apunkt/nyx
1
0
Fork 0
mirror of https://github.com/elicpeter/nyx.git synced 2026-06-18 20:15:14 +02:00
Code Issues Projects Releases Packages Wiki Activity

Release/0.5.0 (#35)

Browse source 
* feat: Introduce function-scoped variable interning for state analysis with new tests and fixtures

* feat: Add Phase 26 symbolic execution enhancements with bitwise operator support, abstract interpretation refinements, and new taint analysis tests

* feat: Refine state analysis to handle factory-pattern resource returns with mixed-path tests and leak detection enhancements

* feat: Add Phase 27 debug views with symbolic execution, abstract interpretation, SSA, and call graph viewers; integrate with debug layout and styles

* feat: Add Phase 31 type-qualified symbolic resolution with receiver-based callee disambiguation and testing

* feat: Extend symbolic execution with state iteration, enhanced debug views, and debounced input handling

* feat: Add Phase 13 resource and auth pattern extensions with new tests and fixtures

* feat: Introduce CFG debug graph renderer with compact mode, toolbar, and DAG layout integration

* feat: Add Phase 28 encoding and decoding transform modeling with structural symex enhancements and new taint analysis tests

* feat: Extend abstract interpretation with type facts and constant value tracking in debug views and server logic

* feat: Add linear path handling and witness extraction to symbolic execution with Phase 28 transform mismatch detection

* feat: Refine Go auth and sanitizer handling with enhanced rules, state updates, and benchmark improvements

* feat: Enable auth-state analysis by default and update relevant tests in benchmark config

* test: Update state_tests to reflect default enablement of auth-state analysis and add auth suppression test

* docs: update CHANGELOG.md

* feat: Introduce per-index taint tracking in `HeapState` with `HeapSlot`, overflow handling, and revised SSA transfers

* feat: Introduce C/C++ language labels and refine heap state tracking in SSA transfers

* feat: Implement per-index array slot tracking in symbolic heap with overflow collapse

* feat: Add implicit definition handling for uninitialized declarations in SSA value allocation

* feat: Refactor function parameters and constants for improved clarity and maintainability

* refactor: Reorder module imports and improve formatting for consistency

* refactor: Fix formatting erorrs

* refactor: Fix clippy warnings

* refactor: Fix fmt warnings (again)

* chore: Update dependencies and improve feature configuration

* Add comprehensive tests for undertested modules (#36) (COPILOT)

* Add comprehensive tests for undertested modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

* Add comprehensive tests for ext, project, walk, and errors modules

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/f3fc877e-f386-49ba-9793-fc93d3805083

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: Update dependencies and improve feature configuration

* fix: formatting errors in new tests

* chore: Update license list in about.toml

* chore: made functions input inline

* chore: updated cfg graph to take up the full page

* chore: add Prettier configuration and update code formatting

* Add frontend test suite with Vitest (111 tests) (#37)

* Add Vitest test suite for frontend - 111 tests across utils, components, hooks, and graph utilities

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/7cf0dba2-ecff-4740-ba4d-92717e74a0b7

* ci: add frontend test step to CI workflow

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/5bc0ac9f-0a32-4d03-9cb7-7a15aea53fca

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* chore: simplify array initialization in test files for consistency

* ran typecheck

* feat: add AnalysisWorkspace component and integrate it into CfgViewerPage

* feat: update routing in AppLayout and improve empty state message in ExplorerPage

* feat: enhance scan progress tracking with additional metrics and stages

* feat: update license information and add license check script

* feat: implement cross-file symbolic execution with callee body persistence

* feat: replace dagre graphs with Graphology + ELK + Sigma for more advanced call stack and cfg rendering

* feat: ensure CFG function view is scoped to the selected function, preventing bleed into sibling functions

* feat: enhance resource tracking with proxy method summaries and improve finding extraction

* feat: add terminal function exit detection for accurate resource leak analysis

* feat: add warnings for loops and functions without bodies to improve error recovery

* feat: update lambda expression handling to ensure proper function classification and control flow

* feat: remove bounded formatting/string ops and add JSON.parse sanitizer for improved data handling

* feat: add inline return taint analysis and regression tests for improved security checks

* feat: add engine version management and migration handling for database schema updates

* feat: enhance first_call_ident to skip nested function bodies and add regression tests

* feat: enhance callee name resolution with two-segment normalization and disambiguation

* feat: add cross-file context flags and debug assertions for taint analysis

* feat: refactor taint analysis structure to unify context handling and improve clarity

* feat: enhance dead code elimination to preserve Sink, Source, and Sanitizer labels with new tests

* docs: updated CHANGELOG.md

* fmt: formatting fixes

* fix: fixed frontend formatting and lint warnings

* fix: optimized ci

* fix: optimized ci

* Add comprehensive multi-file test coverage to Nyx (#38)

* Initial checklist for multi-file test suite expansion

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* Add 12 new multi-file test fixtures with TP/TN/near-miss coverage

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/e550cb88-9767-4442-94d4-101bf5bb0e23

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* deleted root repo

* rebuilt to test for regressions

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* feat: enhance import alias resolution and taint tracking

* feat: implement security hardening with CSRF protection and path validation

* feat: add support for import alias bindings in Python, PHP, and Rust

* feat: enhance CFG analysis modes and improve code readability

* feat: add detection for parameterized SQL queries to enhance security

* feat: add safe internal redirect handling and enhance session destroy validation

* feat: implement security improvements by addressing vulnerabilities in execAsync, session management, and file downloads

* feat: enhance taint detection by adding support for inline source member expressions in call arguments

* feat: implement pre-emission of Source nodes for inline source member expressions in call arguments

* feat: add support for Throw statement in control flow and error handling

* feat: add debug and echo endpoints with potential information leakage

* feat: implement internal redirect suppression and enhance taint detection

* feat: implement module alias tracking for dynamic dispatch in JS/TS

* feat: add authorization analysis module with Express support

* feat: add authorization analysis module with Express support

* feat: add tests for admin guard requirements and clean checks in authorization analysis

* feat: integrate Koa and Fastify frameworks into authorization analysis

* feat: add Flask and Django support to authorization analysis module

* feat: add support for Rails and Sinatra frameworks in authorization analysis

* feat: add support for Axum, ActixWeb, and Rocket frameworks in authorization analysis

* feat: add support for ActixWeb, Axum, and Rocket frameworks in authorization analysis

* feat: add support for Rails and Sinatra in authorization analysis

* chore: add .DS_Store to .gitignore

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: update usage of Option methods for improved clarity and consistency

* refactor: improve code readability by simplifying conditional checks and formatting

* refactor: improve code formatting and readability by simplifying conditional checks

* refactor: simplify conditional checks and improve readability in multiple files

* refactor: simplify conditional checks in axum.rs for improved readability

* feat: add CodeQL analysis configuration for enhanced security scanning

* test: add comprehensive tests for `src/output.rs` SARIF builder (#39)

* chore: start test coverage improvement work

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* test: add comprehensive tests for src/output.rs SARIF builder

Agent-Logs-Url: https://github.com/elicpeter/nyx/sessions/cd7ff398-134e-4728-a5e7-0353a0744423

Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>

* refactor: improve code formatting and readability in output.rs

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: elicpeter <54954007+elicpeter@users.noreply.github.com>
Co-authored-by: elipeter <elicpeter@gmail.com>

* refactor: improve code formatting and readability in output.rs

* Potential fix for code scanning alert no. 210: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Potential fix for code scanning alert no. 211: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* refactor: enhance triage file path handling with improved error management and validation

* refactor: updated func summaries for richer detail

* refactor: update SSA summary extraction to use canonical FuncKey for distinct entries

* refactor: enhance callee metadata structure to support arity, receiver, and qualifier for better overload resolution

* refactor: add support for keyword arguments in function calls and enhance receiver extraction for method-style calls

* refactor: implement new Flask routes for safe and unsafe shell command execution

* refactor: separate receiver handling in SSA operations and enhance taint propagation

* refactor: improve arity handling by using arg_uses for positional argument count and enhance witness scoring for tainted arguments

* refactor: implement auth decorator extraction and classification for multiple languages

* refactor: enhance Rust module path resolution and use map handling for cross-file disambiguation

* refactor: introduce CalleeQuery struct for structured callee resolution and enhance resolver logic

* refactor: implement same-file identity collision handling for `runTask` to ensure correct resolver behavior

* refactor: standardize default struct initialization across multiple files

* feat: add scripts for formatting checks and auto-fixes with test summaries

* refactor: simplify character splitting and enhance namespace qualifier handling

* refactor: improve documentation clarity and enhance code readability in resolver logic

* refactor: replace default struct initialization with explicit field assignments for clarity

* feat: enhance anonymous function naming by deriving context-based bindings

* refactor: streamline match expressions for improved readability and performance

* refactor: streamline match expressions for improved readability and performance

* refactor: replace loop with while let for improved clarity and performance

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: add SSA constant propagation support to analysis context for improved accuracy

* feat: implement shell metacharacter validation and bounded-length checks in Rust analysis

* feat: add static map analysis for command injection suppression and type safety

* refactor: simplify match statements and reduce line breaks for improved readability

* feat(summary): phase 1/5 SinkSite data model for primary sink-location attribution

Introduce SinkSite (file_rel, line, col, snippet, cap) carrying the
primary sink source-location through function summaries. Swap
SsaFuncSummary.param_to_sink and FuncSummary.param_to_sink from a coarse
Cap map to a deduped SmallVec<[SinkSite; 1]> per parameter, with a
backward-compatible cap_sites() helper and serde defaults so pre-phase-1
on-disk rows continue to deserialise cleanly.

Extraction: SinkSiteLocator bundles the tree/bytes/file_rel needed by
extract_ssa_func_summary; ParsedFile::extract_ssa_artifacts wires the
locator in for the persisted pass-1 path, while pass-2 intra-file
transient summaries fall back to cap-only sites (behavior unchanged).
Merge: GlobalSummaries::insert now unions sink sites with
(file_rel, line, col, cap) dedup via shared union_param_sink_sites
helper.

Database: JSON-serialised summary columns carry the new shape
automatically; no schema change needed.

Phase 2 will consume SinkSite in build_taint_diag() to overwrite the
caller-site Finding.line with the callee's sink line when resolved via
summary. Phase 1 keeps behavior unchanged: scanning
tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs still produces the
same (wrong) line 10 finding.

Adds round-trip tests covering SinkSite solo, SsaFuncSummary with sink
sites, legacy-JSON default handling for both summary types, and merge
dedup.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* feat(taint): phase 2/5 thread SinkSite into SsaTaintEvent and Finding

Plumb Phase 1's SinkSite through the event pipeline into Findings,
no output change yet.  SsaTaintEvent gains `primary_sink_site:
Option<SinkSite>`; when the main or callback sink-emission path has
non-empty `param_to_sink_sites`, filter to sites whose
`(line != 0) && (cap ∩ sink_caps != ∅)` and emit one event per
distinct site — the multi-primary collapse keeps each downstream
Finding single-primary.

Resolution: ResolvedSummary and SinkInfo gain mirror
`param_to_sink_sites` fields, populated from `SsaFuncSummary.param_to_sink`
(SSA + callback paths) and `FuncSummary.param_to_sink` (global paths).
Label, local-summary, and interop resolution paths leave the field
empty — they only ever had cap-level info to begin with.

Finding: new `primary_location: Option<SinkLocation>` with
`file_rel/line/col`.  `ssa_events_to_findings` maps
`event.primary_sink_site` → `Finding.primary_location`, filtering
cap-only sites (`line == 0`) to `None` so the (0,0) sentinel never
leaks to formatters.  Dedup key extended with the primary location
so multi-site events aren't collapsed back together.

Invariants (debug_assert!):
* every SinkSite reaching emission has `line != 0 && cap ∩ sink_caps
  != ∅` — enforced by the pick_primary_sink_sites* filters;
* every populated Finding.primary_location has `line != 0` AND
  non-empty `file_rel` — the cap-only → None translation upstream
  guarantees this.

Deliberately independent of `uses_summary`: that flag tracks whether
the *taint chain* used a summary, whereas primary attribution
requires only that the *sink* itself was summary-resolved.  A local
source reaching a cross-file sink produces `uses_summary=false`
alongside a populated primary_location — documented on
Finding.primary_location, covered by
`cross_file_sink_finding_carries_primary_location`.

build_taint_diag, SARIF/JSON/explanation formatters, and the
benchmark scorer remain untouched: finding.line still comes from
`cfg_graph[finding.sink]`, so cmdi_indirect.rs still reports line 10
and the benchmark's rs-cmdi-003 row still shows FN in the LOC column.

Tests: `cross_file_sink_finding_carries_primary_location` (proves
plumbing via a synthetic FuncSummary carrying a SinkSite at 42:5) and
`cross_file_sink_cap_only_site_leaves_primary_location_none`
(regression guard against cap-only sites surfacing).  All 1566 lib
tests + integration tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(output): phase 3/5 consume primary sink location in diag + SARIF

When a finding's primary_location (populated in phase 2 from a callee
summary's SinkSite) names the dangerous instruction inside a callee
body, attribute the diagnostic line to that location instead of the
caller's call site. The call site is demoted to a Call step in
flow_steps, and a synthetic Sink step at the primary location is
appended so analysts still see the full trace.

Changes:
- Add scan_root parameter to build_taint_diag so file_rel can be
  resolved back to an absolute path via a shared resolve_file_rel
  helper. Empty file_rel (single-file scans where namespace == "")
  resolves to the file under analysis.
- Extend SinkLocation with snippet, carried from the upstream
  SinkSite so the formatter needs no second file read.
- Relax the ssa_events_to_findings debug_assert to allow empty
  file_rel, which is valid when scan root equals the file itself.
- SARIF: emit data-flow as codeFlows[0].threadFlows[0].locations[];
  locations[0] already reflects the primary sink position via the
  updated diag line/col.

Acceptance: scan on tests/benchmark/corpus/rust/cmdi/cmdi_indirect.rs
now reports line 5 (Command::new) as the primary sink, with the call
site at line 10 visible in flow_steps.

Two expect.json fixtures updated (must_match line_range widened):
- javascript/taint/context_sensitive_call: 12-14 -> 7-14 (line 8 is
  the real sink inside run()).
- rust/cfg/closure_async: 10-10 -> 10-11 (line 11 is Command::new
  inside the closure).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(bench): phase 4/5 validate primary sink attribution across corpus

Extend the benchmark scorer and ground truth to lock in phase 3's
primary-location behavior, and add fixtures that exercise the new
capability end-to-end.

Scorer (tests/benchmark_test.rs):
- Add optional `expected_call_site_lines: Option<Vec<[usize; 2]>>` on
  Case. When present, score_location_level additionally requires at
  least one flow_step in the finding's evidence trace to fall within
  ±2 of the call-site range. When absent, the check is skipped —
  fully forward-compatible with existing fixtures.
- Retain ±2 tolerance on expected_sink_lines (compared against the
  now-primary Diag.line post-phase-3).

Ground truth edits:
- rs-cmdi-cross-001: expected_sink_lines [8,8] -> [9,9]. Line 8 is the
  transform::wrap call site (a cross-file propagator, not a sink);
  line 9 is Command::new, the real sink. The ±2 tolerance happened to
  mask this stale attribution but it was semantically wrong — phase 4
  is the right time to correct it. Also adds expected_call_site_lines
  [8,8] so the new field is exercised on an existing cross-file case.
- rs-cmdi-003: adds expected_call_site_lines [10,10] (run_cmd call).
  This fixture's sink (Command::new inside run_cmd at line 5) was the
  motivating case for phases 1-3; adding the call-site assertion
  guards against regression to caller-line attribution.

New fixtures:
- rust/cmdi/cmdi_indirect_multisink.rs (rs-cmdi-009): helper run_both
  takes two tainted params and invokes two Command sinks on
  consecutive lines. Locks in that primary line lands inside the
  helper (lines 5-6), not at the caller (line 12). Notes document
  that SinkSite is currently one-per-callee so both findings today
  collapse onto the first sink; expected_sink_lines=[5,6] and
  expected_call_site_lines=[12,12] stay valid either way.
- python/cmdi/cross_indirect_sink/{app.py,helper.py} (py-cmdi-cross-
  004): sink os.system lives in helper.py (cross-file), caller in
  app.py reads env source and calls run_cmd. Verifies phase 3's
  cross-file primary attribution: Diag.path = helper.py, Diag.line =
  5, with app.py:7 recorded in flow_steps as a Call step.

Acceptance:
- `cargo test --test benchmark_test -- --ignored --nocapture` passes.
- rs-cmdi-003 is TP/TP/TP (the target flip FN->TP at LOC). All
  pre-existing TP/TP/TP fixtures remain TP/TP/TP; 2 new fixtures are
  TP/TP/TP.
- Aggregate rule-level: TP=158 FP=10 FN=1 TN=97, P=0.940 R=0.994
  F1=0.966 on the 266-case corpus (was TP=156 FP=10 FN=1 TN=97 on
  264 pre-phase-4, delta is the +2 new cases both resolving TP).
- Full `cargo test` green (1566 lib tests + all integration tests).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(taint): phase 5/5 lock Finding.primary_location contract via regression test

Add a regression test in src/taint/ssa_transfer.rs that wires up a synthetic
SsaFuncSummary with a SinkSite at other.rs:42:10 and drives the three
emission stages (pick_primary_sink_sites → emit_ssa_taint_events →
ssa_events_to_findings) against a minimal caller SSA body.  Asserts the
resulting Finding.primary_location is exactly that triple.

The existing integration tests in src/taint/tests.rs cover the coarse
FuncSummary path end-to-end through analyse_file.  This test locks in the
lower-level SSA-side plumbing so a future refactor that silently drops the
site between pick → emit → findings fails here rather than only at the
benchmark layer.

Also refreshes tests/benchmark/results/latest.json (timestamp only; rs-cmdi-003
remains TP/TP/TP and the aggregate P/R/F1 are unchanged from phase 4).

Closes the primary sink-location attribution feature (phases 1-5/5):
* Phase 1 — SinkSite data model on summaries.
* Phase 2 — SinkSite threaded into SsaTaintEvent and Finding.
* Phase 3 — diag + SARIF consume primary_location.
* Phase 4 — benchmark validates primary_call_site_lines across corpus.
* Phase 5 — regression test locks the event→finding contract.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor: clean up formatting and improve readability in multiple files

* refactor: simplify type definition for deduplication key in findings

* test(harness): add must_not_match expectation for FP regression guards

Extends ExpectedFinding with must_not_match field that asserts a
diagnostic must NOT fire — presence is a hard failure. Non-consuming
scan so it coexists with must_match entries on the same rule_id.
Adds forbidden_violations accumulator and updates summary line.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(regression): update expectations to ensure must_not_match for various taint and resource leak rules

* feat: implement auto-seeding for JS/TS handler parameters to enhance taint tracking

* feat: update switch statement handling to improve control flow analysis

* feat: implement promisify alias handling for JS/TS to enhance taint tracking

* feat: enhance taint tracking by refining expectation handling and adding mode filtering

* feat: refine SQL handling in stream processing and enhance auto-seeding for handler parameters

* feat: update taint tracking rules to enforce full mode matching and improve flow analysis

* feat: enhance Ruby subshell handling to improve taint tracking and flow analysis

* feat: update xss_response expectations to refine taint flow analysis and enhance regression guarding

* feat: refine framework detection and update expectation handling for Echo and Sinatra

* feat: implement max_count for taint tracking expectations and deduplicate findings

* feat: add strict_unexpected handling for taint-unsanitised-flow in expectation files

* feat: enhance deduplication of taint-unsanitised-flow findings by collapsing based on line and severity

* feat: add strict_unexpected handling for taint-unsanitised-flow in multiple expectation files

* feat: add structural invariant checks for SSA bodies

* feat: ensure deterministic phi emission order using BTreeSet

* feat: enhance handling of terminators to ensure authoritative flow through successor edges

* feat: enhance Goto terminator handling to ensure all successors are marked executable

* feat: refactor code for improved readability and organization

* feat: simplify predicate checks and enhance readability in SSA handling

* feat: implement per-file parse timeout and enhance file size handling

* feat: migrate analysis engine toggles from environment variables to configuration file

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: remove unnecessary whitespace in hostile_input_tests.rs

* feat: update dependencies and enhance documentation on language maturity

* feat: enhance security headers and improve request body limits

* feat: implement sink capability bits for deduplication and enhance evidence tagging

* feat: implement dynamic activation handling for gated sinks and enhance validation logic

* feat: enhance configuration documentation and clarify inline analysis cache behavior

* feat: implement panic recovery during analysis to continue scans past errors

* feat: add expectations configuration for taint analysis and performance metrics

* feat: enhance error handling and logging during file reading and mutex locking

* feat: add cross-file body loading tests and plumbing for CF-1 phase

* feat: implement cross-file k=1 context-sensitive inline taint analysis with new tests and fixtures

* feat: implement indexed-scan parity in cross-file inline analysis with new dropdown and copy functionality

* feat: enhance classification span handling in CFG and AST for improved source attribution

* feat: add new Express routes for handling user input and telemetry data

* feat: implement ternary expression handling in CFG with diamond structure for JS/TS

* feat: implement Phase CF-3 abstract-domain transfer channels in summaries

* feat: add support for string-prefix transfer in cross-file calls and update tests

* docs: reduce RESULTS.md doc size

* feat: implement Phase CF-4 per-return-path summary decomposition with tests

* feat: update parameter handling in pass1 and refactor SsaFuncSummary initialization

* feat: implement Phase CF-5 for cross-file SCC joint fixed-point convergence with new flags and tests

* feat: implement Phase CF-6 with parameter-granularity points-to summaries and associated tests

* refactor: update comments and documentation for clarity and consistency

* style: format code for consistency and readability

* refactor: simplify verdict handling and improve edge checking logic

* refactor: optimize path and identifier collection by avoiding unnecessary cloning

* chore: update Cargo.toml for Rust version 1.85 and add ignored files; modify CHANGELOG and README for clarity on state analysis defaults

* refactor: update documentation and improve clarity in configuration files

* refactor: update documentation and improve clarity in configuration files

* feat: add JS/TS pass-2 convergence tests and expectations configuration

* feat: add Phase 5 regression tests for inline cache origin attribution and update related logic

* feat: implement Phase 7 deduplication and alternative path linking for taint findings

* feat: implement structural DFS index for anonymous functions and update naming conventions

* feat: add Phase 8 regression tests for container-element taint in JS and Python

* feat: add engine-depth profiles and explain-engine option for CLI

* feat: update expectations and add new README fixtures for multi-file scan regression

* feat: implement Phase 11 callback-alias and factory patterns with regression tests

* feat: implement Terminator::Switch for multi-way dispatch and add regression tests

* feat: add real-CVE benchmark fixtures for CVE-2023-48022, CVE-2019-14939, and CVE-2023-26159 with corresponding patched variants

* refactor: extract cfg and ssa_transfer to submodules

* refactor: cargo fmt

* refactor: remove unnecessary blank line in cfg_tests.rs

* refactor: remove unnecessary planning file

* chore: update Rust version to 1.88 and bump dependencies in Cargo files

* feat: enhance triage UI with new layout and controls, update README for clarity

* feat: enhance triage UI with new layout and controls, update README for clarity

* chore: remove outdated section from README for version 0.5.0

* docs: improve clarity and consistency in README content

* chore: add "GPL-3.0-or-later" to license options in about.toml

* chore: update license handling in about.toml and check-licenses.mjs

* style: format code for improved readability in TriagePage component

* style: format code for improved readability in TriagePage component

* chore: enhance license handling and improve body_id scoping in seed lookup

* feat: introduce owner and parent body IDs for enhanced seed scoping

* feat: implement direction-aware engine provenance with new CLI flag for strict CI gating

* feat: add Undef SSA operation for improved control-flow handling

* style: improve code formatting for consistency and readability in multiple files

* feat: add 16-function chain SCC across multiple files for enhanced analysis

* style: simplify code formatting for improved readability in multiple files

* fix: update CapHitReason default implementation and improve README clarity

* docs: enhance README with detailed explanations of taint analysis and limitations

* docs: refine README for clarity and consistency in taint analysis section

* style: improve code formatting for better readability in NewScanModal and scans

* fix: update cargo-about command to use --offline for deterministic license generation

* fix: update cargo-about command to use --offline for deterministic license generation

* ci: add step to prime cargo registry cache for deterministic license generation

* feat: add support for non-sink collections in authorization analysis

* feat: enhance authorization checks with row-level ownership equality and binding tracking

* feat: implement self-scoped user handling and enhance ownership checks

* refactor: simplify assertions and formatting in authorization analysis tests

* fix: normalize line endings in THIRDPARTY-LICENSES.html generation and update README with AI disclosure

* docs: update AI disclosure section for clarity and conciseness

* feat: add AI Contribution Policy and update contributing guidelines for AI assistance disclosure

* feat: enhance authorization analysis with SSA-derived variable type classification

* feat: implement auth_finding_to_diag function for enhanced security diagnostics

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add args_value_refs to CallSite struct for enhanced argument tracking

* feat: add direction-aware engine provenance with LossDirection classification and new CLI flag

* feat: simplify strip_cap_from_call_args call by removing unnecessary line breaks

* feat: enhance error message handling in cli_validation_tests for better Windows compatibility

* feat: optimize release profile settings in Cargo.toml and update CodeQL configuration

* feat: enhance release build process with SBOM generation and SLSA provenance

* feat: update actions/checkout and actions/setup-node to v6, enhance CLI options, and improve auth-check summaries

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: introduce PathFact handling for path safety checks and rejection logic

* feat: update benchmark data and enhance path sanitization logic with new safety checks

* feat: document AI assistance in frontend UI development and human review process

* feat: add return path facts for enhanced path safety checks and update documentation

* chore: update release date for version 0.5.0 in CHANGELOG.md

* chore: clean up ci.yml by removing outdated comments and clarifying steps

* feat: implement cross-language path sanitizers and validators for enhanced security

* feat: enhance SSA value usage tracking by including block terminators and improve path safety checks

* feat: enhance switch statement handling by adding per-case path constraints and support for exclusive cases

* refactor: simplify conditional formatting and improve code readability in executor and lower modules

* feat: add vulnerable examples for various languages demonstrating authentication and sanitization issues

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: enhance actor context recognition for self-actor identifiers and add support for global non-sink receivers

* feat: add transform classifiers for Java, Go, and Ruby with corresponding tests

* refactor: clarify comments on reassign-to-constant idiom and sink behavior in guards.rs

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Eli Peter 2026-04-25 17:59:11 -04:00 committed by GitHub
parent c4ce08b452
commit 41128177d2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2144 changed files with 201812 additions and 8927 deletions
Download patch file Download diff file Expand all files Collapse all files

273
src/auth_analysis/extract/actix_web.rs Normal file
View file

@ -0,0 +1,273 @@
use super::AuthExtractor;
use super::axum::{
GuardFramework, apply_aliases, dedup_call_sites, expanded_guard_call_sites,
guard_calls_for_handler, inject_guard_checks, rust_param_aliases,
};
use super::common::{
attach_route_handler, call_name, collect_top_level_units, named_children, resolve_handler_node,
string_literal_value,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{
AuthorizationModel, CallSite, Framework, HttpMethod, RouteRegistration,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct ActixWebExtractor;
impl AuthExtractor for ActixWebExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "rust"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::ActixWeb))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
collect_routes(root, root, bytes, path, rules, &mut model);
model
}
}
fn collect_routes(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_routes(root, child, bytes, path, rules, model);
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if call_name(node, bytes).rsplit('.').next() != Some("route") {
return;
}
let receiver = node.child_by_field_name("function").and_then(|function| {
function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
});
let receiver_spec = receiver
.map(|r| parse_service_receiver(r, bytes))
.unwrap_or_default();
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let (route_suffix, builder_node) = if args.len() >= 2 {
let Some(route_path) = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
else {
return;
};
let Some(builder_node) = args.get(1).copied() else {
return;
};
(route_path, builder_node)
} else if args.len() == 1 && !receiver_spec.resource_path.is_empty() {
(String::new(), args[0])
} else {
return;
};
let Some(spec) = parse_route_builder(builder_node, bytes) else {
return;
};
let Some(handler_node) = resolve_handler_node(root, spec.handler_expr, bytes) else {
return;
};
let Some(handler) = attach_route_handler(
root,
spec.handler_expr,
format!(
"{:?} {}",
spec.method,
join_paths(
&join_paths(&receiver_spec.scope_prefix, &receiver_spec.resource_path),
&route_suffix
)
),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = receiver_spec.middleware_calls;
middleware_calls.extend(spec.middleware_calls);
let guard_calls =
guard_calls_for_handler(handler_node, &route_suffix, bytes, GuardFramework::ActixWeb);
middleware_calls.extend(guard_calls.clone());
dedup_call_sites(&mut middleware_calls);
if let Some(unit) = model.units.get_mut(handler.unit_idx) {
let aliases =
rust_param_aliases(handler_node, &route_suffix, bytes, GuardFramework::ActixWeb);
apply_aliases(unit, &aliases);
inject_guard_checks(unit, &guard_calls, rules);
}
model.routes.push(RouteRegistration {
framework: Framework::ActixWeb,
method: spec.method,
path: join_paths(
&join_paths(&receiver_spec.scope_prefix, &receiver_spec.resource_path),
&route_suffix,
),
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span: handler.span,
handler_params: handler.params,
file: path.to_path_buf(),
line: handler.line,
unit_idx: handler.unit_idx,
middleware_calls,
});
}
#[derive(Default)]
struct ReceiverSpec {
scope_prefix: String,
resource_path: String,
middleware_calls: Vec<CallSite>,
}
fn parse_service_receiver(node: Node<'_>, bytes: &[u8]) -> ReceiverSpec {
if node.kind() != "call_expression" {
return ReceiverSpec::default();
}
let name = call_name(node, bytes);
let method = name.rsplit('.').next().unwrap_or_default();
let receiver = node.child_by_field_name("function").and_then(|function| {
function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
});
let mut spec = receiver
.map(|receiver| parse_service_receiver(receiver, bytes))
.unwrap_or_default();
match method {
"scope" => {
if let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(prefix) = named_children(arguments)
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
{
spec.scope_prefix = join_paths(&spec.scope_prefix, &prefix);
}
}
"resource" => {
if let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(path) = named_children(arguments)
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
{
spec.resource_path = path;
}
}
"wrap" | "guard" => {
if let Some(arguments) = node.child_by_field_name("arguments") {
for arg in named_children(arguments) {
spec.middleware_calls
.extend(expanded_guard_call_sites(arg, bytes));
}
}
}
_ => {}
}
spec
}
struct BuilderSpec<'tree> {
method: HttpMethod,
handler_expr: Node<'tree>,
middleware_calls: Vec<CallSite>,
}
fn parse_route_builder<'tree>(node: Node<'tree>, bytes: &[u8]) -> Option<BuilderSpec<'tree>> {
let name = call_name(node, bytes);
let method = name.rsplit('.').next().unwrap_or_default();
if matches!(method, "to" | "guard") {
let receiver = node.child_by_field_name("function").and_then(|function| {
function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
})?;
let mut spec = parse_route_builder(receiver, bytes)?;
if method == "to" {
let args = node
.child_by_field_name("arguments")
.map(named_children)
.unwrap_or_default();
spec.handler_expr = *args.last()?;
} else if let Some(arguments) = node.child_by_field_name("arguments") {
for arg in named_children(arguments) {
spec.middleware_calls
.extend(expanded_guard_call_sites(arg, bytes));
}
}
return Some(spec);
}
let method = actix_http_method(method)?;
Some(BuilderSpec {
method,
handler_expr: node,
middleware_calls: Vec::new(),
})
}
fn actix_http_method(name: &str) -> Option<HttpMethod> {
match name {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
_ => None,
}
}
fn join_paths(prefix: &str, route: &str) -> String {
match (prefix.trim_end_matches('/'), route.trim_start_matches('/')) {
("", "") => "/".to_string(),
("", route) => format!("/{route}"),
(prefix, "") => prefix.to_string(),
(prefix, route) => format!("{prefix}/{route}"),
}
}

617
src/auth_analysis/extract/axum.rs Normal file
View file

@ -0,0 +1,617 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_name, call_site_from_node, call_sites_from_value,
collect_top_level_units, function_definition_node, named_children, resolve_handler_node,
string_literal_value, text,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{
AuthCheck, AuthCheckKind, AuthorizationModel, CallSite, Framework, HttpMethod,
RouteRegistration, ValueRef, ValueSourceKind,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct AxumExtractor;
impl AuthExtractor for AxumExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "rust"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Axum))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
collect_routes(root, root, bytes, path, rules, &mut model);
model
}
}
fn collect_routes(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_routes(root, child, bytes, path, rules, model);
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if call_name(node, bytes).rsplit('.').next() != Some("route") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some(route_spec) = args.get(1).copied() else {
return;
};
let Some(spec) = parse_method_router(route_spec, bytes) else {
return;
};
let Some(handler_node) = resolve_handler_node(root, spec.handler_expr, bytes) else {
return;
};
let Some(handler) = attach_route_handler(
root,
spec.handler_expr,
format!("{:?} {}", spec.method, route_path),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = inherited_layer_calls(node, bytes);
middleware_calls.extend(spec.middleware_calls.clone());
let guard_calls =
guard_calls_for_handler(handler_node, &route_path, bytes, GuardFramework::Axum);
middleware_calls.extend(guard_calls.clone());
dedup_call_sites(&mut middleware_calls);
if let Some(unit) = model.units.get_mut(handler.unit_idx) {
let aliases = rust_param_aliases(handler_node, &route_path, bytes, GuardFramework::Axum);
apply_aliases(unit, &aliases);
inject_guard_checks(unit, &guard_calls, rules);
}
model.routes.push(RouteRegistration {
framework: Framework::Axum,
method: spec.method,
path: route_path,
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span: handler.span,
handler_params: handler.params,
file: path.to_path_buf(),
line: handler.line,
unit_idx: handler.unit_idx,
middleware_calls,
});
}
struct MethodRouterSpec<'tree> {
method: HttpMethod,
handler_expr: Node<'tree>,
middleware_calls: Vec<CallSite>,
}
fn parse_method_router<'tree>(node: Node<'tree>, bytes: &[u8]) -> Option<MethodRouterSpec<'tree>> {
let last = call_name(node, bytes).rsplit('.').next()?.to_string();
if let Some(method) = axum_http_method(&last) {
let args = node
.child_by_field_name("arguments")
.map(named_children)
.unwrap_or_default();
let handler_expr = *args.last()?;
return Some(MethodRouterSpec {
method,
handler_expr,
middleware_calls: Vec::new(),
});
}
if node.kind() != "call_expression" {
return None;
}
let function = node.child_by_field_name("function")?;
let receiver = function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))?;
let mut spec = parse_method_router(receiver, bytes)?;
match last.as_str() {
"layer" | "route_layer" => {
if let Some(arguments) = node.child_by_field_name("arguments") {
for arg in named_children(arguments) {
spec.middleware_calls
.extend(expanded_guard_call_sites(arg, bytes));
}
}
Some(spec)
}
_ => None,
}
}
fn axum_http_method(name: &str) -> Option<HttpMethod> {
match name {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
"any" => Some(HttpMethod::All),
_ => None,
}
}
fn inherited_layer_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let Some(function) = node.child_by_field_name("function") else {
return Vec::new();
};
let Some(receiver) = function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
else {
return Vec::new();
};
collect_layer_calls(receiver, bytes)
}
fn collect_layer_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
if node.kind() != "call_expression" {
return Vec::new();
}
let mut calls = Vec::new();
let name = call_name(node, bytes);
if matches!(name.rsplit('.').next(), Some("layer" | "route_layer"))
&& let Some(arguments) = node.child_by_field_name("arguments")
{
for arg in named_children(arguments) {
calls.extend(expanded_guard_call_sites(arg, bytes));
}
}
if let Some(function) = node.child_by_field_name("function")
&& let Some(receiver) = function
.child_by_field_name("object")
.or_else(|| function.child_by_field_name("argument"))
{
calls.extend(collect_layer_calls(receiver, bytes));
}
calls
}
#[derive(Clone, Copy)]
pub(crate) enum GuardFramework {
Axum,
ActixWeb,
Rocket,
}
pub(crate) fn rust_param_aliases(
handler_node: Node<'_>,
route_path: &str,
bytes: &[u8],
framework: GuardFramework,
) -> HashMap<String, ValueSourceKind> {
let mut aliases = HashMap::new();
let Some(parameters) = function_definition_node(handler_node).child_by_field_name("parameters")
else {
return aliases;
};
let path_names = route_placeholder_names(route_path);
let query_names = route_query_placeholder_names(route_path);
for param in named_children(parameters) {
let param_text = text(param, bytes);
if param.kind() == "self_parameter" || param_text.trim().is_empty() {
continue;
}
let binding = rust_binding_name(&param_text);
let type_text = rust_param_type_text(param, bytes, &param_text);
if binding.is_empty() || type_text.is_empty() {
continue;
}
let kind = match framework {
GuardFramework::Axum => classify_axum_param(&binding, &type_text),
GuardFramework::ActixWeb => classify_actix_param(&binding, &type_text),
GuardFramework::Rocket => {
classify_rocket_param(&binding, &type_text, &path_names, &query_names)
}
};
if let Some(kind) = kind {
aliases.insert(binding, kind);
}
}
aliases
}
pub(crate) fn guard_calls_for_handler(
handler_node: Node<'_>,
route_path: &str,
bytes: &[u8],
framework: GuardFramework,
) -> Vec<CallSite> {
let mut calls = Vec::new();
let Some(parameters) = function_definition_node(handler_node).child_by_field_name("parameters")
else {
return calls;
};
let span = (handler_node.start_byte(), handler_node.end_byte());
let path_names = route_placeholder_names(route_path);
let query_names = route_query_placeholder_names(route_path);
for param in named_children(parameters) {
let param_text = text(param, bytes);
if param.kind() == "self_parameter" || param_text.trim().is_empty() {
continue;
}
let type_text = rust_param_type_text(param, bytes, &param_text);
let Some(kind) = (match framework {
GuardFramework::Axum => classify_guard_type(&type_text),
GuardFramework::ActixWeb => classify_guard_type(&type_text),
GuardFramework::Rocket => classify_rocket_guard_type(
&type_text,
&rust_binding_name(&param_text),
&path_names,
&query_names,
),
}) else {
continue;
};
let name = type_last_segment(&type_text);
if !name.is_empty() {
calls.push(CallSite {
name,
args: Vec::new(),
span,
args_value_refs: Vec::new(),
});
if matches!(kind, AuthCheckKind::AdminGuard) {
calls.push(CallSite {
name: "require_admin".to_string(),
args: Vec::new(),
span,
args_value_refs: Vec::new(),
});
}
}
}
dedup_call_sites(&mut calls);
calls
}
fn classify_axum_param(binding: &str, type_text: &str) -> Option<ValueSourceKind> {
if wrapper_type_matches(type_text, &["Path"]) {
Some(ValueSourceKind::RequestParam)
} else if wrapper_type_matches(type_text, &["Query"]) {
Some(ValueSourceKind::RequestQuery)
} else if wrapper_type_matches(type_text, &["Json", "Form"]) {
Some(ValueSourceKind::RequestBody)
} else if wrapper_type_matches(type_text, &["State", "Extension"]) || binding == "session" {
Some(ValueSourceKind::Session)
} else {
None
}
}
fn classify_actix_param(binding: &str, type_text: &str) -> Option<ValueSourceKind> {
if wrapper_type_matches(type_text, &["Path"]) {
Some(ValueSourceKind::RequestParam)
} else if wrapper_type_matches(type_text, &["Query"]) {
Some(ValueSourceKind::RequestQuery)
} else if wrapper_type_matches(type_text, &["Json", "Form"]) {
Some(ValueSourceKind::RequestBody)
} else if wrapper_type_matches(type_text, &["Session", "Identity", "ReqData"])
|| binding == "session"
{
Some(ValueSourceKind::Session)
} else {
None
}
}
fn classify_rocket_param(
binding: &str,
type_text: &str,
path_names: &[String],
query_names: &[String],
) -> Option<ValueSourceKind> {
if wrapper_type_matches(type_text, &["Json", "Form"]) {
Some(ValueSourceKind::RequestBody)
} else if wrapper_type_matches(type_text, &["State", "Session"]) || binding == "session" {
Some(ValueSourceKind::Session)
} else if query_names.iter().any(|name| name == binding) {
Some(ValueSourceKind::RequestQuery)
} else if path_names.iter().any(|name| name == binding) {
Some(ValueSourceKind::RequestParam)
} else {
None
}
}
fn classify_guard_type(type_text: &str) -> Option<AuthCheckKind> {
let lower = type_text.to_ascii_lowercase();
if is_extractor_wrapper(&lower) {
return None;
}
if lower.contains("admin") {
Some(AuthCheckKind::AdminGuard)
} else if lower.contains("user")
|| lower.contains("auth")
|| lower.contains("session")
|| lower.contains("identity")
{
Some(AuthCheckKind::LoginGuard)
} else {
None
}
}
fn classify_rocket_guard_type(
type_text: &str,
binding: &str,
path_names: &[String],
query_names: &[String],
) -> Option<AuthCheckKind> {
if path_names.iter().any(|name| name == binding)
|| query_names.iter().any(|name| name == binding)
{
return None;
}
classify_guard_type(type_text)
}
fn is_extractor_wrapper(lower: &str) -> bool {
lower.contains("path<")
|| lower.contains("query<")
|| lower.contains("json<")
|| lower.contains("form<")
|| lower.contains("state<")
|| lower.contains("extension<")
|| lower.contains("web::")
}
fn wrapper_type_matches(type_text: &str, wrappers: &[&str]) -> bool {
let normalized = type_text.replace(' ', "");
wrappers.iter().any(|wrapper| {
normalized.contains(&format!("{wrapper}<")) || normalized.contains(&format!("::{wrapper}<"))
})
}
fn rust_binding_name(param_text: &str) -> String {
let before_colon = param_text.split(':').next().unwrap_or(param_text).trim();
let tokens: Vec<&str> = before_colon
.split(|ch: char| !(ch.is_ascii_alphanumeric() || ch == '_'))
.filter(|token| !token.is_empty() && *token != "mut")
.collect();
tokens.last().copied().unwrap_or_default().to_string()
}
fn rust_param_type_text(param: Node<'_>, bytes: &[u8], param_text: &str) -> String {
param
.child_by_field_name("type")
.map(|node| text(node, bytes))
.or_else(|| {
param_text
.split_once(':')
.map(|(_, ty)| ty.trim().to_string())
})
.unwrap_or_default()
}
fn route_placeholder_names(route_path: &str) -> Vec<String> {
route_path
.split(['/', '<', '>', ':', '{', '}'])
.filter(|segment| !segment.is_empty())
.filter(|segment| !segment.contains('?'))
.filter(|segment| {
route_path.contains(&format!("<{segment}>"))
|| route_path.contains(&format!(":{segment}"))
|| route_path.contains(&format!("{{{segment}}}"))
})
.map(|segment| segment.to_string())
.collect()
}
fn route_query_placeholder_names(route_path: &str) -> Vec<String> {
let Some((_, query)) = route_path.split_once('?') else {
return Vec::new();
};
query
.split('&')
.filter_map(|segment| {
if let Some(name) = segment.strip_prefix('<').and_then(|s| s.strip_suffix('>')) {
Some(name.to_string())
} else {
segment
.split('=')
.next()
.map(str::trim)
.filter(|name| !name.is_empty())
.map(|name| name.to_string())
}
})
.collect()
}
fn type_last_segment(type_text: &str) -> String {
type_text
.trim_start_matches('&')
.split(|ch: char| !(ch.is_ascii_alphanumeric() || ch == '_' || ch == ':'))
.find(|segment| !segment.is_empty())
.and_then(|segment| segment.rsplit("::").next())
.unwrap_or_default()
.to_string()
}
pub(crate) fn expanded_guard_call_sites(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let mut calls = call_sites_from_value(node, bytes);
if node.kind() == "call_expression" {
let name = call_name(node, bytes);
if matches!(
name.rsplit('.').next(),
Some("from_fn" | "from_fn_with_state" | "wrap_fn" | "fn_guard")
) && let Some(arguments) = node.child_by_field_name("arguments")
{
for arg in named_children(arguments) {
let inner = call_site_from_node(arg, bytes);
if !inner.name.is_empty() {
calls.push(inner);
}
}
}
}
dedup_call_sites(&mut calls);
calls
}
pub(crate) fn dedup_call_sites(calls: &mut Vec<CallSite>) {
let mut deduped = Vec::new();
for call in calls.drain(..) {
if !deduped.iter().any(|existing: &CallSite| {
existing.name == call.name && existing.span == call.span && existing.args == call.args
}) {
deduped.push(call);
}
}
*calls = deduped;
}
pub(crate) fn apply_aliases(
unit: &mut crate::auth_analysis::model::AnalysisUnit,
aliases: &HashMap<String, ValueSourceKind>,
) {
for value in &mut unit.value_refs {
apply_alias_to_value(value, aliases);
}
for check in &mut unit.auth_checks {
for subject in &mut check.subjects {
apply_alias_to_value(subject, aliases);
}
}
for op in &mut unit.operations {
for subject in &mut op.subjects {
apply_alias_to_value(subject, aliases);
}
}
unit.context_inputs = unit
.value_refs
.iter()
.filter(|value| {
matches!(
value.source_kind,
ValueSourceKind::RequestParam
| ValueSourceKind::RequestBody
| ValueSourceKind::RequestQuery
| ValueSourceKind::Session
)
})
.cloned()
.collect();
}
fn apply_alias_to_value(value: &mut ValueRef, aliases: &HashMap<String, ValueSourceKind>) {
let root = value
.base
.as_deref()
.and_then(first_identifier)
.or_else(|| first_identifier(&value.name));
let Some(root) = root else {
return;
};
let Some(kind) = aliases.get(root) else {
return;
};
if value.source_kind == ValueSourceKind::ArrayIndex && *kind != ValueSourceKind::Session {
return;
}
value.source_kind = *kind;
}
fn first_identifier(input: &str) -> Option<&str> {
let mut end = input.len();
for (idx, ch) in input.char_indices() {
if !(ch.is_ascii_alphanumeric() || ch == '_') {
end = idx;
break;
}
}
if end == 0 { None } else { Some(&input[..end]) }
}
pub(crate) fn inject_guard_checks(
unit: &mut crate::auth_analysis::model::AnalysisUnit,
guard_calls: &[CallSite],
rules: &AuthAnalysisRules,
) {
let line = unit.line;
for call in guard_calls {
let kind = if rules.is_admin_guard(&call.name, &call.args) {
AuthCheckKind::AdminGuard
} else if rules.is_login_guard(&call.name) {
AuthCheckKind::LoginGuard
} else {
continue;
};
unit.auth_checks.push(AuthCheck {
kind,
callee: call.name.clone(),
subjects: Vec::new(),
span: call.span,
line,
args: call.args.clone(),
condition_text: None,
});
}
}

2480
src/auth_analysis/extract/common.rs Normal file
View file

File diff suppressed because it is too large Load diff

449
src/auth_analysis/extract/django.rs Normal file
View file

@ -0,0 +1,449 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, call_site_from_node,
decorated_definition_child, member_chain, named_children, push_route_registration, span,
string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name};
use crate::auth_analysis::extract::common::{attach_route_handler, collect_top_level_units};
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct DjangoExtractor;
impl AuthExtractor for DjangoExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "python"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Django))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call" {
maybe_collect_django_path(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_django_path(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let callee = text(function, bytes);
let target = callee.rsplit('.').next().unwrap_or(&callee);
if !matches!(target, "path" | "re_path") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(route_path) = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
else {
return;
};
let Some(handler_expr) = args.get(1).copied() else {
return;
};
if let Some(class_name) = as_view_class_name(handler_expr, bytes) {
collect_class_based_routes(root, &class_name, &route_path, bytes, path, rules, model);
return;
}
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("All {}", route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = function_view_middleware(root, handler_expr, bytes);
inject_middleware_auth(
model,
handler.unit_idx,
handler.line,
&middleware_calls,
rules,
);
for method in function_view_methods(root, handler_expr, bytes) {
push_route_registration(
model,
Framework::Django,
method,
route_path.clone(),
path,
super::common::ResolvedHandler {
unit_idx: handler.unit_idx,
span: handler.span,
params: handler.params.clone(),
line: handler.line,
},
middleware_calls.clone(),
);
}
}
fn function_view_middleware(root: Node<'_>, handler_expr: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let Some(handler_node) = resolve_function_node(root, handler_expr, bytes) else {
return Vec::new();
};
if handler_node.kind() != "decorated_definition" {
return Vec::new();
}
decorator_expressions(handler_node)
.into_iter()
.filter(|decorator| http_methods_from_decorator(*decorator, bytes).is_none())
.flat_map(|decorator| expand_decorator_calls(decorator, bytes))
.collect()
}
fn function_view_methods(root: Node<'_>, handler_expr: Node<'_>, bytes: &[u8]) -> Vec<HttpMethod> {
let Some(handler_node) = resolve_function_node(root, handler_expr, bytes) else {
return vec![HttpMethod::All];
};
if handler_node.kind() != "decorated_definition" {
return vec![HttpMethod::All];
}
let mut methods = Vec::new();
for decorator in decorator_expressions(handler_node) {
if let Some(found) = http_methods_from_decorator(decorator, bytes) {
methods.extend(found);
}
}
if methods.is_empty() {
vec![HttpMethod::All]
} else {
methods
}
}
fn collect_class_based_routes(
root: Node<'_>,
class_name: &str,
route_path: &str,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(class_node) = find_top_level_class_node(root, class_name, bytes) else {
return;
};
let Some(class_definition) = class_definition_node(class_node) else {
return;
};
let class_middleware = class_middleware_calls(class_node, class_definition, bytes);
let Some(body) = class_definition.child_by_field_name("body") else {
return;
};
for child in named_children(body) {
let method_node =
if child.kind() == "function_definition" || child.kind() == "decorated_definition" {
Some(child)
} else {
None
};
let Some(method_node) = method_node else {
continue;
};
let method_name = function_name(method_node, bytes).unwrap_or_default();
let Some(http_method) = method_name_to_http_method(&method_name) else {
continue;
};
let route_name = format!("{class_name}.{method_name}");
let unit_idx = model.units.len();
let mut unit = build_function_unit(
method_node,
AnalysisUnitKind::RouteHandler,
Some(route_name.clone()),
bytes,
rules,
);
let mut middleware_calls = class_middleware.clone();
if method_node.kind() == "decorated_definition" {
for decorator in decorator_expressions(method_node) {
if http_methods_from_decorator(decorator, bytes).is_none() {
middleware_calls.extend(expand_decorator_calls(decorator, bytes));
}
}
}
let line = method_node.start_position().row + 1;
for call in &middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
let handler_span = span(method_node);
let handler_params = unit.params.clone();
model.units.push(unit);
push_route_registration(
model,
Framework::Django,
http_method,
route_path.to_string(),
path,
super::common::ResolvedHandler {
unit_idx,
span: handler_span,
params: handler_params,
line,
},
middleware_calls,
);
}
}
fn class_middleware_calls(
class_node: Node<'_>,
class_definition: Node<'_>,
bytes: &[u8],
) -> Vec<CallSite> {
let mut calls = Vec::new();
if class_node.kind() == "decorated_definition" {
for decorator in decorator_expressions(class_node) {
calls.extend(expand_decorator_calls(decorator, bytes));
}
}
if let Some(superclasses) = class_definition.child_by_field_name("superclasses") {
for superclass in named_children(superclasses) {
calls.push(call_site_from_node(superclass, bytes));
}
}
calls
}
fn resolve_function_node<'tree>(
root: Node<'tree>,
handler_expr: Node<'tree>,
bytes: &[u8],
) -> Option<Node<'tree>> {
if matches!(handler_expr.kind(), "identifier" | "attribute") {
let candidate = text(handler_expr, bytes);
let name = candidate.rsplit('.').next().unwrap_or(&candidate);
find_top_level_function_node(root, name, bytes)
} else if handler_expr.kind() == "decorated_definition"
|| handler_expr.kind() == "function_definition"
{
Some(handler_expr)
} else {
None
}
}
fn find_top_level_function_node<'tree>(
root: Node<'tree>,
name: &str,
bytes: &[u8],
) -> Option<Node<'tree>> {
for child in named_children(root) {
match child.kind() {
"function_definition" if function_name(child, bytes).as_deref() == Some(name) => {
return Some(child);
}
"decorated_definition" => {
if let Some(definition) = decorated_definition_child(child)
&& definition.kind() == "function_definition"
&& function_name(child, bytes).as_deref() == Some(name)
{
return Some(child);
}
}
_ => {}
}
}
None
}
fn find_top_level_class_node<'tree>(
root: Node<'tree>,
name: &str,
bytes: &[u8],
) -> Option<Node<'tree>> {
for child in named_children(root) {
match child.kind() {
"class_definition" if class_name(child, bytes).as_deref() == Some(name) => {
return Some(child);
}
"decorated_definition" => {
if let Some(definition) = decorated_definition_child(child)
&& definition.kind() == "class_definition"
&& class_name(child, bytes).as_deref() == Some(name)
{
return Some(child);
}
}
_ => {}
}
}
None
}
fn class_definition_node(node: Node<'_>) -> Option<Node<'_>> {
if node.kind() == "class_definition" {
Some(node)
} else {
decorated_definition_child(node).filter(|child| child.kind() == "class_definition")
}
}
fn class_name(node: Node<'_>, bytes: &[u8]) -> Option<String> {
class_definition_node(node)?
.child_by_field_name("name")
.map(|name| text(name, bytes))
}
fn function_name(node: Node<'_>, bytes: &[u8]) -> Option<String> {
let definition = if node.kind() == "decorated_definition" {
decorated_definition_child(node)?
} else {
node
};
definition
.child_by_field_name("name")
.map(|name| text(name, bytes))
}
fn as_view_class_name(handler_expr: Node<'_>, bytes: &[u8]) -> Option<String> {
if handler_expr.kind() != "call" {
return None;
}
let function = handler_expr.child_by_field_name("function")?;
let chain = member_chain(function, bytes);
if chain.len() >= 2 && chain.last().is_some_and(|segment| segment == "as_view") {
return Some(chain[chain.len() - 2].clone());
}
None
}
fn method_name_to_http_method(name: &str) -> Option<HttpMethod> {
match name.to_ascii_lowercase().as_str() {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
"dispatch" => Some(HttpMethod::All),
_ => None,
}
}
fn http_methods_from_decorator(node: Node<'_>, bytes: &[u8]) -> Option<Vec<HttpMethod>> {
if node.kind() == "call" {
let name = text(node.child_by_field_name("function")?, bytes);
if matches_name(&name, "require_http_methods") {
let arguments = node.child_by_field_name("arguments")?;
let first = named_children(arguments).first().copied()?;
let mut methods = Vec::new();
for child in named_children(first) {
if let Some(method) = string_literal_value(child, bytes)
.as_deref()
.and_then(http_method)
{
methods.push(method);
}
}
return Some(methods);
}
}
let call = call_site_from_node(node, bytes);
match call.name.rsplit('.').next().unwrap_or(&call.name) {
"require_GET" => Some(vec![HttpMethod::Get]),
"require_POST" => Some(vec![HttpMethod::Post]),
"require_PUT" => Some(vec![HttpMethod::Put]),
"require_DELETE" => Some(vec![HttpMethod::Delete]),
"require_PATCH" => Some(vec![HttpMethod::Patch]),
_ => None,
}
}
fn http_method(value: &str) -> Option<HttpMethod> {
match value.to_ascii_lowercase().as_str() {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
_ => None,
}
}
fn decorator_expressions(node: Node<'_>) -> Vec<Node<'_>> {
named_children(node)
.into_iter()
.filter(|child| child.kind() == "decorator")
.filter_map(|decorator| named_children(decorator).into_iter().next())
.collect()
}
fn expand_decorator_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
if node.kind() == "call" {
let call = call_site_from_node(node, bytes);
if matches_name(&call.name, "method_decorator")
&& let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(first) = named_children(arguments).first().copied()
{
return vec![call_site_from_node(first, bytes)];
}
return vec![call];
}
vec![call_site_from_node(node, bytes)]
}
fn inject_middleware_auth(
model: &mut AuthorizationModel,
unit_idx: usize,
line: usize,
middleware_calls: &[CallSite],
rules: &AuthAnalysisRules,
) {
let Some(unit) = model.units.get_mut(unit_idx) else {
return;
};
for call in middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
}

209
src/auth_analysis/extract/echo.rs Normal file
View file

@ -0,0 +1,209 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, join_route_paths, member_target, named_children, push_route_registration,
string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct EchoExtractor;
impl AuthExtractor for EchoExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "go"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Echo))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
let mut groups = HashMap::new();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| match node.kind() {
"short_var_declaration" | "assignment_statement" => {
maybe_collect_group_binding(node, bytes, &mut groups)
}
"call_expression" => {
maybe_collect_group_use(node, bytes, &mut groups);
maybe_collect_route(root, node, bytes, path, rules, &groups, &mut model);
}
_ => {}
});
model
}
}
#[derive(Clone, Default)]
struct GroupSpec {
path_prefix: String,
middleware_calls: Vec<CallSite>,
}
fn maybe_collect_group_binding(
node: Node<'_>,
bytes: &[u8],
groups: &mut HashMap<String, GroupSpec>,
) {
let Some(left) = node.child_by_field_name("left") else {
return;
};
let Some(right) = node.child_by_field_name("right") else {
return;
};
let Some(group_call) = named_children(right)
.into_iter()
.find(|child| child.kind() == "call_expression" && is_group_call(*child, bytes))
else {
return;
};
let Some(group_name) = named_children(left)
.into_iter()
.find(|child| child.kind() == "identifier")
.map(|child| text(child, bytes))
else {
return;
};
let Some((base_name, path_prefix, middleware_calls)) = parse_group_call(group_call, bytes)
else {
return;
};
let base = groups.get(&base_name).cloned().unwrap_or_default();
let mut combined = base.middleware_calls;
combined.extend(middleware_calls);
groups.insert(
group_name,
GroupSpec {
path_prefix: join_route_paths(&base.path_prefix, &path_prefix),
middleware_calls: combined,
},
);
}
fn maybe_collect_group_use(node: Node<'_>, bytes: &[u8], groups: &mut HashMap<String, GroupSpec>) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
if method_name != "Use" {
return;
}
let Some(group) = groups.get_mut(&object_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
for arg in named_children(arguments) {
group.middleware_calls.push(call_site_from_node(arg, bytes));
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
groups: &HashMap<String, GroupSpec>,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some(handler_expr) = args
.get(1)
.copied()
.filter(|arg| is_handler_reference(*arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = groups
.get(&object_name)
.map(|group| group.middleware_calls.clone())
.unwrap_or_default();
for middleware in args.iter().skip(2) {
middleware_calls.push(call_site_from_node(*middleware, bytes));
}
let path_prefix = groups
.get(&object_name)
.map(|group| group.path_prefix.as_str())
.unwrap_or("");
push_route_registration(
model,
Framework::Echo,
method,
join_route_paths(path_prefix, &route_path),
path,
handler,
middleware_calls,
);
}
fn is_group_call(node: Node<'_>, bytes: &[u8]) -> bool {
node.child_by_field_name("function")
.and_then(|function| member_target(function, bytes))
.is_some_and(|(_, method_name)| method_name == "Group")
}
fn parse_group_call(node: Node<'_>, bytes: &[u8]) -> Option<(String, String, Vec<CallSite>)> {
let function = node.child_by_field_name("function")?;
let (base_name, method_name) = member_target(function, bytes)?;
if method_name != "Group" {
return None;
}
let arguments = node.child_by_field_name("arguments")?;
let args = named_children(arguments);
let path = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
.unwrap_or_default();
let middleware_calls = args[1..]
.iter()
.map(|arg| call_site_from_node(*arg, bytes))
.collect();
Some((base_name, path, middleware_calls))
}

109
src/auth_analysis/extract/express.rs Normal file
View file

@ -0,0 +1,109 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, member_target, named_children, push_route_registration,
string_literal_value, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct ExpressExtractor;
impl AuthExtractor for ExpressExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
matches!(lang, "javascript" | "typescript")
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Express))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
if !matches!(object_name.as_str(), "router" | "app") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let named_args = named_children(arguments);
let Some(path_node) = named_args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some((handler_idx, handler_expr)) = named_args
.iter()
.enumerate()
.rev()
.find(|(_, arg)| is_handler_reference(**arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
*handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = named_args[1..handler_idx]
.iter()
.map(|middleware| call_site_from_node(*middleware, bytes))
.collect();
push_route_registration(
model,
Framework::Express,
method,
route_path,
path,
handler,
middleware_calls,
);
}

191
src/auth_analysis/extract/fastify.rs Normal file
View file

@ -0,0 +1,191 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_sites_from_value, collect_top_level_units, http_method_from_name,
is_handler_reference, member_target, named_children, object_property_value,
push_route_registration, string_literal_value, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct FastifyExtractor;
impl AuthExtractor for FastifyExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
matches!(lang, "javascript" | "typescript")
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Fastify))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call_expression" {
maybe_collect_shorthand_route(root, node, bytes, path, rules, &mut model);
maybe_collect_route_object(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_shorthand_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
if !matches!(object_name.as_str(), "fastify" | "app" | "server") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let options = args.get(1).copied().filter(|node| node.kind() == "object");
let handler_expr = args
.last()
.copied()
.filter(|node| is_handler_reference(*node))
.or_else(|| options.and_then(|opts| object_property_value(opts, bytes, &["handler"])));
let Some(handler_expr) = handler_expr else {
return;
};
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = options
.map(|opts| collect_fastify_hooks(opts, bytes))
.unwrap_or_default();
push_route_registration(
model,
Framework::Fastify,
method,
route_path,
path,
handler,
middleware_calls,
);
}
fn maybe_collect_route_object(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
if !is_fastify_route_call(function, bytes) {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let Some(route_object) = named_children(arguments).first().copied() else {
return;
};
if route_object.kind() != "object" {
return;
}
let Some(method_text) = object_property_value(route_object, bytes, &["method"])
.and_then(|value| string_literal_value(value, bytes))
else {
return;
};
let Some(method) = http_method_from_name(&method_text) else {
return;
};
let Some(route_path) = object_property_value(route_object, bytes, &["url", "path"])
.and_then(|value| string_literal_value(value, bytes))
else {
return;
};
let Some(handler_expr) = object_property_value(route_object, bytes, &["handler"]) else {
return;
};
let Some(handler) = attach_route_handler(
root,
handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = collect_fastify_hooks(route_object, bytes);
push_route_registration(
model,
Framework::Fastify,
method,
route_path,
path,
handler,
middleware_calls,
);
}
fn collect_fastify_hooks(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let mut hooks = Vec::new();
for field in ["preHandler", "preValidation", "onRequest"] {
if let Some(value) = object_property_value(node, bytes, &[field]) {
hooks.extend(call_sites_from_value(value, bytes));
}
}
hooks
}
fn is_fastify_route_call(node: Node<'_>, bytes: &[u8]) -> bool {
member_target(node, bytes).is_some_and(|(object_name, property)| {
matches!(object_name.as_str(), "fastify" | "app" | "server") && property == "route"
})
}

237
src/auth_analysis/extract/flask.rs Normal file
View file

@ -0,0 +1,237 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, auth_check_from_call_site, call_site_from_node, named_children,
push_route_registration, string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name};
use crate::auth_analysis::extract::common::{collect_top_level_units, decorated_definition_child};
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework, HttpMethod};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct FlaskExtractor;
impl AuthExtractor for FlaskExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "python"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Flask))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "decorated_definition" {
maybe_collect_flask_route(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
#[derive(Clone)]
struct FlaskRouteSpec {
method: HttpMethod,
path: String,
}
fn maybe_collect_flask_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(definition) = decorated_definition_child(node) else {
return;
};
if definition.kind() != "function_definition" {
return;
}
let mut route_specs = Vec::new();
let mut middleware_calls = Vec::new();
for decorator in decorator_expressions(node) {
if let Some(mut specs) = parse_flask_route_decorator(decorator, bytes) {
route_specs.append(&mut specs);
} else {
middleware_calls.extend(expand_decorator_calls(decorator, bytes));
}
}
if route_specs.is_empty() {
return;
}
for spec in route_specs {
let Some(handler) = attach_route_handler(
root,
node,
format!("{:?} {}", spec.method, spec.path),
bytes,
rules,
model,
) else {
continue;
};
inject_middleware_auth(
model,
handler.unit_idx,
handler.line,
&middleware_calls,
rules,
);
push_route_registration(
model,
Framework::Flask,
spec.method,
spec.path,
path,
handler,
middleware_calls.clone(),
);
}
}
fn parse_flask_route_decorator(
decorator_expr: Node<'_>,
bytes: &[u8],
) -> Option<Vec<FlaskRouteSpec>> {
let function = if decorator_expr.kind() == "call" {
decorator_expr.child_by_field_name("function")?
} else {
return None;
};
let callee = text(function, bytes);
let method_name = callee.rsplit('.').next().unwrap_or(&callee);
let arguments = decorator_expr.child_by_field_name("arguments")?;
let args = named_children(arguments);
let route_path = args
.iter()
.find_map(|arg| string_literal_value(*arg, bytes))
.or_else(|| keyword_argument_string(arguments, bytes, "rule"))?;
let methods = match method_name.to_ascii_lowercase().as_str() {
"get" => vec![HttpMethod::Get],
"post" => vec![HttpMethod::Post],
"put" => vec![HttpMethod::Put],
"delete" => vec![HttpMethod::Delete],
"patch" => vec![HttpMethod::Patch],
"route" => parse_methods_keyword(arguments, bytes).unwrap_or_else(|| vec![HttpMethod::Get]),
_ => return None,
};
Some(
methods
.into_iter()
.map(|method| FlaskRouteSpec {
method,
path: route_path.clone(),
})
.collect(),
)
}
fn parse_methods_keyword(arguments: Node<'_>, bytes: &[u8]) -> Option<Vec<HttpMethod>> {
let value = keyword_argument_value(arguments, bytes, "methods")?;
let mut methods = Vec::new();
for child in named_children(value) {
if let Some(method) = string_literal_value(child, bytes).and_then(|text| http_method(&text))
{
methods.push(method);
}
}
if methods.is_empty() {
None
} else {
Some(methods)
}
}
fn keyword_argument_string(arguments: Node<'_>, bytes: &[u8], name: &str) -> Option<String> {
let value = keyword_argument_value(arguments, bytes, name)?;
string_literal_value(value, bytes)
}
fn keyword_argument_value<'tree>(
arguments: Node<'tree>,
bytes: &[u8],
name: &str,
) -> Option<Node<'tree>> {
for arg in named_children(arguments) {
if arg.kind() != "keyword_argument" {
continue;
}
let key = arg.child_by_field_name("name")?;
if text(key, bytes) == name {
return arg.child_by_field_name("value");
}
}
None
}
fn http_method(value: &str) -> Option<HttpMethod> {
match value.to_ascii_lowercase().as_str() {
"get" => Some(HttpMethod::Get),
"post" => Some(HttpMethod::Post),
"put" => Some(HttpMethod::Put),
"delete" => Some(HttpMethod::Delete),
"patch" => Some(HttpMethod::Patch),
_ => None,
}
}
fn decorator_expressions(node: Node<'_>) -> Vec<Node<'_>> {
named_children(node)
.into_iter()
.filter(|child| child.kind() == "decorator")
.filter_map(|decorator| named_children(decorator).into_iter().next())
.collect()
}
fn expand_decorator_calls(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
if node.kind() == "call" {
let call = call_site_from_node(node, bytes);
if matches_name(&call.name, "method_decorator")
&& let Some(arguments) = node.child_by_field_name("arguments")
&& let Some(first) = named_children(arguments).first().copied()
{
return vec![call_site_from_node(first, bytes)];
}
return vec![call];
}
vec![call_site_from_node(node, bytes)]
}
fn inject_middleware_auth(
model: &mut AuthorizationModel,
unit_idx: usize,
line: usize,
middleware_calls: &[CallSite],
rules: &AuthAnalysisRules,
) {
let Some(unit) = model.units.get_mut(unit_idx) else {
return;
};
for call in middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
}

211
src/auth_analysis/extract/gin.rs Normal file
View file

@ -0,0 +1,211 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, join_route_paths, member_target, named_children, push_route_registration,
string_literal_value, text, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, CallSite, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::collections::HashMap;
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct GinExtractor;
impl AuthExtractor for GinExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "go"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Gin))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
let mut groups = HashMap::new();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| match node.kind() {
"short_var_declaration" | "assignment_statement" => {
maybe_collect_group_binding(node, bytes, &mut groups)
}
"call_expression" => {
maybe_collect_group_use(node, bytes, &mut groups);
maybe_collect_route(root, node, bytes, path, rules, &groups, &mut model);
}
_ => {}
});
model
}
}
#[derive(Clone, Default)]
struct GroupSpec {
path_prefix: String,
middleware_calls: Vec<CallSite>,
}
fn maybe_collect_group_binding(
node: Node<'_>,
bytes: &[u8],
groups: &mut HashMap<String, GroupSpec>,
) {
let Some(left) = node.child_by_field_name("left") else {
return;
};
let Some(right) = node.child_by_field_name("right") else {
return;
};
let Some(group_call) = named_children(right)
.into_iter()
.find(|child| child.kind() == "call_expression" && is_group_call(*child, bytes))
else {
return;
};
let Some(group_name) = named_children(left)
.into_iter()
.find(|child| child.kind() == "identifier")
.map(|child| text(child, bytes))
else {
return;
};
let Some((base_name, path_prefix, middleware_calls)) = parse_group_call(group_call, bytes)
else {
return;
};
let base = groups.get(&base_name).cloned().unwrap_or_default();
let mut combined = base.middleware_calls;
combined.extend(middleware_calls);
groups.insert(
group_name,
GroupSpec {
path_prefix: join_route_paths(&base.path_prefix, &path_prefix),
middleware_calls: combined,
},
);
}
fn maybe_collect_group_use(node: Node<'_>, bytes: &[u8], groups: &mut HashMap<String, GroupSpec>) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
if method_name != "Use" {
return;
}
let Some(group) = groups.get_mut(&object_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
for arg in named_children(arguments) {
group.middleware_calls.push(call_site_from_node(arg, bytes));
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
groups: &HashMap<String, GroupSpec>,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(path_node) = args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some((handler_idx, handler_expr)) = args
.iter()
.enumerate()
.rev()
.find(|(_, arg)| is_handler_reference(**arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
*handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let mut middleware_calls = groups
.get(&object_name)
.map(|group| group.middleware_calls.clone())
.unwrap_or_default();
for middleware in &args[1..handler_idx] {
middleware_calls.push(call_site_from_node(*middleware, bytes));
}
let path_prefix = groups
.get(&object_name)
.map(|group| group.path_prefix.as_str())
.unwrap_or("");
push_route_registration(
model,
Framework::Gin,
method,
join_route_paths(path_prefix, &route_path),
path,
handler,
middleware_calls,
);
}
fn is_group_call(node: Node<'_>, bytes: &[u8]) -> bool {
node.child_by_field_name("function")
.and_then(|function| member_target(function, bytes))
.is_some_and(|(_, method_name)| method_name == "Group")
}
fn parse_group_call(node: Node<'_>, bytes: &[u8]) -> Option<(String, String, Vec<CallSite>)> {
let function = node.child_by_field_name("function")?;
let (base_name, method_name) = member_target(function, bytes)?;
if method_name != "Group" {
return None;
}
let arguments = node.child_by_field_name("arguments")?;
let args = named_children(arguments);
let path = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
.unwrap_or_default();
let middleware_calls = args[1..]
.iter()
.map(|arg| call_site_from_node(*arg, bytes))
.collect();
Some((base_name, path, middleware_calls))
}

109
src/auth_analysis/extract/koa.rs Normal file
View file

@ -0,0 +1,109 @@
use super::AuthExtractor;
use super::common::{
attach_route_handler, call_site_from_node, collect_top_level_units, http_method_from_name,
is_handler_reference, member_target, named_children, push_route_registration,
string_literal_value, visit_named_nodes,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, Framework};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct KoaExtractor;
impl AuthExtractor for KoaExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
matches!(lang, "javascript" | "typescript")
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Koa))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
visit_named_nodes(root, &mut |node| {
if node.kind() == "call_expression" {
maybe_collect_route(root, node, bytes, path, rules, &mut model);
}
});
model
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(function) = node.child_by_field_name("function") else {
return;
};
let Some((object_name, method_name)) = member_target(function, bytes) else {
return;
};
let Some(method) = http_method_from_name(&method_name) else {
return;
};
if !matches!(object_name.as_str(), "koaRouter" | "router" | "app" | "koa") {
return;
}
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let named_args = named_children(arguments);
let Some(path_node) = named_args.first().copied() else {
return;
};
let Some(route_path) = string_literal_value(path_node, bytes) else {
return;
};
let Some((handler_idx, handler_expr)) = named_args
.iter()
.enumerate()
.rev()
.find(|(_, arg)| is_handler_reference(**arg))
else {
return;
};
let Some(handler) = attach_route_handler(
root,
*handler_expr,
format!("{:?} {}", method, route_path),
bytes,
rules,
model,
) else {
return;
};
let middleware_calls = named_args[1..handler_idx]
.iter()
.map(|middleware| call_site_from_node(*middleware, bytes))
.collect::<Vec<_>>();
push_route_registration(
model,
Framework::Koa,
method,
route_path,
path,
handler,
middleware_calls,
);
}

65
src/auth_analysis/extract/mod.rs Normal file
View file

@ -0,0 +1,65 @@
use super::config::AuthAnalysisRules;
use super::model::AuthorizationModel;
use crate::utils::project::FrameworkContext;
use std::path::Path;
use tree_sitter::Tree;
pub mod actix_web;
pub mod axum;
pub mod common;
pub mod django;
pub mod echo;
pub mod express;
pub mod fastify;
pub mod flask;
pub mod gin;
pub mod koa;
pub mod rails;
pub mod rocket;
pub mod sinatra;
pub mod spring;
pub trait AuthExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool;
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel;
}
pub fn extract_authorization_model(
lang: &str,
framework_ctx: Option<&FrameworkContext>,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let extractors: [&dyn AuthExtractor; 13] = [
&express::ExpressExtractor,
&koa::KoaExtractor,
&fastify::FastifyExtractor,
&gin::GinExtractor,
&echo::EchoExtractor,
&flask::FlaskExtractor,
&django::DjangoExtractor,
&spring::SpringExtractor,
&rails::RailsExtractor,
&sinatra::SinatraExtractor,
&axum::AxumExtractor,
&actix_web::ActixWebExtractor,
&rocket::RocketExtractor,
];
let mut model = AuthorizationModel::default();
for extractor in extractors {
if extractor.supports(lang, framework_ctx) {
model.extend(extractor.extract(tree, bytes, path, rules));
}
}
model
}

335
src/auth_analysis/extract/rails.rs Normal file
View file

@ -0,0 +1,335 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, call_name, call_site_from_node, function_name,
named_children, span, text,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name, strip_quotes};
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod, RouteRegistration,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct RailsExtractor;
impl AuthExtractor for RailsExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "ruby"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Rails))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_nodes(root, &[], bytes, path, rules, &mut model);
model
}
}
#[derive(Clone)]
struct FilterDirective {
call: CallSite,
only: Vec<String>,
except: Vec<String>,
skip: bool,
}
fn collect_nodes(
node: Node<'_>,
namespace: &[String],
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
match node.kind() {
"module" => {
let mut next_namespace = namespace.to_vec();
if let Some(name) = ruby_constant_segments(node.child_by_field_name("name"), bytes) {
next_namespace.extend(name);
}
if let Some(body) = node.child_by_field_name("body") {
collect_nodes(body, &next_namespace, bytes, path, rules, model);
}
}
"class" => {
maybe_collect_controller(node, namespace, bytes, path, rules, model);
}
_ => {
for child in named_children(node) {
collect_nodes(child, namespace, bytes, path, rules, model);
}
}
}
}
fn maybe_collect_controller(
class_node: Node<'_>,
namespace: &[String],
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let Some(name_segments) = ruby_constant_segments(class_node.child_by_field_name("name"), bytes)
else {
return;
};
let Some(class_name) = name_segments.last() else {
return;
};
if !class_name.ends_with("Controller") {
return;
}
let Some(body) = class_node.child_by_field_name("body") else {
return;
};
let mut controller_namespace = namespace.to_vec();
controller_namespace.extend(
name_segments[..name_segments.len().saturating_sub(1)]
.iter()
.cloned(),
);
let controller_segment = underscore_segment(class_name.trim_end_matches("Controller"));
let filter_directives = class_filter_directives(body, bytes);
let controller_name = format!(
"{}{}",
if controller_namespace.is_empty() {
String::new()
} else {
format!("{}::", controller_namespace.join("::"))
},
class_name
);
for child in named_children(body) {
if child.kind() != "method" {
continue;
}
let Some(action_name) = function_name(child, bytes) else {
continue;
};
if action_name.is_empty() || action_name.ends_with('=') {
continue;
}
let unit_idx = model.units.len();
let route_name = format!("{controller_name}#{action_name}");
let mut unit = build_function_unit(
child,
AnalysisUnitKind::RouteHandler,
Some(route_name.clone()),
bytes,
rules,
);
let handler_span = span(child);
let handler_params = unit.params.clone();
let line = child.start_position().row + 1;
let middleware_calls = applicable_filters(&filter_directives, &action_name);
for call in &middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
model.units.push(unit);
let mut route_segments = controller_namespace
.iter()
.map(|segment| underscore_segment(segment))
.collect::<Vec<_>>();
route_segments.push(controller_segment.clone());
route_segments.push(underscore_segment(&action_name));
let route_path = format!("/{}", route_segments.join("/"));
model.routes.push(RouteRegistration {
framework: Framework::Rails,
method: infer_action_method(&action_name),
path: route_path,
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span,
handler_params,
file: path.to_path_buf(),
line,
unit_idx,
middleware_calls,
});
}
}
fn class_filter_directives(body: Node<'_>, bytes: &[u8]) -> Vec<FilterDirective> {
let mut filters = Vec::new();
for child in named_children(body) {
if child.kind() != "call" {
continue;
}
let callee = call_name(child, bytes);
let directive_name = callee.rsplit('.').next().unwrap_or(&callee);
if !matches_name(directive_name, "before_action")
&& !matches_name(directive_name, "prepend_before_action")
&& !matches_name(directive_name, "skip_before_action")
{
continue;
}
filters.extend(parse_filter_directive(
child,
bytes,
matches_name(directive_name, "skip_before_action"),
));
}
filters
}
fn parse_filter_directive(node: Node<'_>, bytes: &[u8], skip: bool) -> Vec<FilterDirective> {
let Some(arguments) = node.child_by_field_name("arguments") else {
return Vec::new();
};
let args = named_children(arguments);
if args.is_empty() {
return Vec::new();
}
let mut filters = Vec::new();
let mut only = Vec::new();
let mut except = Vec::new();
for arg in &args {
if arg.kind() == "pair" {
let key = text(arg.child_by_field_name("key").unwrap_or(*arg), bytes);
let normalized = strip_quotes(&key).trim_start_matches(':').to_string();
let value = arg.child_by_field_name("value").unwrap_or(*arg);
if normalized == "only" {
only = symbol_list(value, bytes);
} else if normalized == "except" {
except = symbol_list(value, bytes);
}
continue;
}
filters.extend(filter_calls_from_arg(*arg, bytes));
}
filters
.into_iter()
.map(|call| FilterDirective {
call,
only: only.clone(),
except: except.clone(),
skip,
})
.collect()
}
fn filter_calls_from_arg(node: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
match node.kind() {
"simple_symbol" | "hash_key_symbol" | "identifier" => vec![CallSite {
name: strip_quotes(&text(node, bytes))
.trim_start_matches(':')
.to_string(),
args: Vec::new(),
span: span(node),
args_value_refs: Vec::new(),
}],
"array" => named_children(node)
.into_iter()
.flat_map(|child| filter_calls_from_arg(child, bytes))
.collect(),
_ => {
let call = call_site_from_node(node, bytes);
if call.name.is_empty() {
Vec::new()
} else {
vec![call]
}
}
}
}
fn applicable_filters(filters: &[FilterDirective], action: &str) -> Vec<CallSite> {
let mut middleware = Vec::new();
for filter in filters {
if !filter_applies(filter, action) {
continue;
}
if filter.skip {
middleware.retain(|existing: &CallSite| existing.name != filter.call.name);
} else if !middleware
.iter()
.any(|existing: &CallSite| existing.name == filter.call.name)
{
middleware.push(filter.call.clone());
}
}
middleware
}
fn filter_applies(filter: &FilterDirective, action: &str) -> bool {
(filter.only.is_empty() || filter.only.iter().any(|name| name == action))
&& !filter.except.iter().any(|name| name == action)
}
fn symbol_list(node: Node<'_>, bytes: &[u8]) -> Vec<String> {
match node.kind() {
"simple_symbol" | "hash_key_symbol" | "identifier" | "string" => vec![
strip_quotes(&text(node, bytes))
.trim_start_matches(':')
.to_string(),
],
"array" => named_children(node)
.into_iter()
.flat_map(|child| symbol_list(child, bytes))
.collect(),
_ => Vec::new(),
}
}
fn ruby_constant_segments(node: Option<Node<'_>>, bytes: &[u8]) -> Option<Vec<String>> {
let node = node?;
let value = text(node, bytes);
if value.is_empty() {
return None;
}
Some(
value
.split("::")
.map(|segment| segment.trim().to_string())
.filter(|segment| !segment.is_empty())
.collect(),
)
}
fn infer_action_method(action: &str) -> HttpMethod {
match action {
"index" | "show" | "new" | "edit" => HttpMethod::Get,
"create" => HttpMethod::Post,
"update" => HttpMethod::Patch,
"destroy" => HttpMethod::Delete,
_ => HttpMethod::All,
}
}
fn underscore_segment(value: &str) -> String {
let mut out = String::new();
for (idx, ch) in value.chars().enumerate() {
if ch.is_ascii_uppercase() {
if idx > 0 && !out.ends_with('_') {
out.push('_');
}
out.push(ch.to_ascii_lowercase());
} else if ch.is_ascii_alphanumeric() {
out.push(ch.to_ascii_lowercase());
} else if !out.ends_with('_') {
out.push('_');
}
}
out.trim_matches('_').to_string()
}

145
src/auth_analysis/extract/rocket.rs Normal file
View file

@ -0,0 +1,145 @@
use super::AuthExtractor;
use super::axum::{
GuardFramework, apply_aliases, dedup_call_sites, guard_calls_for_handler, inject_guard_checks,
rust_param_aliases,
};
use super::common::{
attach_route_handler, collect_top_level_units, function_definition_node, function_name,
named_children, text,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{AuthorizationModel, Framework, HttpMethod, RouteRegistration};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct RocketExtractor;
impl AuthExtractor for RocketExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "rust"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Rocket))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
collect_handlers(root, root, bytes, path, rules, &mut model);
model
}
}
fn collect_handlers(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "function_item" {
maybe_collect_route(root, node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_handlers(root, child, bytes, path, rules, model);
}
}
fn maybe_collect_route(
root: Node<'_>,
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let route_attrs = route_attributes(node, bytes);
if route_attrs.is_empty() {
return;
}
for (method, route_path) in route_attrs {
let Some(handler) = attach_route_handler(
root,
node,
format!(
"{:?} {}",
method,
function_name(function_definition_node(node), bytes)
.unwrap_or_else(|| "rocket_handler".to_string())
),
bytes,
rules,
model,
) else {
continue;
};
let mut middleware_calls =
guard_calls_for_handler(node, &route_path, bytes, GuardFramework::Rocket);
dedup_call_sites(&mut middleware_calls);
if let Some(unit) = model.units.get_mut(handler.unit_idx) {
let aliases = rust_param_aliases(node, &route_path, bytes, GuardFramework::Rocket);
apply_aliases(unit, &aliases);
inject_guard_checks(unit, &middleware_calls, rules);
}
model.routes.push(RouteRegistration {
framework: Framework::Rocket,
method,
path: route_path,
middleware: middleware_calls
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span: handler.span,
handler_params: handler.params,
file: path.to_path_buf(),
line: handler.line,
unit_idx: handler.unit_idx,
middleware_calls,
});
}
}
fn route_attributes(node: Node<'_>, bytes: &[u8]) -> Vec<(HttpMethod, String)> {
text(node, bytes)
.lines()
.map(str::trim)
.take_while(|line| line.starts_with("#["))
.filter_map(parse_route_attribute)
.collect()
}
fn parse_route_attribute(line: &str) -> Option<(HttpMethod, String)> {
let method = if line.starts_with("#[get") {
HttpMethod::Get
} else if line.starts_with("#[post") {
HttpMethod::Post
} else if line.starts_with("#[put") {
HttpMethod::Put
} else if line.starts_with("#[delete") {
HttpMethod::Delete
} else if line.starts_with("#[patch") {
HttpMethod::Patch
} else {
return None;
};
let start = line.find('"')?;
let rest = &line[start + 1..];
let end = rest.find('"')?;
Some((method, rest[..end].to_string()))
}

157
src/auth_analysis/extract/sinatra.rs Normal file
View file

@ -0,0 +1,157 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, call_name, call_site_from_node,
collect_top_level_units, named_children, span, string_literal_value,
};
use crate::auth_analysis::config::{AuthAnalysisRules, matches_name};
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod, RouteRegistration,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct SinatraExtractor;
impl AuthExtractor for SinatraExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "ruby"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Sinatra))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_top_level_units(root, bytes, rules, &mut model);
let before_filters = collect_before_filters(root, bytes);
collect_routes(root, bytes, path, rules, &before_filters, &mut model);
model
}
}
fn collect_before_filters(root: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let mut filters = Vec::new();
for child in named_children(root) {
if child.kind() != "call" {
continue;
}
let callee = call_name(child, bytes);
let target = callee.rsplit('.').next().unwrap_or(&callee);
if !matches_name(target, "before") {
continue;
}
if let Some(block) = child_block(child) {
filters.extend(call_sites_in_block(block, bytes));
}
}
filters
}
fn collect_routes(
root: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
before_filters: &[CallSite],
model: &mut AuthorizationModel,
) {
for child in named_children(root) {
if child.kind() != "call" {
continue;
}
maybe_collect_route(child, bytes, path, rules, before_filters, model);
}
}
fn maybe_collect_route(
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
before_filters: &[CallSite],
model: &mut AuthorizationModel,
) {
let callee = call_name(node, bytes);
let route_name = callee.rsplit('.').next().unwrap_or(&callee);
let method = match route_name.to_ascii_lowercase().as_str() {
"get" => HttpMethod::Get,
"post" => HttpMethod::Post,
"put" => HttpMethod::Put,
"delete" => HttpMethod::Delete,
"patch" => HttpMethod::Patch,
_ => return,
};
let Some(arguments) = node.child_by_field_name("arguments") else {
return;
};
let args = named_children(arguments);
let Some(route_path) = args
.first()
.and_then(|arg| string_literal_value(*arg, bytes))
else {
return;
};
let Some(block) = child_block(node) else {
return;
};
let unit_idx = model.units.len();
let mut unit = build_function_unit(
block,
AnalysisUnitKind::RouteHandler,
Some(format!("{:?} {}", method, route_path)),
bytes,
rules,
);
let line = block.start_position().row + 1;
for call in before_filters {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
let handler_span = span(block);
let handler_params = unit.params.clone();
model.units.push(unit);
model.routes.push(RouteRegistration {
framework: Framework::Sinatra,
method,
path: route_path,
middleware: before_filters
.iter()
.map(|call| call.name.clone())
.collect(),
handler_span,
handler_params,
file: path.to_path_buf(),
line,
unit_idx,
middleware_calls: before_filters.to_vec(),
});
}
fn child_block(node: Node<'_>) -> Option<Node<'_>> {
named_children(node)
.into_iter()
.find(|child| matches!(child.kind(), "block" | "do_block"))
}
fn call_sites_in_block(block: Node<'_>, bytes: &[u8]) -> Vec<CallSite> {
let Some(body) = block.child_by_field_name("body") else {
return Vec::new();
};
named_children(body)
.into_iter()
.filter(|child| child.kind() == "call")
.map(|child| call_site_from_node(child, bytes))
.filter(|call| !call.name.is_empty())
.collect()
}

326
src/auth_analysis/extract/spring.rs Normal file
View file

@ -0,0 +1,326 @@
use super::AuthExtractor;
use super::common::{
auth_check_from_call_site, build_function_unit, function_name, join_route_paths,
named_children, push_route_registration, span, text,
};
use crate::auth_analysis::config::AuthAnalysisRules;
use crate::auth_analysis::model::{
AnalysisUnitKind, AuthorizationModel, CallSite, Framework, HttpMethod,
};
use crate::utils::project::{DetectedFramework, FrameworkContext};
use std::path::Path;
use tree_sitter::{Node, Tree};
pub struct SpringExtractor;
impl AuthExtractor for SpringExtractor {
fn supports(&self, lang: &str, framework_ctx: Option<&FrameworkContext>) -> bool {
lang == "java"
&& framework_ctx
.is_none_or(|ctx| ctx.frameworks.is_empty() || ctx.has(DetectedFramework::Spring))
}
fn extract(
&self,
tree: &Tree,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
) -> AuthorizationModel {
let root = tree.root_node();
let mut model = AuthorizationModel::default();
collect_classes(root, bytes, path, rules, &mut model);
model
}
}
#[derive(Clone)]
struct SpringRouteSpec {
method: HttpMethod,
path: String,
}
fn collect_classes(
node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
if node.kind() == "class_declaration" {
maybe_collect_controller(node, bytes, path, rules, model);
}
for child in named_children(node) {
collect_classes(child, bytes, path, rules, model);
}
}
fn maybe_collect_controller(
class_node: Node<'_>,
bytes: &[u8],
path: &Path,
rules: &AuthAnalysisRules,
model: &mut AuthorizationModel,
) {
let class_annotations = annotation_lines(class_node, bytes);
if !class_annotations.iter().any(|annotation| {
annotation.starts_with("@Controller") || annotation.starts_with("@RestController")
}) {
return;
}
let class_name = class_node
.child_by_field_name("name")
.map(|name| text(name, bytes))
.unwrap_or_else(|| "SpringController".to_string());
let class_path = class_request_path(&class_annotations);
let class_security = parse_security_annotations(&class_annotations, span(class_node));
let Some(body) = class_node.child_by_field_name("body") else {
return;
};
for child in named_children(body) {
if child.kind() != "method_declaration" {
continue;
}
let method_annotations = annotation_lines(child, bytes);
let route_specs = parse_route_annotations(&method_annotations);
if route_specs.is_empty() {
continue;
}
let mut middleware_calls = class_security.clone();
middleware_calls.extend(parse_security_annotations(&method_annotations, span(child)));
let route_name = format!(
"{class_name}.{}",
function_name(child, bytes).unwrap_or_else(|| "handler".to_string())
);
let line = child.start_position().row + 1;
for spec in route_specs {
let unit_idx = model.units.len();
let mut unit = build_function_unit(
child,
AnalysisUnitKind::RouteHandler,
Some(route_name.clone()),
bytes,
rules,
);
for call in &middleware_calls {
if let Some(check) = auth_check_from_call_site(call, line, rules) {
unit.auth_checks.push(check);
}
}
let handler_span = span(child);
let handler_params = unit.params.clone();
model.units.push(unit);
push_route_registration(
model,
Framework::Spring,
spec.method,
join_route_paths(&class_path, &spec.path),
path,
super::common::ResolvedHandler {
unit_idx,
span: handler_span,
params: handler_params,
line,
},
middleware_calls.clone(),
);
}
}
}
fn annotation_lines(node: Node<'_>, bytes: &[u8]) -> Vec<String> {
text(node, bytes)
.lines()
.map(str::trim)
.take_while(|line| line.starts_with('@'))
.map(|line| line.to_string())
.collect()
}
fn class_request_path(annotations: &[String]) -> String {
annotations
.iter()
.find(|annotation| annotation.starts_with("@RequestMapping"))
.and_then(|annotation| annotation_path(annotation))
.unwrap_or_default()
}
fn parse_route_annotations(annotations: &[String]) -> Vec<SpringRouteSpec> {
let mut specs = Vec::new();
for annotation in annotations {
let annotation = annotation.as_str();
let method = if annotation.starts_with("@GetMapping") {
Some(vec![HttpMethod::Get])
} else if annotation.starts_with("@PostMapping") {
Some(vec![HttpMethod::Post])
} else if annotation.starts_with("@PutMapping") {
Some(vec![HttpMethod::Put])
} else if annotation.starts_with("@DeleteMapping") {
Some(vec![HttpMethod::Delete])
} else if annotation.starts_with("@PatchMapping") {
Some(vec![HttpMethod::Patch])
} else if annotation.starts_with("@RequestMapping") {
Some(request_mapping_methods(annotation))
} else {
None
};
let Some(methods) = method else {
continue;
};
let path = annotation_path(annotation).unwrap_or_default();
specs.extend(methods.into_iter().map(|method| SpringRouteSpec {
method,
path: path.clone(),
}));
}
specs
}
fn request_mapping_methods(annotation: &str) -> Vec<HttpMethod> {
let mut methods = Vec::new();
for (needle, method) in [
("RequestMethod.GET", HttpMethod::Get),
("RequestMethod.POST", HttpMethod::Post),
("RequestMethod.PUT", HttpMethod::Put),
("RequestMethod.DELETE", HttpMethod::Delete),
("RequestMethod.PATCH", HttpMethod::Patch),
] {
if annotation.contains(needle) {
methods.push(method);
}
}
if methods.is_empty() {
methods.push(HttpMethod::All);
}
methods
}
fn annotation_path(annotation: &str) -> Option<String> {
quoted_strings(annotation).into_iter().next()
}
fn parse_security_annotations(annotations: &[String], span: (usize, usize)) -> Vec<CallSite> {
let mut calls = Vec::new();
for annotation in annotations {
if annotation.starts_with("@RolesAllowed") {
calls.push(CallSite {
name: "RolesAllowed".to_string(),
args: quoted_strings(annotation),
span,
args_value_refs: Vec::new(),
});
} else if annotation.starts_with("@Secured") {
calls.push(CallSite {
name: "Secured".to_string(),
args: quoted_strings(annotation),
span,
args_value_refs: Vec::new(),
});
} else if annotation.starts_with("@PreAuthorize")
|| annotation.starts_with("@PostAuthorize")
{
let Some(expression) = quoted_strings(annotation).into_iter().next() else {
continue;
};
if expression.contains("isAuthenticated") {
calls.push(CallSite {
name: "isAuthenticated".to_string(),
args: vec![expression.clone()],
span,
args_value_refs: Vec::new(),
});
}
if let Some((name, args)) = parse_expression_call(&expression) {
calls.push(CallSite {
name,
args,
span,
args_value_refs: Vec::new(),
});
}
}
}
calls
}
fn parse_expression_call(expression: &str) -> Option<(String, Vec<String>)> {
for candidate in ["hasRole", "hasAuthority"] {
if let Some(args) = named_call_args(expression, candidate) {
return Some((candidate.to_string(), args));
}
}
let open_idx = expression.find('(')?;
let close_idx = expression.rfind(')')?;
if close_idx <= open_idx {
return None;
}
let prefix = expression[..open_idx].trim();
let name = prefix
.trim_start_matches('@')
.rsplit('.')
.next()
.unwrap_or(prefix)
.trim();
if name.is_empty() {
return None;
}
let args = expression[open_idx + 1..close_idx]
.split(',')
.map(str::trim)
.filter(|arg| !arg.is_empty())
.map(|arg| arg.to_string())
.collect::<Vec<_>>();
Some((name.to_string(), args))
}
fn named_call_args(expression: &str, name: &str) -> Option<Vec<String>> {
let needle = format!("{name}(");
let start = expression.find(&needle)?;
let args = &expression[start + needle.len()..];
let end = args.find(')')?;
let values = args[..end]
.split(',')
.map(|arg| arg.trim().trim_matches('\'').trim_matches('"'))
.filter(|arg| !arg.is_empty())
.map(|arg| arg.to_string())
.collect::<Vec<_>>();
Some(values)
}
fn quoted_strings(input: &str) -> Vec<String> {
let mut out = Vec::new();
let mut current = String::new();
let mut quote = None;
for ch in input.chars() {
match quote {
Some(active) if ch == active => {
out.push(current.clone());
current.clear();
quote = None;
}
Some(_) => current.push(ch),
None if ch == '\'' || ch == '"' => {
quote = Some(ch);
}
None => {}
}
}
out
}