_name("arguments")
.map(named_children)
.unwrap_or_default();
spec.handler_expr = *args.last()?;
} else if let Some(arguments) = node.child_by_field_name("arguments") {
for arg in named_children(arguments) {
spec.middleware_calls
.extend(expanded_guard_call_sites(arg, bytes));
}
}
return Some(spec);
}
let method = actix_http_method(method)?;
Some(BuilderSpec {
method,
handler_expr: node,
middleware_calls: Vec::new(),
})
}
fn actix_http_method(name: &str) -> Option<HttpMethod> {
match name {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
_ => None,
}
}
fn join_paths(prefix: &str, route: &str) -> String {
match (prefix.trim_end_matches('/'), route.trim_start_matches('/')) {
("", "") => "/".to_string(),
("", route) => format!("/{route}"),
(prefix, "") => prefix.to_string(),
(prefix, route) => format!("{prefix}/{route}"),
}
}

617
src/auth_analysis/extract/axum.rs Normal file
View file

@ -0,0 +1,617 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_name, call_site_from_node, call_sites_from_value,
collect_top_level_units, function_definition_node, named_children, resolve_handler_node,
string_literal_value, text,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{
AuthCheck, AuthCheckKind, AuthorizationModel, CallSite, Framework, HttpMethod,
RouteRegistration, ValueRef, ValueSourceKind,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct AxumExtractor;
impl AuthExtractor for AxumExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "rust"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Axum))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
collect_routes(root, root, bytes, path, rules, &mut model);
model
}
}
fn collect_routes(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_routes(root, child, bytes, path, rules, model);
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if call_name(node, bytes).rsplit('.').next() != Some("route") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some(route_spec) = args.get(1).copied() else {
return;
};
let Some(spec) = parse_method_router(route_spec, bytes) else {
return;
};
let Some(handler_node) = resolve_handler_node(root, spec.handler_expr, bytes) else {
return;
};
let Some(handler) = attach_route_handler(
root,
spec.handler_expr,
format!("{:?} {}", spec.method, route_path),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = inherited_layer_calls(node, bytes);
middleware_calls.extend(spec.middleware_calls.clone());
let guard_calls =
guard_calls_for_handler(handler_node, &route_path, bytes, GuardFramework::Axum);
middleware_calls.extend(guard_calls.clone());
dedup_call_sites(&mut middleware_calls);
if let Some(unit) = model.units.get_mut(handler.unit_idx) {
let aliases = rust_param_aliases(handler_node, &route_path, bytes, GuardFramework::Axum);
apply_aliases(unit, &aliases);
inject_guard_checks(unit, &guard_calls, rules);
}
model.routes.push(RouteRegistration {
framework: Framework::Axum,
method: spec.method,
path: route_path,
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span: handler.span,
handler_params: handler.params,
file: path.to_path_buf(),
line: handler.line,
unit_idx: handler.unit_idx,
middleware_calls,
});
}
struct MethodRouterSpec<'tree> {
method: HttpMethod,
handler_expr: Node<'tree>,
middleware_calls: Vec<CallSite>,
}
fn parse_method_router<'tree>(node: Node<'tree>, bytes: &[u8]) -> Option<MethodRouterSpec<'tree>> {
let last = call_name(node, bytes).rsplit('.').next()?.to_string();
if let Some(method) = axum_http_method(&last) {
let args = node
.child_by_field_name("arguments")
.map(named_children)
.unwrap_or_default();
let handler_expr = *args.last()?;
return Some(MethodRouterSpec {
method,
handler_expr,
middleware_calls: Vec::new(),
});
}
if node.kind() != "call_expression" {
return None;
}
let function = node.child_by_field_name("function")?;
let receiver = function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))?;
let mut spec = parse_method_router(receiver, bytes)?;
match last.as_str() {
"layer" | "route_layer" => {
if let Some(arguments) = node.child_by_field_name("arguments") {
for arg in named_children(arguments) {
spec.middleware_calls
.extend(expanded_guard_call_sites(arg, bytes));
}
}
Some(spec)
}
_ => None,
}
}
fn axum_http_method(name: &str) -> Option<HttpMethod> {
match name {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
"any" => Some(HttpMethod::All),
_ => None,
}
}
fn inherited_layer_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let Some(function) = node.child_by_field_name("function") else {
return Vec::new();
};
let Some(receiver) = function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
else {
return Vec::new();
};
collect_layer_calls(receiver, bytes)
}
fn collect_layer_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
if node.kind() != "call_expression" {
return Vec::new();
}
let mut calls = Vec::new();
let name = call_name(node, bytes);
if matches!(name.rsplit('.').next(), Some("layer" | "route_layer"))
&& let Some(arguments) = node.child_by_field_name("arguments")
{
for arg in named_children(arguments) {
calls.extend(expanded_guard_call_sites(arg, bytes));
}
}
if let Some(function) = node.child_by_field_name("function")
&& let Some(receiver) = function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
{
calls.extend(collect_layer_calls(receiver, bytes));
}
calls
}
#[derive(Clone, Copy)]
pub(crate) enum GuardFramework {
Axum,
ActixWeb,
Rocket,
}
pub(crate) fn rust_param_aliases(
handler_node: Node<'_>,
route_path: &str,
bytes: &[u8],
framework: GuardFramework,
) -> HashMap<String, ValueSourceKind> {
let mut aliases = HashMap::new();
let Some(parameters) = function_definition_node(handler_node).child_by_field_name("parameters")
else {
return aliases;
};
let path_names = route_placeholder_names(route_path);
let query_names = route_query_placeholder_names(route_path);
for param in named_children(parameters) {
let param_text = text(param, bytes);
if param.kind() == "self_parameter" || param_text.trim().is_empty() {
continue;
}
let binding = rust_binding_name(&param_text);
let type_text = rust_param_type_text(param, bytes, &param_text);
if binding.is_empty() || type_text.is_empty() {
continue;
}
let kind = match framework {
GuardFramework::Axum => classify_axum_param(&binding, &type_text),
GuardFramework::ActixWeb => classify_actix_param(&binding, &type_text),
GuardFramework::Rocket => {
classify_rocket_param(&binding, &type_text, &path_names, &query_names)
}
};
if let Some(kind) = kind {
aliases.insert(binding, kind);
}
}
aliases
}
pub(crate) fn guard_calls_for_handler(
handler_node: Node<'_>,
route_path: &str,
bytes: &[u8],
framework: GuardFramework,
) -> Vec<CallSite> {
let mut calls = Vec::new();
let Some(parameters) = function_definition_node(handler_node).child_by_field_name("parameters")
else {
return calls;
};
let span = (handler_node.start_byte(), handler_node.end_byte());
let path_names = route_placeholder_names(route_path);
let query_names = route_query_placeholder_names(route_path);
for param in named_children(parameters) {
let param_text = text(param, bytes);
if param.kind() == "self_parameter" || param_text.trim().is_empty() {
continue;
}
let type_text = rust_param_type_text(param, bytes, &param_text);
let Some(kind) = (match framework {
GuardFramework::Axum => classify_guard_type(&type_text),
GuardFramework::ActixWeb => classify_guard_type(&type_text),
GuardFramework::Rocket => classify_rocket_guard_type(
&type_text,
&rust_binding_name(&param_text),
&path_names,
&query_names,
),
}) else {
continue;
};
let name = type_last_segment(&type_text);
if !name.is_empty() {
calls.push(CallSite {
name,
args: Vec::new(),
span,
args_value_refs: Vec::new(),
});
if matches!(kind, AuthCheckKind::AdminGuard) {
calls.push(CallSite {
name: "require_admin".to_string(),
args: Vec::new(),
span,
args_value_refs: Vec::new(),
});
}
}
}
dedup_call_sites(&mut calls);
calls
}
fn classify_axum_param(binding: &str, type_text: &str) -> Option<ValueSourceKind> {
if wrapper_type_matches(type_text, &["Path"]) {
Some(ValueSourceKind::RequestParam)
} else if wrapper_type_matches(type_text, &["Query"]) {
Some(ValueSourceKind::RequestQuery)
} else if wrapper_type_matches(type_text, &["Json", "Form"]) {
Some(ValueSourceKind::RequestBody)
} else if wrapper_type_matches(type_text, &["State", "Extension"]) || binding == "session" {
Some(ValueSourceKind::Session)
} else {
None
}
}
fn classify_actix_param(binding: &str, type_text: &str) -> Option<ValueSourceKind> {
if wrapper_type_matches(type_text, &["Path"]) {
Some(ValueSourceKind::RequestParam)
} else if wrapper_type_matches(type_text, &["Query"]) {
Some(ValueSourceKind::RequestQuery)
} else if wrapper_type_matches(type_text, &["Json", "Form"]) {
Some(ValueSourceKind::RequestBody)
} else if wrapper_type_matches(type_text, &["Session", "Identity", "ReqData"])
|| binding == "session"
{
Some(ValueSourceKind::Session)
} else {
None
}
}
fn classify_rocket_param(
binding: &str,
type_text: &str,
path_names: &[String],
query_names: &[String],
) -> Option<ValueSourceKind> {
if wrapper_type_matches(type_text, &["Json", "Form"]) {
Some(ValueSourceKind::RequestBody)
} else if wrapper_type_matches(type_text, &["State", "Session"]) || binding == "session" {
Some(ValueSourceKind::Session)
} else if query_names.iter().any(|name| name == binding) {
Some(ValueSourceKind::RequestQuery)
} else if path_names.iter().any(|name| name == binding) {
Some(ValueSourceKind::RequestParam)
} else {
None
}
}
fn classify_guard_type(type_text: &str) -> Option<AuthCheckKind> {
let lower = type_text.to_ascii_lowercase();
if is_extractor_wrapper(&lower) {
return None;
}
if lower.contains("admin") {
Some(AuthCheckKind::AdminGuard)
} else if lower.contains("user")
|| lower.contains("auth")
|| lower.contains("session")
|| lower.contains("identity")
{
Some(AuthCheckKind::LoginGuard)
} else {
None
}
}
fn classify_rocket_guard_type(
type_text: &str,
binding: &str,
path_names: &[String],
query_names: &[String],
) -> Option<AuthCheckKind> {
if path_names.iter().any(|name| name == binding)
|| query_names.iter().any(|name| name == binding)
{
return None;
}
classify_guard_type(type_text)
}
fn is_extractor_wrapper(lower: &str) -> bool {
lower.contains("path<")
|| lower.contains("query<")
|| lower.contains("json<")
|| lower.contains("form<")
|| lower.contains("state<")
|| lower.contains("extension<")
|| lower.contains("web::")
}
fn wrapper_type_matches(type_text: &str, wrappers: &[&str]) -> bool {
let normalized = type_text.replace(' ', "");
wrappers.iter().any(|wrapper| {
normalized.contains(&format!("{wrapper}<")) || normalized.contains(&format!("::{wrapper}<"))
})
}
fn rust_binding_name(param_text: &str) -> String {
let before_colon = param_text.split(':').next().unwrap_or(param_text).trim();
let tokens: Vec<&str> = before_colon
.split(|ch: char| !(ch.is_ascii_alphanumeric() || ch == '_'))
.filter(|token| !token.is_empty() && *token != "mut")
.collect();
tokens.last().copied().unwrap_or_default().to_string()
}
fn rust_param_type_text(param: Node<'_>, bytes: &[u8], param_text: &str) -> String {
param
.child_by_field_name("type")
.map(|node| text(node, bytes))
.or_else(|| {
param_text
.split_once(':')
.map(|(_, ty)| ty.trim().to_string())
})
.unwrap_or_default()
}
fn route_placeholder_names(route_path: &str) -> Vec<String> {
route_path
.split(['/', '<', '>', ':', '{', '}'])
.filter(|segment| !segment.is_empty())
.filter(|segment| !segment.contains('?'))
.filter(|segment| {
route_path.contains(&format!("<{segment}>"))
|| route_path.contains(&format!(":{segment}"))
|| route_path.contains(&format!("{{{segment}}}"))
})
.map(|segment| segment.to_string())
.collect()
}
fn route_query_placeholder_names(route_path: &str) -> Vec<String> {
let Some((_, query)) = route_path.split_once('?') else {
return Vec::new();
};
query
.split('&')
.filter_map(|segment| {
if let Some(name) = segment.strip_prefix('<').and_then(|s| s.strip_suffix('>')) {
Some(name.to_string())
} else {
segment
.split('=')
.next()
.map(str::trim)
.filter(|name| !name.is_empty())
.map(|name| name.to_string())
}
})
.collect()
}
fn type_last_segment(type_text: &str) -> String {
type_text
.trim_start_matches('&')
.split(|ch: char| !(ch.is_ascii_alphanumeric() || ch == '_' || ch == ':'))
.find(|segment| !segment.is_empty())
.and_then(|segment| segment.rsplit("::").next())
.unwrap_or_default()
.to_string()
}
pub(crate) fn expanded_guard_call_sites(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let mut calls = call_sites_from_value(node, bytes);
if node.kind() == "call_expression" {
let name = call_name(node, bytes);
if matches!(
name.rsplit('.').next(),
Some("from_fn" | "from_fn_with_state" | "wrap_fn" | "fn_guard")
) && let Some(arguments) = node.child_by_field_name("arguments")
{
for arg in named_children(arguments) {
let inner = call_site_from_node(arg, bytes);
if !inner.name.is_empty() {
calls.push(inner);
}
}
}
}
dedup_call_sites(&mut calls);
calls
}
pub(crate) fn dedup_call_sites(calls: &mut Vec<CallSite>) {
let mut deduped = Vec::new();
for call in calls.drain(..) {
if !deduped.iter().any(|existing: &CallSite| {
existing.name == call.name && existing.span == call.span && existing.args == call.args
}) {
deduped.push(call);
}
}
*calls = deduped;
}
pub(crate) fn apply_aliases(
unit: &mut crate::auth_analysis::model::AnalysisUnit,
aliases: &HashMap<String, ValueSourceKind>,
) {
for value in &mut unit.value_refs {
apply_alias_to_value(value, aliases);
}
for check in &mut unit.auth_checks {
for subject in &mut check.subjects {
apply_alias_to_value(subject, aliases);
}
}
for op in &mut unit.operations {
for subject in &mut op.subjects {
apply_alias_to_value(subject, aliases);
}
}
unit.context_inputs = unit
.value_refs
.iter()
.filter(|value| {
matches!(
value.source_kind,
ValueSourceKind::RequestParam
| ValueSourceKind::RequestBody
| ValueSourceKind::RequestQuery
| ValueSourceKind::Session
)
})
.cloned()
.collect();
}
fn apply_alias_to_value(value: &mut ValueRef, aliases: &HashMap<String, ValueSourceKind>) {
let root = value
.base
.as_deref()
.and_then(first_identifier)
.or_else(|| first_identifier(&value.name));
let Some(root) = root else {
return;
};
let Some(kind) = aliases.get(root) else {
return;
};
if value.source_kind == ValueSourceKind::ArrayIndex && *kind != ValueSourceKind::Session {
return;
}
value.source_kind = *kind;
}
fn first_identifier(input: &str) -> Option<&str> {
let mut end = input.len();
for (idx, ch) in input.char_indices() {
if !(ch.is_ascii_alphanumeric() || ch == '_') {
end = idx;
break;
}
}
if end == 0 { None } else { Some(&input[..end]) }
}
pub(crate) fn inject_guard_checks(
unit: &mut crate::auth_analysis::model::AnalysisUnit,
guard_calls: &[CallSite],
rules: &AuthAnalysisRules,
) {
let line = unit.line;
for call in guard_calls {
let kind = if rules.is_admin_guard(&call.name, &call.args) {
AuthCheckKind::AdminGuard
} else if rules.is_login_guard(&call.name) {
AuthCheckKind::LoginGuard
} else {
continue;
};
unit.auth_checks.push(AuthCheck {
kind,
callee: call.name.clone(),
subjects: Vec::new(),
span: call.span,
line,
args: call.args.clone(),
condition_text: None,
});
}
}

2480
src/auth_analysis/extract/common.rs Normal file
View file

File diff suppressed because it is too large Load diff

449
src/auth_analysis/extract/django.rs Normal file
View file

@ -0,0 +1,449 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, call_site_from_node,
decorated_definition_child, member_chain, named_children, push_route_registration, span,
string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name};
use crate::auth_analysis::extract::common::{attach_route_handler, collect_top_level_units};
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct DjangoExtractor;
impl AuthExtractor for DjangoExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "python"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Django))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call" {
maybe_collect_django_path(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_django_path(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let callee = text(function, bytes);
let target = callee.rsplit('.').next().unwrap_or(&callee);
if !matches!(target, "path" | "re_path") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(route_path) = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
else {
return;
};
let Some(handler_expr) = args.get(1).copied() else {
return;
};
if let Some(class_name) = as_view_class_name(handler_expr, bytes) {
collect_class_based_routes(root, &class_name, &route_path, bytes, path, rules, model);
return;
}
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("All {}", route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = function_view_middleware(root, handler_expr, bytes);
inject_middleware_auth(
model,
handler.unit_idx,
handler.line,
&middleware_calls,
rules,
);
for method in function_view_methods(root, handler_expr, bytes) {
push_route_registration(
model,
Framework::Django,
method,
route_path.clone(),
path,
super::common::ResolvedHandler {
unit_idx: handler.unit_idx,
span: handler.span,
params: handler.params.clone(),
line: handler.line,
},
middleware_calls.clone(),
);
}
}
fn function_view_middleware(root: Node<'_>, handler_expr: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let Some(handler_node) = resolve_function_node(root, handler_expr, bytes) else {
return Vec::new();
};
if handler_node.kind() != "decorated_definition" {
return Vec::new();
}
decorator_expressions(handler_node)
.into_iter()
.filter(|decorator| http_methods_from_decorator(*decorator, bytes).is_none())
.flat_map(|decorator| expand_decorator_calls(decorator, bytes))
.collect()
}
fn function_view_methods(root: Node<'_>, handler_expr: Node<'_>, bytes: &[u8]) -> Vec<HttpMethod> {
let Some(handler_node) = resolve_function_node(root, handler_expr, bytes) else {
return vec![HttpMethod::All];
};
if handler_node.kind() != "decorated_definition" {
return vec![HttpMethod::All];
}
let mut methods = Vec::new();
for decorator in decorator_expressions(handler_node) {
if let Some(found) = http_methods_from_decorator(decorator, bytes) {
methods.extend(found);
}
}
if methods.is_empty() {
vec![HttpMethod::All]
} else {
methods
}
}
fn collect_class_based_routes(
root: Node<'_>,
class_name: &str,
route_path: &str,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(class_node) = find_top_level_class_node(root, class_name, bytes) else {
return;
};
let Some(class_definition) = class_definition_node(class_node) else {
return;
};
let class_middleware = class_middleware_calls(class_node, class_definition, bytes);
let Some(body) = class_definition.child_by_field_name("body") else {
return;
};
for child in named_children(body) {
let method_node =
if child.kind() == "function_definition" || child.kind() == "decorated_definition" {
Some(child)
} else {
None
};
let Some(method_node) = method_node else {
continue;
};
let method_name = function_name(method_node, bytes).unwrap_or_default();
let Some(http_method) = method_name_to_http_method(&method_name) else {
continue;
};
let route_name = format!("{class_name}.{method_name}");
let unit_idx = model.units.len();
let mut unit = build_function_unit(
method_node,
AnalysisUnitKind::RouteHandler,
Some(route_name.clone()),
bytes,
rules,
);
let mut middleware_calls = class_middleware.clone();
if method_node.kind() == "decorated_definition" {
for decorator in decorator_expressions(method_node) {
if http_methods_from_decorator(decorator, bytes).is_none() {
middleware_calls.extend(expand_decorator_calls(decorator, bytes));
}
}
}
let line = method_node.start_position().row + 1;
for call in &middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
let handler_span = span(method_node);
let handler_params = unit.params.clone();
model.units.push(unit);
push_route_registration(
model,
Framework::Django,
http_method,
route_path.to_string(),
path,
super::common::ResolvedHandler {
unit_idx,
span: handler_span,
params: handler_params,
line,
},
middleware_calls,
);
}
}
fn class_middleware_calls(
class_node: Node<'_>,
class_definition: Node<'_>,
bytes: &[u8],
) -> Vec<CallSite> {
let mut calls = Vec::new();
if class_node.kind() == "decorated_definition" {
for decorator in decorator_expressions(class_node) {
calls.extend(expand_decorator_calls(decorator, bytes));
}
}
if let Some(superclasses) = class_definition.child_by_field_name("superclasses") {
for superclass in named_children(superclasses) {
calls.push(call_site_from_node(superclass, bytes));
}
}
calls
}
fn resolve_function_node<'tree>(
root: Node<'tree>,
handler_expr: Node<'tree>,
bytes: &[u8],
) -> Option<Node<'tree>> {
if matches!(handler_expr.kind(), "identifier" | "attribute") {
let candidate = text(handler_expr, bytes);
let name = candidate.rsplit('.').next().unwrap_or(&candidate);
find_top_level_function_node(root, name, bytes)
} else if handler_expr.kind() == "decorated_definition"
|| handler_expr.kind() == "function_definition"
{
Some(handler_expr)
} else {
None
}
}
fn find_top_level_function_node<'tree>(
root: Node<'tree>,
name: &str,
bytes: &[u8],
) -> Option<Node<'tree>> {
for child in named_children(root) {
match child.kind() {
"function_definition" if function_name(child, bytes).as_deref() == Some(name) => {
return Some(child);
}
"decorated_definition" => {
if let Some(definition) = decorated_definition_child(child)
&& definition.kind() == "function_definition"
&& function_name(child, bytes).as_deref() == Some(name)
{
return Some(child);
}
}
_ => {}
}
}
None
}
fn find_top_level_class_node<'tree>(
root: Node<'tree>,
name: &str,
bytes: &[u8],
) -> Option<Node<'tree>> {
for child in named_children(root) {
match child.kind() {
"class_definition" if class_name(child, bytes).as_deref() == Some(name) => {
return Some(child);
}
"decorated_definition" => {
if let Some(definition) = decorated_definition_child(child)
&& definition.kind() == "class_definition"
&& class_name(child, bytes).as_deref() == Some(name)
{
return Some(child);
}
}
_ => {}
}
}
None
}
fn class_definition_node(node: Node<'_>) -> Option<Node<'_>> {
if node.kind() == "class_definition" {
Some(node)
} else {
decorated_definition_child(node).filter(|child| child.kind() == "class_definition")
}
}
fn class_name(node: Node<'_>, bytes: &[u8]) -> Option<String> {
class_definition_node(node)?
.child_by_field_name("name")
.map(|name| text(name, bytes))
}
fn function_name(node: Node<'_>, bytes: &[u8]) -> Option<String> {
let definition = if node.kind() == "decorated_definition" {
decorated_definition_child(node)?
} else {
node
};
definition
.child_by_field_name("name")
.map(|name| text(name, bytes))
}
fn as_view_class_name(handler_expr: Node<'_>, bytes: &[u8]) -> Option<String> {
if handler_expr.kind() != "call" {
return None;
}
let function = handler_expr.child_by_field_name("function")?;
let chain = member_chain(function, bytes);
if chain.len() >= 2 && chain.last().is_some_and(|segment| segment == "as_view") {
return Some(chain[chain.len() - 2].clone());
}
None
}
fn method_name_to_http_method(name: &str) -> Option<HttpMethod> {
match name.to_ascii_lowercase().as_str() {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
"dispatch" => Some(HttpMethod::All),
_ => None,
}
}
fn http_methods_from_decorator(node: Node<'_>, bytes: &[u8]) -> Option<Vec<HttpMethod>> {
if node.kind() == "call" {
let name = text(node.child_by_field_name("function")?, bytes);
if matches_name(&name, "require_http_methods") {
let arguments = node.child_by_field_name("arguments")?;
let first = named_children(arguments).first().copied()?;
let mut methods = Vec::new();
for child in named_children(first) {
if let Some(method) = string_literal_value(child, bytes)
.as_deref()
.and_then(http_method)
{
methods.push(method);
}
}
return Some(methods);
}
}
let call = call_site_from_node(node, bytes);
match call.name.rsplit('.').next().unwrap_or(&call.name) {
"require_GET" => Some(vec![HttpMethod::Get]),
"require_POST" => Some(vec![HttpMethod::Post]),
"require_PUT" => Some(vec![HttpMethod::Put]),
"require_DELETE" => Some(vec![HttpMethod::Delete]),
"require_PATCH" => Some(vec![HttpMethod::Patch]),
_ => None,
}
}
fn http_method(value: &str) -> Option<HttpMethod> {
match value.to_ascii_lowercase().as_str() {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
_ => None,
}
}
fn decorator_expressions(node: Node<'_>) -> Vec<Node<'_>> {
named_children(node)
.into_iter()
.filter(|child| child.kind() == "decorator")
.filter_map(|decorator| named_children(decorator).into_iter().next())
.collect()
}
fn expand_decorator_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
if node.kind() == "call" {
let call = call_site_from_node(node, bytes);
if matches_name(&call.name, "method_decorator")
&& let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(first) = named_children(arguments).first().copied()
{
return vec![call_site_from_node(first, bytes)];
}
return vec![call];
}
vec![call_site_from_node(node, bytes)]
}
fn inject_middleware_auth(
model: &mut AuthorizationModel,
unit_idx: usize,
line: usize,
middleware_calls: &[CallSite],
rules: &AuthAnalysisRules,
) {
let Some(unit) = model.units.get_mut(unit_idx) else {
return;
};
for call in middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
}

209
src/auth_analysis/extract/echo.rs Normal file
View file

@ -0,0 +1,209 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, join_route_paths, member_target, named_children, push_route_registration,
string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct EchoExtractor;
impl AuthExtractor for EchoExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "go"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Echo))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
let mut groups = HashMap::new();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| match node.kind() {
"short_var_declaration" | "assignment_statement" => {
maybe_collect_group_binding(node, bytes, &mut groups)
}
"call_expression" => {
maybe_collect_group_use(node, bytes, &mut groups);
maybe_collect_route(root, node, bytes, path, rules, &groups, &mut model);
}
_ => {}
});
model
}
}
#[derive(Clone, Default)]
struct GroupSpec {
path_prefix: String,
middleware_calls: Vec<CallSite>,
}
fn maybe_collect_group_binding(
node: Node<'_>,
bytes: &[u8],
groups: &mut HashMap<String, GroupSpec>,
) {
let Some(left) = node.child_by_field_name("left") else {
return;
};
let Some(right) = node.child_by_field_name("right") else {
return;
};
let Some(group_call) = named_children(right)
.into_iter()
.find(|child| child.kind() == "call_expression" && is_group_call(*child, bytes))
else {
return;
};
let Some(group_name) = named_children(left)
.into_iter()
.find(|child| child.kind() == "identifier")
.map(|child| text(child, bytes))
else {
return;
};
let Some((base_name, path_prefix, middleware_calls)) = parse_group_call(group_call, bytes)
else {
return;
};
let base = groups.get(&base_name).cloned().unwrap_or_default();
let mut combined = base.middleware_calls;
combined.extend(middleware_calls);
groups.insert(
group_name,
GroupSpec {
path_prefix: join_route_paths(&base.path_prefix, &path_prefix),
middleware_calls: combined,
},
);
}
fn maybe_collect_group_use(node: Node<'_>, bytes: &[u8], groups: &mut HashMap<String, GroupSpec>) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
if method_name != "Use" {
return;
}
let Some(group) = groups.get_mut(&object_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
for arg in named_children(arguments) {
group.middleware_calls.push(call_site_from_node(arg, bytes));
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
groups: &HashMap<String, GroupSpec>,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some(handler_expr) = args
.get(1)
.copied()
.filter(|arg| is_handler_reference(*arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = groups
.get(&object_name)
.map(|group| group.middleware_calls.clone())
.unwrap_or_default();
for middleware in args.iter().skip(2) {
middleware_calls.push(call_site_from_node(*middleware, bytes));
}
let path_prefix = groups
.get(&object_name)
.map(|group| group.path_prefix.as_str())
.unwrap_or("");
push_route_registration(
model,
Framework::Echo,
method,
join_route_paths(path_prefix, &route_path),
path,
handler,
middleware_calls,
);
}
fn is_group_call(node: Node<'_>, bytes: &[u8]) -> bool {
node.child_by_field_name("function")
.and_then(|function| member_target(function, bytes))
.is_some_and(|(_, method_name)| method_name == "Group")
}
fn parse_group_call(node: Node<'_>, bytes: &[u8]) -> Option<(String, String, Vec<CallSite>)> {
let function = node.child_by_field_name("function")?;
let (base_name, method_name) = member_target(function, bytes)?;
if method_name != "Group" {
return None;
}
let arguments = node.child_by_field_name("arguments")?;
let args = named_children(arguments);
let path = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
.unwrap_or_default();
let middleware_calls = args[1..]
.iter()
.map(|arg| call_site_from_node(*arg, bytes))
.collect();
Some((base_name, path, middleware_calls))
}

109
src/auth_analysis/extract/express.rs Normal file
View file

@ -0,0 +1,109 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, member_target, named_children, push_route_registration,
string_literal_value, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct ExpressExtractor;
impl AuthExtractor for ExpressExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
matches!(lang, "javascript" | "typescript")
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Express))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
if !matches!(object_name.as_str(), "router" | "app") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let named_args = named_children(arguments);
let Some(path_node) = named_args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some((handler_idx, handler_expr)) = named_args
.iter()
.enumerate()
.rev()
.find(|(_, arg)| is_handler_reference(**arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
*handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = named_args[1..handler_idx]
.iter()
.map(|middleware| call_site_from_node(*middleware, bytes))
.collect();
push_route_registration(
model,
Framework::Express,
method,
route_path,
path,
handler,
middleware_calls,
);
}

191
src/auth_analysis/extract/fastify.rs Normal file
View file

@ -0,0 +1,191 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_sites_from_value, collect_top_level_units, http_method_from_name,
is_handler_reference, member_target, named_children, object_property_value,
push_route_registration, string_literal_value, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct FastifyExtractor;
impl AuthExtractor for FastifyExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
matches!(lang, "javascript" | "typescript")
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Fastify))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call_expression" {
maybe_collect_shorthand_route(root, node, bytes, path, rules, &mut model);
maybe_collect_route_object(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_shorthand_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
if !matches!(object_name.as_str(), "fastify" | "app" | "server") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let options = args.get(1).copied().filter(|node| node.kind() == "object");
let handler_expr = args
.last()
.copied()
.filter(|node| is_handler_reference(*node))
.or_else(|| options.and_then(|opts| object_property_value(opts, bytes, &["handler"])));
let Some(handler_expr) = handler_expr else {
return;
};
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = options
.map(|opts| collect_fastify_hooks(opts, bytes))
.unwrap_or_default();
push_route_registration(
model,
Framework::Fastify,
method,
route_path,
path,
handler,
middleware_calls,
);
}
fn maybe_collect_route_object(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
if !is_fastify_route_call(function, bytes) {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let Some(route_object) = named_children(arguments).first().copied() else {
return;
};
if route_object.kind() != "object" {
return;
}
let Some(method_text) = object_property_value(route_object, bytes, &["method"])
.and_then(|value| string_literal_value(value, bytes))
else {
return;
};
let Some(method) = http_method_from_name(&method_text) else {
return;
};
let Some(route_path) = object_property_value(route_object, bytes, &["url", "path"])
.and_then(|value| string_literal_value(value, bytes))
else {
return;
};
let Some(handler_expr) = object_property_value(route_object, bytes, &["handler"]) else {
return;
};
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = collect_fastify_hooks(route_object, bytes);
push_route_registration(
model,
Framework::Fastify,
method,
route_path,
path,
handler,
middleware_calls,
);
}
fn collect_fastify_hooks(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let mut hooks = Vec::new();
for field in ["preHandler", "preValidation", "onRequest"] {
if let Some(value) = object_property_value(node, bytes, &[field]) {
hooks.extend(call_sites_from_value(value, bytes));
}
}
hooks
}
fn is_fastify_route_call(node: Node<'_>, bytes: &[u8]) -> bool {
member_target(node, bytes).is_some_and(|(object_name, property)| {
matches!(object_name.as_str(), "fastify" | "app" | "server") && property == "route"
})
}

237
src/auth_analysis/extract/flask.rs Normal file
View file

@ -0,0 +1,237 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, auth_check_from_call_site, call_site_from_node, named_children,
push_route_registration, string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name};
use crate::auth_analysis::extract::common::{collect_top_level_units, decorated_definition_child};
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework, HttpMethod};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct FlaskExtractor;
impl AuthExtractor for FlaskExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "python"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Flask))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "decorated_definition" {
maybe_collect_flask_route(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
#[derive(Clone)]
struct FlaskRouteSpec {
method: HttpMethod,
path: String,
}
fn maybe_collect_flask_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(definition) = decorated_definition_child(node) else {
return;
};
if definition.kind() != "function_definition" {
return;
}
let mut route_specs = Vec::new();
let mut middleware_calls = Vec::new();
for decorator in decorator_expressions(node) {
if let Some(mut specs) = parse_flask_route_decorator(decorator, bytes) {
route_specs.append(&mut specs);
} else {
middleware_calls.extend(expand_decorator_calls(decorator, bytes));
}
}
if route_specs.is_empty() {
return;
}
for spec in route_specs {
let Some(handler) = attach_route_handler(
root,
node,
format!("{:?} {}", spec.method, spec.path),
bytes,
rules,
model,
) else {
continue;
};
inject_middleware_auth(
model,
handler.unit_idx,
handler.line,
&middleware_calls,
rules,
);
push_route_registration(
model,
Framework::Flask,
spec.method,
spec.path,
path,
handler,
middleware_calls.clone(),
);
}
}
fn parse_flask_route_decorator(
decorator_expr: Node<'_>,
bytes: &[u8],
) -> Option<Vec<FlaskRouteSpec>> {
let function = if decorator_expr.kind() == "call" {
decorator_expr.child_by_field_name("function")?
} else {
return None;
};
let callee = text(function, bytes);
let method_name = callee.rsplit('.').next().unwrap_or(&callee);
let arguments = decorator_expr.child_by_field_name("arguments")?;
let args = named_children(arguments);
let route_path = args
.iter()
.find_map(|arg| string_literal_value(*arg, bytes))
.or_else(|| keyword_argument_string(arguments, bytes, "rule"))?;
let methods = match method_name.to_ascii_lowercase().as_str() {
"get" => vec![HttpMethod::Get],
"post" => vec![HttpMethod::Post],
"put" => vec![HttpMethod::Put],
"delete" => vec![HttpMethod::Delete],
"patch" => vec![HttpMethod::Patch],
"route" => parse_methods_keyword(arguments, bytes).unwrap_or_else(|| vec![HttpMethod::Get]),
_ => return None,
};
Some(
methods
.into_iter()
.map(|method| FlaskRouteSpec {
method,
path: route_path.clone(),
})
.collect(),
)
}
fn parse_methods_keyword(arguments: Node<'_>, bytes: &[u8]) -> Option<Vec<HttpMethod>> {
let value = keyword_argument_value(arguments, bytes, "methods")?;
let mut methods = Vec::new();
for child in named_children(value) {
if let Some(method) = string_literal_value(child, bytes).and_then(|text| http_method(&text))
{
methods.push(method);
}
}
if methods.is_empty() {
None
} else {
Some(methods)
}
}
fn keyword_argument_string(arguments: Node<'_>, bytes: &[u8], name: &str) -> Option<String> {
let value = keyword_argument_value(arguments, bytes, name)?;
string_literal_value(value, bytes)
}
fn keyword_argument_value<'tree>(
arguments: Node<'tree>,
bytes: &[u8],
name: &str,
) -> Option<Node<'tree>> {
for arg in named_children(arguments) {
if arg.kind() != "keyword_argument" {
continue;
}
let key = arg.child_by_field_name("name")?;
if text(key, bytes) == name {
return arg.child_by_field_name("value");
}
}
None
}
fn http_method(value: &str) -> Option<HttpMethod> {
match value.to_ascii_lowercase().as_str() {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
_ => None,
}
}
fn decorator_expressions(node: Node<'_>) -> Vec<Node<'_>> {
named_children(node)
.into_iter()
.filter(|child| child.kind() == "decorator")
.filter_map(|decorator| named_children(decorator).into_iter().next())
.collect()
}
fn expand_decorator_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
if node.kind() == "call" {
let call = call_site_from_node(node, bytes);
if matches_name(&call.name, "method_decorator")
&& let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(first) = named_children(arguments).first().copied()
{
return vec![call_site_from_node(first, bytes)];
}
return vec![call];
}
vec![call_site_from_node(node, bytes)]
}
fn inject_middleware_auth(
model: &mut AuthorizationModel,
unit_idx: usize,
line: usize,
middleware_calls: &[CallSite],
rules: &AuthAnalysisRules,
) {
let Some(unit) = model.units.get_mut(unit_idx) else {
return;
};
for call in middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
}

211
src/auth_analysis/extract/gin.rs Normal file
View file

@ -0,0 +1,211 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, join_route_paths, member_target, named_children, push_route_registration,
string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct GinExtractor;
impl AuthExtractor for GinExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "go"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Gin))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
let mut groups = HashMap::new();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| match node.kind() {
"short_var_declaration" | "assignment_statement" => {
maybe_collect_group_binding(node, bytes, &mut groups)
}
"call_expression" => {
maybe_collect_group_use(node, bytes, &mut groups);
maybe_collect_route(root, node, bytes, path, rules, &groups, &mut model);
}
_ => {}
});
model
}
}
#[derive(Clone, Default)]
struct GroupSpec {
path_prefix: String,
middleware_calls: Vec<CallSite>,
}
fn maybe_collect_group_binding(
node: Node<'_>,
bytes: &[u8],
groups: &mut HashMap<String, GroupSpec>,
) {
let Some(left) = node.child_by_field_name("left") else {
return;
};
let Some(right) = node.child_by_field_name("right") else {
return;
};
let Some(group_call) = named_children(right)
.into_iter()
.find(|child| child.kind() == "call_expression" && is_group_call(*child, bytes))
else {
return;
};
let Some(group_name) = named_children(left)
.into_iter()
.find(|child| child.kind() == "identifier")
.map(|child| text(child, bytes))
else {
return;
};
let Some((base_name, path_prefix, middleware_calls)) = parse_group_call(group_call, bytes)
else {
return;
};
let base = groups.get(&base_name).cloned().unwrap_or_default();
let mut combined = base.middleware_calls;
combined.extend(middleware_calls);
groups.insert(
group_name,
GroupSpec {
path_prefix: join_route_paths(&base.path_prefix, &path_prefix),
middleware_calls: combined,
},
);
}
fn maybe_collect_group_use(node: Node<'_>, bytes: &[u8], groups: &mut HashMap<String, GroupSpec>) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
if method_name != "Use" {
return;
}
let Some(group) = groups.get_mut(&object_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
for arg in named_children(arguments) {
group.middleware_calls.push(call_site_from_node(arg, bytes));
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
groups: &HashMap<String, GroupSpec>,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some((handler_idx, handler_expr)) = args
.iter()
.enumerate()
.rev()
.find(|(_, arg)| is_handler_reference(**arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
*handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = groups
.get(&object_name)
.map(|group| group.middleware_calls.clone())
.unwrap_or_default();
for middleware in &args[1..handler_idx] {
middleware_calls.push(call_site_from_node(*middleware, bytes));
}
let path_prefix = groups
.get(&object_name)
.map(|group| group.path_prefix.as_str())
.unwrap_or("");
push_route_registration(
model,
Framework::Gin,
method,
join_route_paths(path_prefix, &route_path),
path,
handler,
middleware_calls,
);
}
fn is_group_call(node: Node<'_>, bytes: &[u8]) -> bool {
node.child_by_field_name("function")
.and_then(|function| member_target(function, bytes))
.is_some_and(|(_, method_name)| method_name == "Group")
}
fn parse_group_call(node: Node<'_>, bytes: &[u8]) -> Option<(String, String, Vec<CallSite>)> {
let function = node.child_by_field_name("function")?;
let (base_name, method_name) = member_target(function, bytes)?;
if method_name != "Group" {
return None;
}
let arguments = node.child_by_field_name("arguments")?;
let args = named_children(arguments);
let path = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
.unwrap_or_default();
let middleware_calls = args[1..]
.iter()
.map(|arg| call_site_from_node(*arg, bytes))
.collect();
Some((base_name, path, middleware_calls))
}

109
src/auth_analysis/extract/koa.rs Normal file
View file

@ -0,0 +1,109 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, member_target, named_children, push_route_registration,
string_literal_value, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct KoaExtractor;
impl AuthExtractor for KoaExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
matches!(lang, "javascript" | "typescript")
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Koa))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
if !matches!(object_name.as_str(), "koaRouter" | "router" | "app" | "koa") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let named_args = named_children(arguments);
let Some(path_node) = named_args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some((handler_idx, handler_expr)) = named_args
.iter()
.enumerate()
.rev()
.find(|(_, arg)| is_handler_reference(**arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
*handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = named_args[1..handler_idx]
.iter()
.map(|middleware| call_site_from_node(*middleware, bytes))
.collect::<Vec<_>>();
push_route_registration(
model,
Framework::Koa,
method,
route_path,
path,
handler,
middleware_calls,
);
}

65
src/auth_analysis/extract/mod.rs Normal file
View file

@ -0,0 +1,65 @@
use super::config::AuthAnalysisRules;
use super::model::AuthorizationModel;
use crate::utils::project::FrameworkContext;
use std::path::Path;
use tree_sitter::Tree;
pub mod actix_web;
pub mod axum;
pub mod common;
pub mod django;
pub mod echo;
pub mod express;
pub mod fastify;
pub mod flask;
pub mod gin;
pub mod koa;
pub mod rails;
pub mod rocket;
pub mod sinatra;
pub mod spring;
pub trait AuthExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool;
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel;
}
pub fn extract_authorization_model(
lang: &str,
framework_ctx: Option<&FrameworkContext>,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let extractors: [&dyn AuthExtractor; 13] = [
&express::ExpressExtractor,
&koa::KoaExtractor,
&fastify::FastifyExtractor,
&gin::GinExtractor,
&echo::EchoExtractor,
&flask::FlaskExtractor,
&django::DjangoExtractor,
&spring::SpringExtractor,
&rails::RailsExtractor,
&sinatra::SinatraExtractor,
&axum::AxumExtractor,
&actix_web::ActixWebExtractor,
&rocket::RocketExtractor,
];
let mut model = AuthorizationModel::default();
for extractor in extractors {
if extractor.supports(lang, framework_ctx) {
model.extend(extractor.extract(tree, bytes, path, rules));
}
}
model
}

335
src/auth_analysis/extract/rails.rs Normal file
View file

@ -0,0 +1,335 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, call_name, call_site_from_node, function_name,
named_children, span, text,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name, strip_quotes};
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod, RouteRegistration,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct RailsExtractor;
impl AuthExtractor for RailsExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "ruby"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Rails))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_nodes(root, &[], bytes, path, rules, &mut model);
model
}
}
#[derive(Clone)]
struct FilterDirective {
call: CallSite,
only: Vec<String>,
except: Vec<String>,
skip: bool,
}
fn collect_nodes(
node: Node<'_>,
namespace: &[String],
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
match node.kind() {
"module" => {
let mut next_namespace = namespace.to_vec();
if let Some(name) = ruby_constant_segments(node.child_by_field_name("name"), bytes) {
next_namespace.extend(name);
}
if let Some(body) = node.child_by_field_name("body") {
collect_nodes(body, &next_namespace, bytes, path, rules, model);
}
}
"class" => {
maybe_collect_controller(node, namespace, bytes, path, rules, model);
}
_ => {
for child in named_children(node) {
collect_nodes(child, namespace, bytes, path, rules, model);
}
}
}
}
fn maybe_collect_controller(
class_node: Node<'_>,
namespace: &[String],
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(name_segments) = ruby_constant_segments(class_node.child_by_field_name("name"), bytes)
else {
return;
};
let Some(class_name) = name_segments.last() else {
return;
};
if !class_name.ends_with("Controller") {
return;
}
let Some(body) = class_node.child_by_field_name("body") else {
return;
};
let mut controller_namespace = namespace.to_vec();
controller_namespace.extend(
name_segments[..name_segments.len().saturating_sub(1)]
.iter()
.cloned(),
);
let controller_segment = underscore_segment(class_name.trim_end_matches("Controller"));
let filter_directives = class_filter_directives(body, bytes);
let controller_name = format!(
"{}{}",
if controller_namespace.is_empty() {
String::new()
} else {
format!("{}::", controller_namespace.join("::"))
},
class_name
);
for child in named_children(body) {
if child.kind() != "method" {
continue;
}
let Some(action_name) = function_name(child, bytes) else {
continue;
};
if action_name.is_empty() || action_name.ends_with('=') {
continue;
}
let unit_idx = model.units.len();
let route_name = format!("{controller_name}#{action_name}");
let mut unit = build_function_unit(
child,
AnalysisUnitKind::RouteHandler,
Some(route_name.clone()),
bytes,
rules,
);
let handler_span = span(child);
let handler_params = unit.params.clone();
let line = child.start_position().row + 1;
let middleware_calls = applicable_filters(&filter_directives, &action_name);
for call in &middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
model.units.push(unit);
let mut route_segments = controller_namespace
.iter()
.map(|segment| underscore_segment(segment))
.collect::<Vec<_>>();
route_segments.push(controller_segment.clone());
route_segments.push(underscore_segment(&action_name));
let route_path = format!("/{}", route_segments.join("/"));
model.routes.push(RouteRegistration {
framework: Framework::Rails,
method: infer_action_method(&action_name),
path: route_path,
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span,
handler_params,
file: path.to_path_buf(),
line,
unit_idx,
middleware_calls,
});
}
}
fn class_filter_directives(body: Node<'_>, bytes: &[u8]) -> Vec<FilterDirective> {
let mut filters = Vec::new();
for child in named_children(body) {
if child.kind() != "call" {
continue;
}
let callee = call_name(child, bytes);
let directive_name = callee.rsplit('.').next().unwrap_or(&callee);
if !matches_name(directive_name, "before_action")
&& !matches_name(directive_name, "prepend_before_action")
&& !matches_name(directive_name, "skip_before_action")
{
continue;
}
filters.extend(parse_filter_directive(
child,
bytes,
matches_name(directive_name, "skip_before_action"),
));
}
filters
}
fn parse_filter_directive(node: Node<'_>, bytes: &[u8], skip: bool) -> Vec<FilterDirective> {
let Some(arguments) = node.child_by_field_name("arguments") else {
return Vec::new();
};
let args = named_children(arguments);
if args.is_empty() {
return Vec::new();
}
let mut filters = Vec::new();
let mut only = Vec::new();
let mut except = Vec::new();
for arg in &args {
if arg.kind() == "pair" {
let key = text(arg.child_by_field_name("key").unwrap_or(*arg), bytes);
let normalized = strip_quotes(&key).trim_start_matches(':').to_string();
let value = arg.child_by_field_name("value").unwrap_or(*arg);
if normalized == "only" {
only = symbol_list(value, bytes);
} else if normalized == "except" {
except = symbol_list(value, bytes);
}
continue;
}
filters.extend(filter_calls_from_arg(*arg, bytes));
}
filters
.into_iter()
.map(|call| FilterDirective {
call,
only: only.clone(),
except: except.clone(),
skip,
})
.collect()
}
fn filter_calls_from_arg(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
match node.kind() {
"simple_symbol" | "hash_key_symbol" | "identifier" => vec![CallSite {
name: strip_quotes(&text(node, bytes))
.trim_start_matches(':')
.to_string(),
args: Vec::new(),
span: span(node),
args_value_refs: Vec::new(),
}],
"array" => named_children(node)
.into_iter()
.flat_map(|child| filter_calls_from_arg(child, bytes))
.collect(),
_ => {
let call = call_site_from_node(node, bytes);
if call.name.is_empty() {
Vec::new()
} else {
vec![call]
}
}
}
}
fn applicable_filters(filters: &[FilterDirective], action: &str) -> Vec<CallSite> {
let mut middleware = Vec::new();
for filter in filters {
if !filter_applies(filter, action) {
continue;
}
if filter.skip {
middleware.retain(|existing: &CallSite| existing.name != filter.call.name);
} else if !middleware
.iter()
.any(|existing: &CallSite| existing.name == filter.call.name)
{
middleware.push(filter.call.clone());
}
}
middleware
}
fn filter_applies(filter: &FilterDirective, action: &str) -> bool {
(filter.only.is_empty() || filter.only.iter().any(|name| name == action))
&& !filter.except.iter().any(|name| name == action)
}
fn symbol_list(node: Node<'_>, bytes: &[u8]) -> Vec<String> {
match node.kind() {
"simple_symbol" | "hash_key_symbol" | "identifier" | "string" => vec![
strip_quotes(&text(node, bytes))
.trim_start_matches(':')
.to_string(),
],
"array" => named_children(node)
.into_iter()
.flat_map(|child| symbol_list(child, bytes))
.collect(),
_ => Vec::new(),
}
}
fn ruby_constant_segments(node: Option<Node<'_>>, bytes: &[u8]) -> Option<Vec<String>> {
let node = node?;
let value = text(node, bytes);
if value.is_empty() {
return None;
}
Some(
value
.split("::")
.map(|segment| segment.trim().to_string())
.filter(|segment| !segment.is_empty())
.collect(),
)
}
fn infer_action_method(action: &str) -> HttpMethod {
match action {
"index" | "show" | "new" | "edit" => HttpMethod::Get,
"create" => HttpMethod::Post,
"update" => HttpMethod::Patch,
"destroy" => HttpMethod::Delete,
_ => HttpMethod::All,
}
}
fn underscore_segment(value: &str) -> String {
let mut out = String::new();
for (idx, ch) in value.chars().enumerate() {
if ch.is_ascii_uppercase() {
if idx > 0 && !out.ends_with('_') {
out.push('_');
}
out.push(ch.to_ascii_lowercase());
} else if ch.is_ascii_alphanumeric() {
out.push(ch.to_ascii_lowercase());
} else if !out.ends_with('_') {
out.push('_');
}
}
out.trim_matches('_').to_string()
}

145
src/auth_analysis/extract/rocket.rs Normal file
View file

@ -0,0 +1,145 @@
use super::AuthExtractor;
use super::axum::{
GuardFramework, apply_aliases, dedup_call_sites, guard_calls_for_handler, inject_guard_checks,
rust_param_aliases,
};
use super::common::{
attach_route_handler, collect_top_level_units, function_definition_node, function_name,
named_children, text,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, Framework, HttpMethod, RouteRegistration};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct RocketExtractor;
impl AuthExtractor for RocketExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "rust"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Rocket))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
collect_handlers(root, root, bytes, path, rules, &mut model);
model
}
}
fn collect_handlers(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "function_item" {
maybe_collect_route(root, node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_handlers(root, child, bytes, path, rules, model);
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let route_attrs = route_attributes(node, bytes);
if route_attrs.is_empty() {
return;
}
for (method, route_path) in route_attrs {
let Some(handler) = attach_route_handler(
root,
node,
format!(
"{:?} {}",
method,
function_name(function_definition_node(node), bytes)
.unwrap_or_else(|| "rocket_handler".to_string())
),
bytes,
rules,
model,
) else {
continue;
};
let mut middleware_calls =
guard_calls_for_handler(node, &route_path, bytes, GuardFramework::Rocket);
dedup_call_sites(&mut middleware_calls);
if let Some(unit) = model.units.get_mut(handler.unit_idx) {
let aliases = rust_param_aliases(node, &route_path, bytes, GuardFramework::Rocket);
apply_aliases(unit, &aliases);
inject_guard_checks(unit, &middleware_calls, rules);
}
model.routes.push(RouteRegistration {
framework: Framework::Rocket,
method,
path: route_path,
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span: handler.span,
handler_params: handler.params,
file: path.to_path_buf(),
line: handler.line,
unit_idx: handler.unit_idx,
middleware_calls,
});
}
}
fn route_attributes(node: Node<'_>, bytes: &[u8]) -> Vec<(HttpMethod, String)> {
text(node, bytes)
.lines()
.map(str::trim)
.take_while(|line| line.starts_with("#["))
.filter_map(parse_route_attribute)
.collect()
}
fn parse_route_attribute(line: &str) -> Option<(HttpMethod, String)> {
let method = if line.starts_with("#[get") {
HttpMethod::Get
} else if line.starts_with("#[post") {
HttpMethod::Post
} else if line.starts_with("#[put") {
HttpMethod::Put
} else if line.starts_with("#[delete") {
HttpMethod::Delete
} else if line.starts_with("#[patch") {
HttpMethod::Patch
} else {
return None;
};
let start = line.find('"')?;
let rest = &line[start + 1..];
let end = rest.find('"')?;
Some((method, rest[..end].to_string()))
}

157
src/auth_analysis/extract/sinatra.rs Normal file
View file

@ -0,0 +1,157 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, call_name, call_site_from_node,
collect_top_level_units, named_children, span, string_literal_value,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name};
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod, RouteRegistration,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct SinatraExtractor;
impl AuthExtractor for SinatraExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "ruby"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Sinatra))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
let before_filters = collect_before_filters(root, bytes);
collect_routes(root, bytes, path, rules, &before_filters, &mut model);
model
}
}
fn collect_before_filters(root: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let mut filters = Vec::new();
for child in named_children(root) {
if child.kind() != "call" {
continue;
}
let callee = call_name(child, bytes);
let target = callee.rsplit('.').next().unwrap_or(&callee);
if !matches_name(target, "before") {
continue;
}
if let Some(block) = child_block(child) {
filters.extend(call_sites_in_block(block, bytes));
}
}
filters
}
fn collect_routes(
root: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
before_filters: &[CallSite],
model: &mut AuthorizationModel,
) {
for child in named_children(root) {
if child.kind() != "call" {
continue;
}
maybe_collect_route(child, bytes, path, rules, before_filters, model);
}
}
fn maybe_collect_route(
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
before_filters: &[CallSite],
model: &mut AuthorizationModel,
) {
let callee = call_name(node, bytes);
let route_name = callee.rsplit('.').next().unwrap_or(&callee);
let method = match route_name.to_ascii_lowercase().as_str() {
"get" => HttpMethod::Get,
"post" => HttpMethod::Post,
"put" => HttpMethod::Put,
"delete" => HttpMethod::Delete,
"patch" => HttpMethod::Patch,
_ => return,
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(route_path) = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
else {
return;
};
let Some(block) = child_block(node) else {
return;
};
let unit_idx = model.units.len();
let mut unit = build_function_unit(
block,
AnalysisUnitKind::RouteHandler,
Some(format!("{:?} {}", method, route_path)),
bytes,
rules,
);
let line = block.start_position().row + 1;
for call in before_filters {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
let handler_span = span(block);
let handler_params = unit.params.clone();
model.units.push(unit);
model.routes.push(RouteRegistration {
framework: Framework::Sinatra,
method,
path: route_path,
middleware: before_filters
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span,
handler_params,
file: path.to_path_buf(),
line,
unit_idx,
middleware_calls: before_filters.to_vec(),
});
}
fn child_block(node: Node<'_>) -> Option<Node<'_>> {
named_children(node)
.into_iter()
.find(|child| matches!(child.kind(), "block" | "do_block"))
}
fn call_sites_in_block(block: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let Some(body) = block.child_by_field_name("body") else {
return Vec::new();
};
named_children(body)
.into_iter()
.filter(|child| child.kind() == "call")
.map(|child| call_site_from_node(child, bytes))
.filter(|call| !call.name.is_empty())
.collect()
}

326
src/auth_analysis/extract/spring.rs Normal file
View file

@ -0,0 +1,326 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, function_name, join_route_paths,
named_children, push_route_registration, span, text,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct SpringExtractor;
impl AuthExtractor for SpringExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "java"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Spring))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_classes(root, bytes, path, rules, &mut model);
model
}
}
#[derive(Clone)]
struct SpringRouteSpec {
method: HttpMethod,
path: String,
}
fn collect_classes(
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "class_declaration" {
maybe_collect_controller(node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_classes(child, bytes, path, rules, model);
}
}
fn maybe_collect_controller(
class_node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let class_annotations = annotation_lines(class_node, bytes);
if !class_annotations.iter().any(|annotation| {
annotation.starts_with("@Controller") || annotation.starts_with("@RestController")
}) {
return;
}
let class_name = class_node
.child_by_field_name("name")
.map(|name| text(name, bytes))
.unwrap_or_else(|| "SpringController".to_string());
let class_path = class_request_path(&class_annotations);
let class_security = parse_security_annotations(&class_annotations, span(class_node));
let Some(body) = class_node.child_by_field_name("body") else {
return;
};
for child in named_children(body) {
if child.kind() != "method_declaration" {
continue;
}
let method_annotations = annotation_lines(child, bytes);
let route_specs = parse_route_annotations(&method_annotations);
if route_specs.is_empty() {
continue;
}
let mut middleware_calls = class_security.clone();
middleware_calls.extend(parse_security_annotations(&method_annotations, span(child)));
let route_name = format!(
"{class_name}.{}",
function_name(child, bytes).unwrap_or_else(|| "handler".to_string())
);
let line = child.start_position().row + 1;
for spec in route_specs {
let unit_idx = model.units.len();
let mut unit = build_function_unit(
child,
AnalysisUnitKind::RouteHandler,
Some(route_name.clone()),
bytes,
rules,
);
for call in &middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
let handler_span = span(child);
let handler_params = unit.params.clone();
model.units.push(unit);
push_route_registration(
model,
Framework::Spring,
spec.method,
join_route_paths(&class_path, &spec.path),
path,
super::common::ResolvedHandler {
unit_idx,
span: handler_span,
params: handler_params,
line,
},
middleware_calls.clone(),
);
}
}
}
fn annotation_lines(node: Node<'_>, bytes: &[u8]) -> Vec<String> {
text(node, bytes)
.lines()
.map(str::trim)
.take_while(|line| line.starts_with('@'))
.map(|line| line.to_string())
.collect()
}
fn class_request_path(annotations: &[String]) -> String {
annotations
.iter()
.find(|annotation| annotation.starts_with("@RequestMapping"))
.and_then(|annotation| annotation_path(annotation))
.unwrap_or_default()
}
fn parse_route_annotations(annotations: &[String]) -> Vec<SpringRouteSpec> {
let mut specs = Vec::new();
for annotation in annotations {
let annotation = annotation.as_str();
let method = if annotation.starts_with("@GetMapping") {
Some(vec![HttpMethod::Get])
} else if annotation.starts_with("@PostMapping") {
Some(vec![HttpMethod::Post])
} else if annotation.starts_with("@PutMapping") {
Some(vec![HttpMethod::Put])
} else if annotation.starts_with("@DeleteMapping") {
Some(vec![HttpMethod::Delete])
} else if annotation.starts_with("@PatchMapping") {
Some(vec![HttpMethod::Patch])
} else if annotation.starts_with("@RequestMapping") {
Some(request_mapping_methods(annotation))
} else {
None
};
let Some(methods) = method else {
continue;
};
let path = annotation_path(annotation).unwrap_or_default();
specs.extend(methods.into_iter().map(|method| SpringRouteSpec {
method,
path: path.clone(),
}));
}
specs
}
fn request_mapping_methods(annotation: &str) -> Vec<HttpMethod> {
let mut methods = Vec::new();
for (needle, method) in [
("RequestMethod.GET", HttpMethod::Get),
("RequestMethod.POST", HttpMethod::Post),
("RequestMethod.PUT", HttpMethod::Put),
("RequestMethod.DELETE", HttpMethod::Delete),
("RequestMethod.PATCH", HttpMethod::Patch),
] {
if annotation.contains(needle) {
methods.push(method);
}
}
if methods.is_empty() {
methods.push(HttpMethod::All);
}
methods
}
fn annotation_path(annotation: &str) -> Option<String> {
quoted_strings(annotation).into_iter().next()
}
fn parse_security_annotations(annotations: &[String], span: (usize, usize)) -> Vec<CallSite> {
let mut calls = Vec::new();
for annotation in annotations {
if annotation.starts_with("@RolesAllowed") {
calls.push(CallSite {
name: "RolesAllowed".to_string(),
args: quoted_strings(annotation),
span,
args_value_refs: Vec::new(),
});
} else if annotation.starts_with("@Secured") {
calls.push(CallSite {
name: "Secured".to_string(),
args: quoted_strings(annotation),
span,
args_value_refs: Vec::new(),
});
} else if annotation.starts_with("@PreAuthorize")
|| annotation.starts_with("@PostAuthorize")
{
let Some(expression) = quoted_strings(annotation).into_iter().next() else {
continue;
};
if expression.contains("isAuthenticated") {
calls.push(CallSite {
name: "isAuthenticated".to_string(),
args: vec![expression.clone()],
span,
args_value_refs: Vec::new(),
});
}
if let Some((name, args)) = parse_expression_call(&expression) {
calls.push(CallSite {
name,
args,
span,
args_value_refs: Vec::new(),
});
}
}
}
calls
}
fn parse_expression_call(expression: &str) -> Option<(String, Vec<String>)> {
for candidate in ["hasRole", "hasAuthority"] {
if let Some(args) = named_call_args(expression, candidate) {
return Some((candidate.to_string(), args));
}
}
let open_idx = expression.find('(')?;
let close_idx = expression.rfind(')')?;
if close_idx <= open_idx {
return None;
}
let prefix = expression[..open_idx].trim();
let name = prefix
.trim_start_matches('@')
.rsplit('.')
.next()
.unwrap_or(prefix)
.trim();
if name.is_empty() {
return None;
}
let args = expression[open_idx + 1..close_idx]
.split(',')
.map(str::trim)
.filter(|arg| !arg.is_empty())
.map(|arg| arg.to_string())
.collect::<Vec<_>>();
Some((name.to_string(), args))
}
fn named_call_args(expression: &str, name: &str) -> Option<Vec<String>> {
let needle = format!("{name}(");
let start = expression.find(&needle)?;
let args = &expression[start + needle.len()..];
let end = args.find(')')?;
let values = args[..end]
.split(',')
.map(|arg| arg.trim().trim_matches('\'').trim_matches('"'))
.filter(|arg| !arg.is_empty())
.map(|arg| arg.to_string())
.collect::<Vec<_>>();
Some(values)
}
fn quoted_strings(input: &str) -> Vec<String> {
let mut out = Vec::new();
let mut current = String::new();
let mut quote = None;
for ch in input.chars() {
match quote {
Some(active) if ch == active => {
out.push(current.clone());
current.clear();
quote = None;
}
Some(_) => current.push(ch),
None if ch == '\'' || ch == '"' => {
quote = Some(ch);
}
None => {}
}
}
out
}

780
src/auth_analysis/mod.rs Normal file
View file

@ -0,0 +1,780 @@
pub mod checks;
pub mod config;
pub mod extract;
pub mod model;
pub mod sql_semantics;
use crate::commands::scan::Diag;
use crate::evidence::{Confidence, Evidence, SpanEvidence};
use crate::patterns::FindingCategory;
use crate::ssa::type_facts::TypeKind;
use crate::summary::GlobalSummaries;
use crate::symbol::{FuncKey, Lang, normalize_namespace};
use crate::utils::Config;
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::Tree;
fn byte_offset_to_point(tree: &Tree, byte: usize) -> tree_sitter::Point {
tree.root_node()
.descendant_for_byte_range(byte, byte)
.map(|node| node.start_position())
.unwrap_or(tree_sitter::Point { row: 0, column: 0 })
}
/// Per-file snapshot of SSA-derived variable types, keyed by
/// source-level variable name. Built at `run_auth_analysis` call sites
/// by merging type facts across all bodies in the file; a variable name
/// with conflicting types in different bodies is dropped (absence is
/// safe — the sink gate just falls back to name-based classification).
pub type VarTypes = HashMap<String, TypeKind>;
#[allow(clippy::too_many_arguments)]
pub fn run_auth_analysis(
tree: &Tree,
source: &[u8],
lang: &str,
file_path: &Path,
cfg: &Config,
var_types: Option<&VarTypes>,
global_summaries: Option<&GlobalSummaries>,
scan_root: Option<&Path>,
) -> Vec<Diag> {
let rules = config::build_auth_rules(cfg, lang);
if !rules.enabled {
return Vec::new();
}
let mut model = extract::extract_authorization_model(
lang,
cfg.framework_ctx.as_ref(),
tree,
source,
file_path,
&rules,
);
// Refine `SensitiveOperation::sink_class` using SSA-derived
// variable types. Runs only when the caller supplied `var_types`
// (skipped for slug-lookup / unit-test call sites).
if let Some(types) = var_types {
apply_var_types_to_model(&mut model, &rules, types);
}
// Lift per-function auth-check summaries and synthesise call-site
// `AuthCheck`s in callers, so a handler that delegates to a helper
// which internally validates ownership is recognised as
// auth-checked. Iterated to a small fixpoint so transitive helper
// chains are also covered; consults `global_summaries.auth_by_key`
// (when provided) for cross-file helpers that live in other files.
apply_helper_lifting(&mut model, lang, file_path, scan_root, global_summaries);
if model.routes.is_empty() && model.units.is_empty() {
return Vec::new();
}
checks::run_checks(&model, &rules)
.into_iter()
.map(|finding| auth_finding_to_diag(&finding, tree, file_path))
.collect()
}
/// Build per-function [`model::AuthCheckSummary`] entries for every
/// unit in `model`, keyed by a canonical [`FuncKey`] derived from the
/// enclosing file's path and the unit's leaf name + arity.
///
/// Used by pass 1 to persist per-file auth summaries for cross-file
/// helper lifting. Only returns summaries for units whose body
/// already proves at least one positional parameter under ownership /
/// membership / admin / authorization check — i.e. the exact
/// single-file lift set, so the cross-file variant does not widen what
/// counts as a helper.
pub fn extract_auth_summaries_by_key(
tree: &Tree,
source: &[u8],
lang: &str,
file_path: &Path,
cfg: &Config,
scan_root: Option<&Path>,
) -> Vec<(FuncKey, model::AuthCheckSummary)> {
let rules = config::build_auth_rules(cfg, lang);
if !rules.enabled {
return Vec::new();
}
let model = extract::extract_authorization_model(
lang,
cfg.framework_ctx.as_ref(),
tree,
source,
file_path,
&rules,
);
summaries_keyed_by_func(&model, lang, file_path, scan_root)
}
/// Convert an already-built [`model::AuthorizationModel`] into a
/// canonical `(FuncKey, AuthCheckSummary)` list suitable for
/// persistence. Shares the per-unit summary-building logic with
/// [`build_helper_summaries`] so single-file and cross-file lifts
/// accept the exact same set of helpers.
fn summaries_keyed_by_func(
model: &model::AuthorizationModel,
lang: &str,
file_path: &Path,
scan_root: Option<&Path>,
) -> Vec<(FuncKey, model::AuthCheckSummary)> {
let Some(lang_enum) = Lang::from_slug(lang) else {
return Vec::new();
};
let path_str = file_path.to_string_lossy();
let root_str = scan_root.map(|r| r.to_string_lossy().into_owned());
let namespace = normalize_namespace(&path_str, root_str.as_deref());
let mut out = Vec::new();
for unit in &model.units {
let Some(name) = unit.name.as_deref() else {
continue;
};
if name.is_empty() {
continue;
}
let Some(summary) = build_unit_summary(unit) else {
continue;
};
let leaf = name.rsplit('.').next().unwrap_or(name).to_string();
let key = FuncKey {
lang: lang_enum,
namespace: namespace.clone(),
container: String::new(),
name: leaf,
arity: Some(unit.params.len()),
disambig: None,
kind: crate::symbol::FuncKind::Function,
};
out.push((key, summary));
}
out
}
/// Build an [`model::AuthCheckSummary`] for a single
/// [`model::AnalysisUnit`]. Returns `None` when the unit produces no
/// usable param → auth-kind mapping, so callers can cheaply skip
/// persisting empty entries.
fn build_unit_summary(unit: &model::AnalysisUnit) -> Option<model::AuthCheckSummary> {
use model::{AuthCheckKind, AuthCheckSummary};
if unit.params.is_empty() {
return None;
}
let mut summary = AuthCheckSummary::default();
for check in &unit.auth_checks {
if matches!(
check.kind,
AuthCheckKind::LoginGuard | AuthCheckKind::TokenExpiry | AuthCheckKind::TokenRecipient
) {
continue;
}
for subject in &check.subjects {
let Some(candidate) = subject_lift_key(subject) else {
continue;
};
if let Some(idx) = unit.params.iter().position(|p| p == &candidate) {
summary
.param_auth_kinds
.entry(idx)
.and_modify(|existing| {
*existing = stronger_check_kind(*existing, check.kind);
})
.or_insert(check.kind);
}
}
}
if summary.param_auth_kinds.is_empty() {
None
} else {
Some(summary)
}
}
/// Walk every `SensitiveOperation` in the model and, when the call's
/// receiver root variable has a known SSA type, override `sink_class`
/// to the type-implied class. Strictly additive — only overrides
/// when the type map produces a definite class, otherwise leaves the
/// name/prefix-derived classification intact.
fn apply_var_types_to_model(
model: &mut model::AuthorizationModel,
rules: &config::AuthAnalysisRules,
var_types: &VarTypes,
) {
for unit in &mut model.units {
for op in &mut unit.operations {
let Some(first) = receiver_root(&op.callee) else {
continue;
};
let Some(ty) = var_types.get(first) else {
continue;
};
if let Some(new_class) = sink_class_for_type(ty, &op.callee, rules) {
op.sink_class = Some(new_class);
}
}
}
}
/// First segment of a callee's receiver chain (`map.insert` → `"map"`,
/// `self.cache.set` → `"self"`). Returns `None` when the callee has no
/// receiver (e.g. a free function call).
fn receiver_root(callee: &str) -> Option<&str> {
let (first, rest) = callee.split_once('.')?;
if rest.is_empty() {
return None;
}
if first.is_empty() { None } else { Some(first) }
}
/// Map an inferred [`TypeKind`] to the [`model::SinkClass`] that should
/// supersede the callee-name classification. The DB case disambiguates
/// read vs mutation using the callee's verb; non-security types return
/// `None` so the caller leaves the existing class in place.
fn sink_class_for_type(
ty: &TypeKind,
callee: &str,
rules: &config::AuthAnalysisRules,
) -> Option<model::SinkClass> {
match ty {
TypeKind::LocalCollection => Some(model::SinkClass::InMemoryLocal),
TypeKind::HttpClient => Some(model::SinkClass::OutboundNetwork),
TypeKind::DatabaseConnection => {
if rules.is_read(callee) && !rules.is_mutation(callee) {
Some(model::SinkClass::DbCrossTenantRead)
} else {
Some(model::SinkClass::DbMutation)
}
}
_ => None,
}
}
/// Build per-function `AuthCheckSummary` and synthesise `AuthCheck`s
/// at every call site that targets a known helper whose summary names
/// auth-checked params. Iterated to a small fixpoint
/// so transitive helper chains (`handler → validate → require_member`)
/// are also covered.
///
/// The synthesised AuthCheck inherits the helper-param's check kind
/// and is anchored at the call site's line, with subjects = the
/// caller's value-refs from the corresponding positional argument.
/// `auth_check_covers_subject` then matches them against downstream
/// sensitive operations exactly like a real prior auth check.
///
/// When `global_summaries` is `Some`, cross-file helpers are looked up
/// via [`GlobalSummaries::get_auth`] after the same-file summary
/// gather — this recovers the handler-in-file-A calling
/// `require_owner`-in-file-B case that single-file lifting cannot see.
fn apply_helper_lifting(
model: &mut model::AuthorizationModel,
lang: &str,
file_path: &Path,
scan_root: Option<&Path>,
global_summaries: Option<&GlobalSummaries>,
) {
use std::collections::HashSet;
let caller_lang = Lang::from_slug(lang);
let path_str = file_path.to_string_lossy();
let root_str = scan_root.map(|r| r.to_string_lossy().into_owned());
let caller_namespace = normalize_namespace(&path_str, root_str.as_deref());
const MAX_ROUNDS: usize = 4;
for _ in 0..MAX_ROUNDS {
let summaries = build_helper_summaries(model);
let have_same_file = !summaries.is_empty();
let have_cross_file =
global_summaries.is_some_and(|gs| gs.auth_by_key().is_some()) && caller_lang.is_some();
if !have_same_file && !have_cross_file {
return;
}
let mut added = false;
// For each unit, compute synthetic checks BEFORE mutating, so
// a helper-call inside one unit doesn't see synthetic checks
// we add to a sibling in the same round (those land in the
// next iteration via the rebuilt summaries).
let synth: Vec<(usize, Vec<model::AuthCheck>)> = model
.units
.iter()
.enumerate()
.map(|(idx, unit)| {
let mut out = synthesise_checks_for_unit(unit, &summaries);
if have_cross_file
&& let (Some(gs), Some(lang_enum)) = (global_summaries, caller_lang)
{
out.extend(synthesise_cross_file_checks_for_unit(
unit,
&summaries,
gs,
lang_enum,
&caller_namespace,
));
}
(idx, out)
})
.collect();
let mut existing_keys_per_unit: Vec<HashSet<((usize, usize), model::AuthCheckKind)>> =
model
.units
.iter()
.map(|u| {
u.auth_checks
.iter()
.map(|c| (c.span, c.kind))
.collect::<HashSet<_>>()
})
.collect();
for (idx, checks) in synth {
for check in checks {
let key = (check.span, check.kind);
if existing_keys_per_unit[idx].insert(key) {
model.units[idx].auth_checks.push(check);
added = true;
}
}
}
if !added {
return;
}
}
}
/// Build a `name → AuthCheckSummary` map by walking each unit's auth
/// checks and recording, for every check subject whose value-ref name
/// matches a positional parameter name of the unit, that param index
/// → check kind. Same key with different kinds collapses to the most
/// specific (Ownership/Membership wins over Other).
fn build_helper_summaries(
model: &model::AuthorizationModel,
) -> std::collections::HashMap<String, model::AuthCheckSummary> {
use model::{AuthCheckKind, AuthCheckSummary};
use std::collections::HashMap;
let mut summaries: HashMap<String, AuthCheckSummary> = HashMap::new();
for unit in &model.units {
let Some(name) = unit.name.as_deref() else {
continue;
};
if name.is_empty() || unit.params.is_empty() {
continue;
}
let mut summary = AuthCheckSummary::default();
for check in &unit.auth_checks {
// We only lift checks that actively prove ownership /
// membership / admin-rights / authorize-helper — login
// and token-validity checks don't justify foreign-id
// mutations and we want to keep parity with
// `has_prior_subject_auth`'s filter.
if matches!(
check.kind,
AuthCheckKind::LoginGuard
| AuthCheckKind::TokenExpiry
| AuthCheckKind::TokenRecipient
) {
continue;
}
for subject in &check.subjects {
let candidate = subject_lift_key(subject);
let Some(candidate) = candidate else { continue };
if let Some(idx) = unit.params.iter().position(|p| p == &candidate) {
summary
.param_auth_kinds
.entry(idx)
.and_modify(|existing| {
*existing = stronger_check_kind(*existing, check.kind);
})
.or_insert(check.kind);
}
}
}
if !summary.param_auth_kinds.is_empty() {
// Deduplicate by last segment of the function name — the
// lifting site matches the call's last segment too.
let last = name.rsplit('.').next().unwrap_or(name).to_string();
summaries
.entry(last)
.or_default()
.param_auth_kinds
.extend(summary.param_auth_kinds);
}
}
summaries
}
/// Pick the identifier name for a check subject for purposes of
/// matching to the enclosing function's parameters. We prefer the
/// `base` segment of a member-chain subject (`row.user_id` → `row`)
/// because helpers usually receive the full struct, not the field;
/// fall back to the raw `name` for plain identifiers.
fn subject_lift_key(subject: &model::ValueRef) -> Option<String> {
if let Some(base) = subject.base.as_deref() {
let first = base.split('.').next().unwrap_or(base).trim();
if !first.is_empty() {
return Some(first.to_string());
}
}
if subject.name.is_empty() {
None
} else {
Some(
subject
.name
.split('.')
.next()
.unwrap_or(&subject.name)
.to_string(),
)
}
}
fn stronger_check_kind(a: model::AuthCheckKind, b: model::AuthCheckKind) -> model::AuthCheckKind {
use model::AuthCheckKind::*;
fn rank(k: model::AuthCheckKind) -> u8 {
match k {
Ownership => 5,
Membership => 4,
AdminGuard => 3,
Other => 2,
LoginGuard => 1,
TokenExpiry | TokenRecipient => 0,
}
}
if rank(a) >= rank(b) { a } else { b }
}
/// For one unit, synthesise an `AuthCheck` at every call site that
/// targets a helper with a non-trivial summary. Subjects are taken
/// from `call_site.args_value_refs[K]` for each auth-checked param
/// position K — these are the caller's concrete subjects passed at
/// that arg slot, exactly what `auth_check_covers_subject` needs.
fn synthesise_checks_for_unit(
unit: &model::AnalysisUnit,
summaries: &std::collections::HashMap<String, model::AuthCheckSummary>,
) -> Vec<model::AuthCheck> {
let line_of = |span: (usize, usize)| -> usize {
// Span is byte offsets; we don't have direct access to a Tree
// here. Caller assigns line via `line` field on call_site
// through CallSite metadata absence — fall back to the unit's
// line since covers_subject uses `check.line <= op.line` and
// helper calls are typically near the unit start.
let _ = span;
unit.line
};
let mut out = Vec::new();
for call in &unit.call_sites {
let last = call.name.rsplit('.').next().unwrap_or(&call.name);
let Some(summary) = summaries.get(last) else {
continue;
};
// A call to the unit itself shouldn't lift anything (would
// produce a tautological self-cover).
if unit.name.as_deref() == Some(last) {
continue;
}
// Build subjects from the auth-checked param positions.
let mut subjects: Vec<model::ValueRef> = Vec::new();
let mut effective_kind = model::AuthCheckKind::Other;
for (param_idx, kind) in &summary.param_auth_kinds {
let Some(arg_refs) = call.args_value_refs.get(*param_idx) else {
continue;
};
subjects.extend(arg_refs.iter().cloned());
effective_kind = stronger_check_kind(effective_kind, *kind);
}
if subjects.is_empty() {
continue;
}
let line = call_site_line(unit, call).unwrap_or_else(|| line_of(call.span));
out.push(model::AuthCheck {
kind: effective_kind,
callee: format!("(lifted {})", call.name),
subjects,
span: call.span,
line,
args: call.args.clone(),
condition_text: None,
});
}
out
}
/// Approximate the call site's line. We don't have tree access here,
/// so we walk the unit's existing operations / call_sites to find one
/// whose span starts at the same byte offset and reuse its line; if
/// nothing matches we conservatively report the unit's start line so
/// the synthetic check still satisfies `check.line <= op.line` for
/// operations declared after it. In practice, helper calls always
/// resolve via the operations match because handlers register their
/// own call_site too.
fn call_site_line(unit: &model::AnalysisUnit, call: &model::CallSite) -> Option<usize> {
for op in &unit.operations {
if op.span.0 == call.span.0 {
return Some(op.line);
}
}
None
}
/// Cross-file variant of [`synthesise_checks_for_unit`] — for each
/// call site in `unit`, resolve the callee against `GlobalSummaries`
/// and look up an `AuthCheckSummary` that was persisted by some other
/// file's pass-1 extraction. Skips call sites already handled by the
/// single-file map (`same_file_summaries`) so we do not double-lift
/// the same call.
///
/// The synthesised check carries the same shape as the single-file
/// version: subjects come from `call.args_value_refs[K]` at each
/// auth-checked param position K, effective kind is the strongest
/// check kind across those positions, and the `(lifted cross-file
/// <name>)` callee string distinguishes cross-file lifts in
/// diagnostics.
fn synthesise_cross_file_checks_for_unit(
unit: &model::AnalysisUnit,
same_file_summaries: &std::collections::HashMap<String, model::AuthCheckSummary>,
gs: &GlobalSummaries,
caller_lang: Lang,
caller_namespace: &str,
) -> Vec<model::AuthCheck> {
let mut out = Vec::new();
for call in &unit.call_sites {
let last = call.name.rsplit('.').next().unwrap_or(&call.name);
if unit.name.as_deref() == Some(last) {
continue;
}
// Skip if the single-file map already handled this callee —
// that path has richer same-file context (existing
// summaries from sibling units in this model) and its
// synthesised check is strictly more precise.
if same_file_summaries.contains_key(last) {
continue;
}
let arity_hint = Some(call.args.len());
let key = match gs.resolve_callee_key(last, caller_lang, caller_namespace, arity_hint) {
crate::summary::CalleeResolution::Resolved(key) => key,
_ => continue,
};
// Auth summaries are persisted with a canonical key:
// `disambig=None`, `container=""`, `kind=Function`. Normalise
// the resolver's key to that canonical shape before looking up
// so a byte-offset or DFS-index `disambig` on the resolved key
// doesn't cause a trivial miss.
let mut canonical = key.clone();
canonical.disambig = None;
canonical.container = String::new();
canonical.kind = crate::symbol::FuncKind::Function;
let Some(summary) = gs.get_auth(&canonical) else {
continue;
};
let mut subjects: Vec<model::ValueRef> = Vec::new();
let mut effective_kind = model::AuthCheckKind::Other;
for (param_idx, kind) in &summary.param_auth_kinds {
let Some(arg_refs) = call.args_value_refs.get(*param_idx) else {
continue;
};
subjects.extend(arg_refs.iter().cloned());
effective_kind = stronger_check_kind(effective_kind, *kind);
}
if subjects.is_empty() {
continue;
}
let line = call_site_line(unit, call).unwrap_or(unit.line);
out.push(model::AuthCheck {
kind: effective_kind,
callee: format!("(lifted cross-file {})", call.name),
subjects,
span: call.span,
line,
args: call.args.clone(),
condition_text: None,
});
}
out
}
fn auth_finding_to_diag(finding: &checks::AuthFinding, tree: &Tree, file_path: &Path) -> Diag {
let point = byte_offset_to_point(tree, finding.span.0);
Diag {
path: file_path.to_string_lossy().into_owned(),
line: point.row + 1,
col: point.column + 1,
severity: finding.severity,
id: finding.rule_id.clone(),
category: FindingCategory::Security,
path_validated: false,
guard_kind: None,
message: Some(finding.message.clone()),
labels: vec![],
confidence: Some(Confidence::Medium),
evidence: Some(Evidence {
source: None,
sink: Some(SpanEvidence {
path: file_path.to_string_lossy().into_owned(),
line: (point.row + 1) as u32,
col: (point.column + 1) as u32,
kind: "sink".into(),
snippet: None,
}),
guards: vec![],
sanitizers: vec![],
state: None,
notes: vec![],
..Default::default()
}),
rank_score: None,
rank_reason: None,
suppressed: false,
suppression: None,
rollup: None,
finding_id: String::new(),
alternative_finding_ids: Vec::new(),
}
}
#[cfg(test)]
mod tests {
use super::{VarTypes, apply_var_types_to_model, receiver_root, sink_class_for_type};
use crate::auth_analysis::config::build_auth_rules;
use crate::auth_analysis::model::{
AnalysisUnit, AnalysisUnitKind, AuthorizationModel, OperationKind, SensitiveOperation,
SinkClass,
};
use crate::ssa::type_facts::TypeKind;
use crate::utils::config::Config;
use std::collections::{HashMap, HashSet};
fn sample_op(callee: &str, initial: Option<SinkClass>) -> SensitiveOperation {
SensitiveOperation {
kind: OperationKind::Mutation,
sink_class: initial,
callee: callee.to_string(),
subjects: Vec::new(),
span: (0, 0),
line: 1,
text: callee.to_string(),
}
}
fn sample_unit(op: SensitiveOperation) -> AnalysisUnit {
AnalysisUnit {
kind: AnalysisUnitKind::Function,
name: Some("handle".into()),
span: (0, 0),
params: Vec::new(),
context_inputs: Vec::new(),
call_sites: Vec::new(),
auth_checks: Vec::new(),
operations: vec![op],
value_refs: Vec::new(),
condition_texts: Vec::new(),
line: 1,
row_field_vars: HashMap::new(),
self_actor_vars: HashSet::new(),
self_actor_id_vars: HashSet::new(),
authorized_sql_vars: HashSet::new(),
}
}
#[test]
fn receiver_root_returns_first_segment_only_for_chain_calls() {
assert_eq!(receiver_root("map.insert"), Some("map"));
assert_eq!(receiver_root("self.cache.insert"), Some("self"));
// Free function call (no receiver) → None.
assert_eq!(receiver_root("HashMap"), None);
assert_eq!(receiver_root("free_fn"), None);
// Empty chain segments → None.
assert_eq!(receiver_root("."), None);
assert_eq!(receiver_root(""), None);
}
#[test]
fn sink_class_for_type_maps_security_typekinds() {
let cfg = Config::default();
let rules = build_auth_rules(&cfg, "rust");
// LocalCollection always → InMemoryLocal.
assert_eq!(
sink_class_for_type(&TypeKind::LocalCollection, "whatever.insert", &rules),
Some(SinkClass::InMemoryLocal)
);
// HttpClient → OutboundNetwork.
assert_eq!(
sink_class_for_type(&TypeKind::HttpClient, "client.send", &rules),
Some(SinkClass::OutboundNetwork)
);
// DatabaseConnection: mutation verb → DbMutation.
assert_eq!(
sink_class_for_type(&TypeKind::DatabaseConnection, "conn.insert", &rules),
Some(SinkClass::DbMutation)
);
// DatabaseConnection: read-only verb → DbCrossTenantRead.
assert_eq!(
sink_class_for_type(&TypeKind::DatabaseConnection, "conn.get", &rules),
Some(SinkClass::DbCrossTenantRead)
);
// DatabaseConnection: unrecognized verb (`execute`) → DbMutation
// (conservative default — treat as write-shaped).
assert_eq!(
sink_class_for_type(&TypeKind::DatabaseConnection, "conn.execute", &rules),
Some(SinkClass::DbMutation)
);
// Non-security types → None (don't override).
assert_eq!(
sink_class_for_type(&TypeKind::String, "s.len", &rules),
None
);
assert_eq!(
sink_class_for_type(&TypeKind::Unknown, "x.frobnicate", &rules),
None
);
}
#[test]
fn apply_var_types_overrides_sink_class_for_known_receiver() {
let cfg = Config::default();
let rules = build_auth_rules(&cfg, "rust");
let mut model = AuthorizationModel::default();
// Initial sink class from B1 name-based classification (e.g.
// `results.insert` → DbMutation because `insert` matches the
// mutation list and `results` doesn't match any non-sink prefix).
model.units.push(sample_unit(sample_op(
"results.insert",
Some(SinkClass::DbMutation),
)));
let mut var_types: VarTypes = HashMap::new();
var_types.insert("results".into(), TypeKind::LocalCollection);
apply_var_types_to_model(&mut model, &rules, &var_types);
// B2 overrode to InMemoryLocal based on the SSA type.
assert_eq!(
model.units[0].operations[0].sink_class,
Some(SinkClass::InMemoryLocal)
);
}
#[test]
fn apply_var_types_leaves_classification_untouched_when_receiver_unknown() {
let cfg = Config::default();
let rules = build_auth_rules(&cfg, "rust");
let mut model = AuthorizationModel::default();
model.units.push(sample_unit(sample_op(
"db.insert",
Some(SinkClass::DbMutation),
)));
let var_types: VarTypes = HashMap::new();
apply_var_types_to_model(&mut model, &rules, &var_types);
// Unchanged — no entry in var_types for `db`.
assert_eq!(
model.units[0].operations[0].sink_class,
Some(SinkClass::DbMutation)
);
}
}

277
src/auth_analysis/model.rs Normal file
View file

@ -0,0 +1,277 @@
use serde::{Deserialize, Serialize};
use std::collections::{HashMap, HashSet};
use std::path::PathBuf;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Framework {
Express,
Koa,
Fastify,
Gin,
Echo,
Flask,
Django,
Spring,
Rails,
Sinatra,
Axum,
ActixWeb,
Rocket,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HttpMethod {
Get,
Post,
Put,
Delete,
Patch,
All,
Use,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AnalysisUnitKind {
RouteHandler,
Function,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub enum AuthCheckKind {
LoginGuard,
AdminGuard,
Ownership,
Membership,
TokenExpiry,
TokenRecipient,
Other,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OperationKind {
Read,
Mutation,
TokenLookup,
}
/// Classification of a sensitive operation by the resource it targets.
/// `check_ownership_gaps` only fires on the first five classes —
/// `InMemoryLocal` is never authorization-relevant.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SinkClass {
/// A write against a persistent datastore (SQL, ORM, or KV that
/// crosses tenant boundaries).
DbMutation,
/// A read against a persistent datastore that may return rows
/// belonging to another tenant without an explicit ownership check.
DbCrossTenantRead,
/// A publish / broadcast against a realtime bus (pub/sub, websocket
/// channel, event stream). Always auth-relevant because receivers
/// are typically scoped by tenant id.
RealtimePublish,
/// An outbound HTTP / RPC call whose target or payload can encode a
/// tenant-scoped identifier.
OutboundNetwork,
/// A cache read/write whose keys routinely cross tenant boundaries
/// (Redis / memcache / distributed cache client).
CacheCrossTenant,
/// A method call against a local, in-memory collection (HashMap,
/// HashSet, Vec, …) — never authorization-relevant.
InMemoryLocal,
}
impl SinkClass {
/// Does this sink class participate in the missing-ownership gate?
/// Only `InMemoryLocal` is excluded; all other classes are treated
/// as potential cross-tenant sinks.
pub fn is_auth_relevant(&self) -> bool {
!matches!(self, SinkClass::InMemoryLocal)
}
}
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ValueSourceKind {
RequestParam,
RequestBody,
RequestQuery,
Session,
Identifier,
MemberField,
TokenField,
ArrayIndex,
}
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ValueRef {
pub source_kind: ValueSourceKind,
pub name: String,
pub base: Option<String>,
pub field: Option<String>,
pub index: Option<String>,
pub span: (usize, usize),
}
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CallSite {
pub name: String,
pub args: Vec<String>,
pub span: (usize, usize),
/// Per-positional-argument value-refs. Populated only by the
/// structured `collect_call` path (the auxiliary
/// `call_site_from_node` constructor leaves this empty); used to
/// attribute synthesised helper-call auth checks to the concrete
/// subjects passed by the caller.
pub args_value_refs: Vec<Vec<ValueRef>>,
}
#[derive(Debug, Clone)]
pub struct AuthCheck {
pub kind: AuthCheckKind,
pub callee: String,
pub subjects: Vec<ValueRef>,
pub span: (usize, usize),
pub line: usize,
pub args: Vec<String>,
pub condition_text: Option<String>,
}
#[derive(Debug, Clone)]
pub struct SensitiveOperation {
pub kind: OperationKind,
/// Sink classification. `None` means the operation was recorded
/// for taxonomy completeness but does not match any known resource
/// class — defensive, and currently unused.
pub sink_class: Option<SinkClass>,
pub callee: String,
pub subjects: Vec<ValueRef>,
pub span: (usize, usize),
pub line: usize,
pub text: String,
}
#[derive(Debug, Clone)]
pub struct AnalysisUnit {
pub kind: AnalysisUnitKind,
pub name: Option<String>,
pub span: (usize, usize),
pub params: Vec<String>,
pub context_inputs: Vec<ValueRef>,
pub call_sites: Vec<CallSite>,
pub auth_checks: Vec<AuthCheck>,
pub operations: Vec<SensitiveOperation>,
pub value_refs: Vec<ValueRef>,
pub condition_texts: Vec<String>,
pub line: usize,
/// Map from local variable name to the row binding it was read from.
/// Populated when the extractor sees `let V = ROW.method(..)` or
/// `let V = ROW.field`. Used by `auth_check_covers_subject` so a
/// row-level ownership-equality check on the row implicitly covers
/// downstream uses of fields read from the same row.
pub row_field_vars: HashMap<String, String>,
/// Variables bound to an authenticated-user value. Populated from
/// `let V = require_auth(..).await?` (or any call matching the
/// configured login-guard / authorization-check names) and from
/// typed route-handler parameters (`CurrentUser`, `AuthUser`, …).
/// Consulted by `is_actor_context_subject` so `V.id`-shaped subjects
/// are treated as the caller's own id, not as a scoped foreign id.
pub self_actor_vars: HashSet<String>,
/// Variables holding the authenticated actor's identifier (transitive
/// copies of `V.id` / `V.user_id` / `V.uid` / `V.userId` for some
/// `V ∈ self_actor_vars`). Populated when the extractor sees
/// `let X = V.id` or `let X = (V.id as ..).into()` / `V.id.into()`
/// shapes — anywhere a route-handler reduces the authenticated
/// principal to a scalar id and reuses it as a SQL parameter.
/// Consulted by `is_actor_context_subject` so subjects whose `name`
/// is in this set count as actor context, not foreign scoped IDs.
pub self_actor_id_vars: HashSet<String>,
/// Local variables bound (directly or transitively) to a SQL query
/// whose literal text classifies as authorization-gated by
/// `sql_semantics::classify_sql_query`. Includes:
/// * the `let X = db.prepare(LIT)…` result var,
/// * the loop var of `for ROW in X`,
/// * column-binding vars `let Y = ROW.get(..)` whose receiver is
/// itself in this set.
///
/// `auth_check_covers_subject` walks `row_field_vars` transitively
/// and treats a subject as covered when the chain terminates in
/// one of these names.
pub authorized_sql_vars: HashSet<String>,
}
/// Per-function summary of which positional parameters are
/// auth-checked inside the function body. When a caller invokes this
/// function with `subject` at position K, and the summary says param
/// K has an auth check of kind `kind`, the caller's subject is
/// considered covered as if it were checked at the call site.
///
/// Serialises as a `Vec<(usize, AuthCheckKind)>` so same-shape on-disk
/// rows survive across HashMap iteration-order changes; the in-memory
/// type stays a HashMap for point-lookup efficiency.
#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct AuthCheckSummary {
#[serde(
serialize_with = "serialize_param_auth_kinds",
deserialize_with = "deserialize_param_auth_kinds"
)]
pub param_auth_kinds: HashMap<usize, AuthCheckKind>,
}
fn serialize_param_auth_kinds<S>(
map: &HashMap<usize, AuthCheckKind>,
serializer: S,
) -> Result<S::Ok, S::Error>
where
S: serde::Serializer,
{
use serde::ser::SerializeSeq;
let mut entries: Vec<(usize, AuthCheckKind)> =
map.iter().map(|(idx, kind)| (*idx, *kind)).collect();
entries.sort_by_key(|(idx, _)| *idx);
let mut seq = serializer.serialize_seq(Some(entries.len()))?;
for entry in entries {
seq.serialize_element(&entry)?;
}
seq.end()
}
fn deserialize_param_auth_kinds<'de, D>(
deserializer: D,
) -> Result<HashMap<usize, AuthCheckKind>, D::Error>
where
D: serde::Deserializer<'de>,
{
let entries: Vec<(usize, AuthCheckKind)> = Vec::deserialize(deserializer)?;
Ok(entries.into_iter().collect())
}
#[derive(Debug, Clone)]
pub struct RouteRegistration {
pub framework: Framework,
pub method: HttpMethod,
pub path: String,
pub middleware: Vec<String>,
pub handler_span: (usize, usize),
pub handler_params: Vec<String>,
pub file: PathBuf,
pub line: usize,
pub unit_idx: usize,
pub middleware_calls: Vec<CallSite>,
}
#[derive(Debug, Clone, Default)]
pub struct AuthorizationModel {
pub routes: Vec<RouteRegistration>,
pub units: Vec<AnalysisUnit>,
}
impl AuthorizationModel {
pub fn extend(&mut self, other: AuthorizationModel) {
let unit_offset = self.units.len();
self.units.extend(other.units);
self.routes
.extend(other.routes.into_iter().map(|mut route| {
route.unit_idx += unit_offset;
route
}));
}
}

334
src/auth_analysis/sql_semantics.rs Normal file
View file

@ -0,0 +1,334 @@
//! SQL literal semantics.
//!
//! A focused, lightweight SQL detector that classifies a literal SQL
//! query as **authorization-gated** when one of two patterns holds:
//!
//! 1. **JOIN-through-ACL**: `SELECT … FROM <T> JOIN <ACL> ON … WHERE
//! <ACL>.user_id = ?N` where `<ACL>` is in the configured ACL-table
//! list (`group_members`, `org_memberships`, …). The JOIN proves
//! that every returned row belongs to a tenant the bound `?N` user
//! is a member of.
//!
//! 2. **Direct ownership**: `WHERE … user_id = ?N` (with optional
//! additional predicates like `WHERE id = ?M AND user_id = ?N`).
//! The `user_id = ?N` predicate proves every returned row is owned
//! by the bound user.
//!
//! Detection is conservative: ambiguous shapes return `None`, and the
//! caller (in `extract::common::collect_row_population`) only synthesizes
//! an `AuthCheck` when classification is positive. False negatives
//! (missing real auth) are safe; false positives (spuriously claiming
//! auth) are not.
//!
//! No SQL parser dependency: the rules below operate on lower-cased
//! whitespace-normalised text and pattern-match the relevant clauses.
/// Classification of a literal SQL query for authorization purposes.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SqlAuthClassification {
/// Query is auth-gated. The JOIN (or direct WHERE) pins returned
/// rows to the bound user. We don't track *which* bind position
/// here — the caller treats whichever bind value flows into the
/// query as the user-id witness; that's safe because the caller
/// already requires the row binding to come from a `let X = …`
/// site we can name.
Authorized,
}
/// Classify `sql` as auth-gated under the configured ACL tables.
/// Returns `Some(Authorized)` when one of the recognized patterns
/// holds, `None` otherwise (conservative — unknown shapes are treated
/// as unauthorized).
pub fn classify_sql_query(sql: &str, acl_tables: &[String]) -> Option<SqlAuthClassification> {
let normalized = normalize_sql(sql);
if !normalized.trim_start().starts_with("select") {
// For B3 we only authorize SELECT queries — INSERT/UPDATE/DELETE
// need their own analysis and aren't in scope. (A literal
// `DELETE … WHERE user_id = ?N` could be safely authorized,
// but the call sites we care about for FP suppression are
// reads.)
return None;
}
if matches_join_through_acl(&normalized, acl_tables) {
return Some(SqlAuthClassification::Authorized);
}
if matches_direct_user_id_predicate(&normalized) {
return Some(SqlAuthClassification::Authorized);
}
None
}
/// `SELECT … FROM <T> [AS] <ALIAS>? JOIN <ACL> [AS] <GA>? ON … WHERE
/// <GA?>.user_id = ?N` — verifies that an ACL table appears in a JOIN
/// clause and that the WHERE clause contains a `<…>.user_id = ?` (or
/// bare `user_id = ?`) predicate. Order of the WHERE predicates
/// doesn't matter; AND/OR connectors are ignored.
fn matches_join_through_acl(sql: &str, acl_tables: &[String]) -> bool {
let Some(where_idx) = sql.find(" where ") else {
return false;
};
let from_to_where = &sql[..where_idx];
let where_clause = &sql[where_idx + " where ".len()..];
let has_acl_join = acl_tables.iter().any(|t| {
let lower = t.to_ascii_lowercase();
// " join <acl>" or " join <acl> "
from_to_where.contains(&format!(" join {} ", lower))
|| from_to_where.ends_with(&format!(" join {}", lower))
|| from_to_where.contains(&format!(" inner join {} ", lower))
|| from_to_where.contains(&format!(" left join {} ", lower))
|| from_to_where.contains(&format!(" right join {} ", lower))
});
if !has_acl_join {
return false;
}
where_clause_contains_user_id_bind(where_clause)
}
/// Direct ownership: `SELECT … FROM <T> WHERE … user_id = ?N` — no
/// JOIN. Covers single-table reads where the row already carries the
/// owning user id (`SELECT … FROM docs WHERE user_id = ?1`). We do
/// NOT require `id = ?M` to also be present; the `user_id = ?N`
/// predicate alone is sufficient, since any row returned must be
/// owned by the bound user.
///
/// Refuses to fire when a JOIN is present — the JOIN target may not
/// be in the ACL list, so the WHERE predicate (which may apply to
/// the joined table, e.g. `WHERE al.user_id = ?N` against an
/// `audit_log` JOIN) doesn't actually pin the primary rows to the
/// caller. The JOIN-through-ACL path handles those cases explicitly.
fn matches_direct_user_id_predicate(sql: &str) -> bool {
let Some(where_idx) = sql.find(" where ") else {
return false;
};
let from_to_where = &sql[..where_idx];
if from_to_where.contains(" join ") {
return false;
}
let where_clause = &sql[where_idx + " where ".len()..];
where_clause_contains_user_id_bind(where_clause)
}
/// Does the WHERE clause contain `<table?>.user_id = ?<digits>` (or
/// `<table?>.user_id = $<digits>` for postgres-style placeholders, or
/// `<table?>.user_id = :name` for named binds)? The optional table
/// qualifier handles `gm.user_id` (alias-qualified) and bare `user_id`.
fn where_clause_contains_user_id_bind(where_clause: &str) -> bool {
// Strip ORDER BY / LIMIT / GROUP BY / HAVING tails so we don't
// hunt past the WHERE clause for a `user_id = ?` that isn't
// actually a predicate.
let where_only = strip_trailing_clauses(where_clause);
let needles = ["user_id", "userid"];
for needle in needles {
for (idx, _) in where_only.match_indices(needle) {
// Make sure this is a column boundary on the left side
// (avoid matching `posted_user_id` or `target_user_id`
// — those don't pin to the actor).
let before = where_only[..idx].chars().last();
if !is_column_boundary_left(before) {
continue;
}
// Skip past `user_id`. Trim whitespace then look for `=`.
let rest = &where_only[idx + needle.len()..];
let rest = rest.trim_start();
if !rest.starts_with('=') {
continue;
}
let after_eq = rest[1..].trim_start();
if looks_like_bind_param(after_eq) {
return true;
}
}
}
false
}
fn is_column_boundary_left(ch: Option<char>) -> bool {
match ch {
None => true,
Some(c) => matches!(c, ' ' | '\t' | '(' | '.' | ',' | '\n' | '\r'),
}
}
fn looks_like_bind_param(after_eq: &str) -> bool {
let bytes = after_eq.as_bytes();
if bytes.is_empty() {
return false;
}
match bytes[0] {
// ?N (sqlite/sqlx anonymous) — accept ?, ?1, ?2…
b'?' => true,
// $N (postgres style) — require a digit after.
b'$' => bytes.get(1).is_some_and(|b| b.is_ascii_digit()),
// :name (named bind) — require an identifier char after.
b':' => bytes
.get(1)
.is_some_and(|b| b.is_ascii_alphabetic() || *b == b'_'),
_ => false,
}
}
/// Cut off ORDER BY / LIMIT / GROUP BY / HAVING tails so the WHERE
/// scan stays inside the predicate region.
fn strip_trailing_clauses(where_clause: &str) -> &str {
let candidates = [" order by ", " limit ", " group by ", " having "];
let mut end = where_clause.len();
for cand in candidates {
if let Some(idx) = where_clause.find(cand) {
end = end.min(idx);
}
}
&where_clause[..end]
}
/// Lower-case + collapse whitespace + flatten line breaks so the
/// patterns above can use single-space tokens.
fn normalize_sql(sql: &str) -> String {
let mut out = String::with_capacity(sql.len());
let mut prev_space = true;
// Surround with leading/trailing space so " where " etc. searches
// hit boundary cases at the very start/end.
out.push(' ');
for ch in sql.chars() {
if ch.is_whitespace() {
if !prev_space {
out.push(' ');
prev_space = true;
}
} else {
out.push(ch.to_ascii_lowercase());
prev_space = false;
}
}
if !out.ends_with(' ') {
out.push(' ');
}
out
}
#[cfg(test)]
mod tests {
use super::{SqlAuthClassification, classify_sql_query};
fn acl() -> Vec<String> {
vec![
"group_members".into(),
"org_memberships".into(),
"workspace_members".into(),
"tenant_members".into(),
"members".into(),
"share_grants".into(),
]
}
#[test]
fn join_through_group_members_with_user_bind_is_authorized() {
let sql = "SELECT d.id, d.group_id, d.title \
FROM docs d \
JOIN group_members gm ON gm.group_id = d.group_id \
WHERE gm.user_id = ?1 \
ORDER BY d.updated_at DESC";
assert_eq!(
classify_sql_query(sql, &acl()),
Some(SqlAuthClassification::Authorized)
);
}
#[test]
fn join_through_workspace_members_with_postgres_bind() {
let sql = "SELECT t.* \
FROM tickets t \
INNER JOIN workspace_members wm ON wm.workspace_id = t.workspace_id \
WHERE wm.user_id = $1";
assert_eq!(
classify_sql_query(sql, &acl()),
Some(SqlAuthClassification::Authorized)
);
}
#[test]
fn direct_user_id_predicate_is_authorized() {
let sql = "SELECT id, name FROM peers WHERE user_id = ?1";
assert_eq!(
classify_sql_query(sql, &acl()),
Some(SqlAuthClassification::Authorized)
);
}
#[test]
fn direct_id_and_user_id_predicate_is_authorized() {
let sql = "SELECT title FROM docs WHERE id = ?1 AND user_id = ?2";
assert_eq!(
classify_sql_query(sql, &acl()),
Some(SqlAuthClassification::Authorized)
);
}
#[test]
fn named_bind_is_authorized() {
let sql = "SELECT * FROM peers WHERE user_id = :uid";
assert_eq!(
classify_sql_query(sql, &acl()),
Some(SqlAuthClassification::Authorized)
);
}
#[test]
fn join_against_non_acl_table_is_not_authorized() {
// `audit_log` is not in the configured ACL list — JOIN doesn't
// pin rows to the bound user, so the query is unauthorized.
let sql = "SELECT d.* FROM docs d \
JOIN audit_log al ON al.doc_id = d.id \
WHERE al.user_id = ?1";
assert_eq!(classify_sql_query(sql, &acl()), None);
}
#[test]
fn select_without_user_id_predicate_is_not_authorized() {
let sql = "SELECT * FROM docs WHERE id = ?1";
assert_eq!(classify_sql_query(sql, &acl()), None);
}
#[test]
fn non_select_query_is_not_authorized() {
// INSERT/UPDATE/DELETE are not in scope for B3 even when the
// WHERE clause names the user.
let sql = "DELETE FROM docs WHERE user_id = ?1";
assert_eq!(classify_sql_query(sql, &acl()), None);
}
#[test]
fn similar_column_names_do_not_trip_user_id_match() {
// `posted_user_id` shouldn't satisfy the `user_id = ?` check —
// that column doesn't pin to the actor.
let sql = "SELECT * FROM posts WHERE posted_user_id = ?1";
assert_eq!(classify_sql_query(sql, &acl()), None);
}
#[test]
fn order_by_after_user_id_is_handled() {
let sql = "SELECT * FROM peers WHERE user_id = ?1 ORDER BY created_at DESC LIMIT 50";
assert_eq!(
classify_sql_query(sql, &acl()),
Some(SqlAuthClassification::Authorized)
);
}
#[test]
fn empty_acl_list_disables_join_pattern_but_keeps_direct() {
let join_sql = "SELECT * FROM docs d \
JOIN group_members gm ON gm.group_id = d.group_id \
WHERE gm.user_id = ?1";
let direct_sql = "SELECT * FROM peers WHERE user_id = ?1";
let empty: Vec<String> = Vec::new();
// No ACL configured → join pattern can't fire, but direct
// predicate still authorizes.
assert_eq!(classify_sql_query(join_sql, &empty), None);
assert_eq!(
classify_sql_query(direct_sql, &empty),
Some(SqlAuthClassification::Authorized)
);
}
}