Documentation
Index
- Variables
- func DecodeString(in string) string
- func MaybeURL(in string) bool
- func PrintTree(source []byte) string
- type Analyzer
- func (a *Analyzer) AddSecretMatcher(s SecretMatcher)
- func (a *Analyzer) AddSecretMatchers(ss []SecretMatcher)
- func (a *Analyzer) AddURLMatcher(u URLMatcher)
- func (a *Analyzer) DisableDefaultURLMatchers()
- func (a *Analyzer) GetSecrets() []*Secret
- func (a *Analyzer) GetURLs() []*URL
- func (a *Analyzer) Query(q string, fn func(*Node))
- func (a *Analyzer) QueryMulti(q string, fn func(QueryResult))
- func (a *Analyzer) RootNode() *Node
- type Node
- func (n *Node) AsArray() []any
- func (n *Node) AsGoType() any
- func (n *Node) AsMap() map[string]any
- func (n *Node) AsNumber() any
- func (n *Node) AsObject() Object
- func (n *Node) CaptureName() string
- func (n *Node) Child(index int) *Node
- func (n *Node) ChildByFieldName(name string) *Node
- func (n *Node) ChildCount() int
- func (n *Node) Children() []*Node
- func (n *Node) CollapsedString() string
- func (n *Node) Content() string
- func (n *Node) DecodedString() string
- func (n *Node) ForEachChild(fn func(*Node))
- func (n *Node) ForEachNamedChild(fn func(*Node))
- func (n *Node) Format() (string, error)
- func (n *Node) IsNamed() bool
- func (n *Node) IsStringy() bool
- func (n *Node) IsValid() bool
- func (n *Node) NamedChild(index int) *Node
- func (n *Node) NamedChildCount() int
- func (n *Node) NamedChildren() []*Node
- func (n *Node) NextNamedSibling() *Node
- func (n *Node) NextSibling() *Node
- func (n *Node) Parent() *Node
- func (n *Node) PrevNamedSibling() *Node
- func (n *Node) PrevSibling() *Node
- func (n *Node) Query(query string, fn func(*Node))
- func (n *Node) QueryMulti(query string, fn func(QueryResult))
- func (n *Node) RawString() string
- func (n *Node) Type() string
- type Object
- func (o Object) AsMap() map[string]string
- func (o Object) GetKeys() []string
- func (o Object) GetNode(key string) *Node
- func (o Object) GetNodeFunc(fn func(key string) bool) *Node
- func (o Object) GetNodeI(key string) *Node
- func (o Object) GetObject(key string) Object
- func (o Object) GetString(key, defaultVal string) string
- func (o Object) GetStringI(key, defaultVal string) string
- func (o Object) HasValidNode() bool
- type QueryResult
- type Secret
- type SecretMatcher
- type Severity
- type URL
- type URLMatcher
- type UserPattern
- type UserPatterns
Constants
This section is empty.
Variables
var ExpressionPlaceholder = "EXPR"
ExpressionPlaceholder is the string used to replace any expressions when string concatenations are collapsed. E.g.:
"prefix" + someVar + "suffix"
Would become:
prefixEXPRsuffix
Functions
func DecodeString
func DecodeString(in string) string
DecodeString accepts a raw string as it might be found in some JavaScript source code, and converts any escape sequences. E.g.:
foo\x3dbar -> foo=bar // Hex escapes
foo\u003Dbar -> foo=bar // Unicode escapes
foo\u{003D}bar -> foo=bar // Braced unicode escapes
foo\075bar -> foo=bar // Octal escape
foo\"bar -> foo"bar // Single character escapes
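As an added illustration (not jsluice's own DecodeString implementation), the following decodes the escape forms listed above and shows why a secret scanner must match against decoded strings: a key spread across hex, unicode and octal escapes never matches the raw literal. The names escRe, DecodeJSString and FindAWSKeys are hypothetical, the key pattern is an illustrative AKIA shape, and the sample value is AWS's published example key ID.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// escRe matches one escape at a time: \xHH, \uHHHH, \u{H..H}, a legacy octal escape
// (three digits only when the value fits in \377), or a backslash plus any single
// character. Alternatives are tried left to right, so \u{41} is not read as \uHHHH.
var escRe = regexp.MustCompile(`\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|u\{[0-9a-fA-F]{1,6}\}|[0-3][0-7]{0,2}|[4-7][0-7]?|.)`)

// DecodeJSString resolves every escape sequence in the body of a JavaScript string
// literal. A malformed escape such as \x3 (too few digits) falls through to the
// single-character rule and decodes to the character after the backslash.
func DecodeJSString(in string) string {
	return escRe.ReplaceAllStringFunc(in, func(m string) string {
		body := m[1:] // drop the backslash
		switch {
		case body[0] == 'x' || body[0] == 'u':
			v, _ := strconv.ParseUint(strings.Trim(body[1:], "{}"), 16, 32)
			return string(rune(v)) // code points beyond U+10FFFF become U+FFFD
		case body[0] >= '0' && body[0] <= '7':
			v, _ := strconv.ParseUint(body, 8, 16)
			return string(rune(v))
		}
		if i := strings.IndexByte("ntrbfv", body[0]); i >= 0 {
			return "\n\t\r\b\f\v"[i : i+1]
		}
		return body // \" -> ", \' -> ', \\ -> \, and any other character stands for itself
	})
}

// awsKeyRe is an illustrative pattern for the shape of an AWS access key ID (assumption).
var awsKeyRe = regexp.MustCompile(`AKIA[0-9A-Z]{16}`)

// FindAWSKeys scans the decoded literal, so a key split across escapes is still found;
// running the same pattern over the raw literal would miss it.
func FindAWSKeys(rawLiteral string) []string {
	return awsKeyRe.FindAllString(DecodeJSString(rawLiteral), -1)
}

func main() {
	// Constructed sample: the key is hidden behind hex, unicode and octal escapes.
	raw := `secret\x3d\u0041\u{4b}IA\111OSFODNN7EXAMPLE`
	fmt.Println(DecodeJSString(raw), FindAWSKeys(raw)) // secret=AKIAIOSFODNN7EXAMPLE [AKIAIOSFODNN7EXAMPLE]
}
```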
Types
type Analyzer
type Analyzer struct {
// contains filtered or unexported fields
}
Analyzer could be considered the core type of jsluice. It wraps the parse tree for a JavaScript file and provides mechanisms to extract URLs, secrets, etc.
func NewAnalyzer
NewAnalyzer accepts a slice of bytes representing some JavaScript source code and returns a pointer to a new Analyzer.
func (*Analyzer) AddSecretMatcher
func (a *Analyzer) AddSecretMatcher(s SecretMatcher)
AddSecretMatcher allows custom SecretMatchers to be added to the Analyzer.
func (*Analyzer) AddSecretMatchers
func (a *Analyzer) AddSecretMatchers(ss []SecretMatcher)
AddSecretMatchers allows multiple custom SecretMatchers to be added to the Analyzer.
func (*Analyzer) AddURLMatcher
func (a *Analyzer) AddURLMatcher(u URLMatcher)
AddURLMatcher allows custom URLMatchers to be added to the Analyzer.
func (*Analyzer) DisableDefaultURLMatchers
func (a *Analyzer) DisableDefaultURLMatchers()
DisableDefaultURLMatchers disables the default URLMatchers, so that only user-added URLMatchers are used.
func (*Analyzer) GetSecrets
func (a *Analyzer) GetSecrets() []*Secret
GetSecrets uses the parse tree and a set of Matchers (those provided by AllSecretMatchers()) to find secrets in JavaScript source code.
func (*Analyzer) GetURLs
func (a *Analyzer) GetURLs() []*URL
GetURLs searches the JavaScript source code for absolute and relative URLs and returns a slice of results.
func (*Analyzer) Query
func (a *Analyzer) Query(q string, fn func(*Node))
Query performs a tree-sitter query on the JavaScript being analyzed. The provided function is called once for every node captured by the query. See https://tree-sitter.github.io/tree-sitter/using-parsers#query-syntax for details on query syntax.
func (*Analyzer) QueryMulti
func (a *Analyzer) QueryMulti(q string, fn func(QueryResult))
QueryMulti performs a tree-sitter query on the JavaScript being analyzed. The provided function is called once for every query match, with the captured nodes grouped into a QueryResult. See https://tree-sitter.github.io/tree-sitter/using-parsers#query-syntax for details on query syntax.
type Node
type Node struct {
// contains filtered or unexported fields
}
Node is a wrapper around a tree-sitter node. It serves as an attachment point for convenience methods, and also to store the raw JavaScript source that is a required argument for many tree-sitter functions.
func NewNode
NewNode creates a new Node for the provided tree-sitter node and a byte-slice containing the JavaScript source. The source provided should be the complete source code and not just the source for the node in question.
func (*Node) AsGoType
func (n *Node) AsGoType() any
AsGoType returns a representation of a Node as a native Go type, defaulting to a string containing the JavaScript source for the Node. Return types are:
string => string
number => int, float64
object => map[string]any
array => []any
false => false
true => true
null => nil
other => string
func (*Node) AsNumber
func (n *Node) AsNumber() any
AsNumber returns a representation of the Node as an int or float64.
Note: hex, octal, etc. number formats are currently unsupported.
func (*Node) AsObject
func (n *Node) AsObject() Object
AsObject returns a Node as jsluice's internal object type, to allow the fetching of keys, etc.
func (*Node) CaptureName
func (n *Node) CaptureName() string
CaptureName returns the name given to a node in a query if one exists, and an empty string otherwise.
func (*Node) ChildByFieldName
func (n *Node) ChildByFieldName(name string) *Node
ChildByFieldName fetches a child Node from a named field. For example, the 'pair' node has two fields: key and value.
func (*Node) ChildCount
func (n *Node) ChildCount() int
ChildCount returns the number of children a node has.
func (*Node) CollapsedString
func (n *Node) CollapsedString() string
CollapsedString takes a node representing a URL and attempts to make it at least somewhat easily parseable. It's common to build URLs out of variables and function calls, so we want to turn something like:
'./upload.php?profile='+res.id+'&show='+$('.participate_modal_container').attr('data-val')
Into something more like:
./upload.php?profile=EXPR&show=EXPR
The value of ExpressionPlaceholder is used as a placeholder, defaulting to 'EXPR'.
func (*Node) DecodedString
func (n *Node) DecodedString() string
DecodedString returns a fully decoded version of a JavaScript string. It is just a convenience wrapper around the DecodeString function.
func (*Node) ForEachChild
func (n *Node) ForEachChild(fn func(*Node))
ForEachChild iterates over a node's children in a depth-first manner, calling the supplied function for each node.
func (*Node) ForEachNamedChild
func (n *Node) ForEachNamedChild(fn func(*Node))
ForEachNamedChild iterates over a node's named children in a depth-first manner, calling the supplied function for each node.
func (*Node) Format
func (n *Node) Format() (string, error)
Format outputs a nicely formatted version of the source code for the Node. Formatting is done by https://github.com/ditashi/jsbeautifier-go/
func (*Node) IsStringy
func (n *Node) IsStringy() bool
IsStringy returns true if a Node is a string or is an expression starting with a string (e.g. a string concatenation expression).
func (*Node) IsValid
func (n *Node) IsValid() bool
IsValid returns true if the *Node and the underlying tree-sitter node are both not nil.
func (*Node) NamedChild
func (n *Node) NamedChild(index int) *Node
NamedChild returns the 'named' child Node at the provided index. Tree-sitter considers a child to be named if it has a name in the syntax tree. Things like brackets are not named, but things like variables and function calls are named. See https://tree-sitter.github.io/tree-sitter/using-parsers#named-vs-anonymous-nodes for more details.
func (*Node) NamedChildCount
func (n *Node) NamedChildCount() int
NamedChildCount returns the number of named children a Node has.
func (*Node) NamedChildren
func (n *Node) NamedChildren() []*Node
NamedChildren returns a slice of *Node containing all named children for a node.
func (*Node) NextNamedSibling
func (n *Node) NextNamedSibling() *Node
NextNamedSibling returns the next named sibling in the tree.
func (*Node) NextSibling
func (n *Node) NextSibling() *Node
NextSibling returns the next sibling in the tree.
func (*Node) PrevNamedSibling
func (n *Node) PrevNamedSibling() *Node
PrevNamedSibling returns the previous named sibling in the tree.
func (*Node) PrevSibling
func (n *Node) PrevSibling() *Node
PrevSibling returns the previous sibling in the tree.
func (*Node) Query
func (n *Node) Query(query string, fn func(*Node))
Query executes a tree-sitter query on a specific Node. Nodes captured by the query are passed one at a time to the provided callback function.
See https://tree-sitter.github.io/tree-sitter/using-parsers#pattern-matching-with-queries for query syntax documentation.
func (*Node) QueryMulti
func (n *Node) QueryMulti(query string, fn func(QueryResult))
QueryMulti executes a tree-sitter query on a specific Node. Nodes captured by the query are grouped into a QueryResult and passed to the provided callback function.
See https://tree-sitter.github.io/tree-sitter/using-parsers#pattern-matching-with-queries for query syntax documentation.
type Object
type Object struct {
// contains filtered or unexported fields
}
Object is a wrapper around a Node that contains a JS Object. It has convenience methods to find properties of the object, convert it to other types, etc.
func (Object) GetNodeFunc
func (o Object) GetNodeFunc(fn func(key string) bool) *Node
GetNodeFunc is a general-purpose method for finding object properties by their key. The provided function is called with each key in turn. The first time that function returns true, the corresponding *Node for that key is returned.
func (Object) GetObject
func (o Object) GetObject(key string) Object
GetObject returns the property corresponding to the provided key as an Object.
func (Object) GetString
func (o Object) GetString(key, defaultVal string) string
GetString returns the property corresponding to the provided key as a string, or the defaultVal if the key is not found.
func (Object) GetStringI
func (o Object) GetStringI(key, defaultVal string) string
GetStringI is like GetString, but the key is case-insensitive.
func (Object) HasValidNode
func (o Object) HasValidNode() bool
HasValidNode returns true if the underlying node is a valid JavaScript object.
type QueryResult
QueryResult is a map of capture names to the corresponding nodes that they matched.
func NewQueryResult
func NewQueryResult(nodes ...*Node) QueryResult
NewQueryResult returns a QueryResult containing the provided *Nodes.
func (QueryResult) Add
func (qr QueryResult) Add(n *Node)
Add accepts a *Node and adds it to the QueryResult, provided it has a valid CaptureName.
func (QueryResult) Get
func (qr QueryResult) Get(captureName string) *Node
Get returns the corresponding *Node for the provided capture name, or nil if no such *Node exists.
func (QueryResult) Has
func (qr QueryResult) Has(captureName string) bool
Has returns true if the QueryResult contains a *Node for the provided capture name.
type Secret
type Secret struct {
	Kind     string   `json:"kind"`
	Data     any      `json:"data"`
	Filename string   `json:"filename,omitempty"`
	Severity Severity `json:"severity"`
	Context  any      `json:"context"`
}
A Secret represents any secret or otherwise interesting data found within a JavaScript file, e.g. an AWS access key.
type SecretMatcher
A SecretMatcher is a tree-sitter query to find relevant nodes in the parse tree, and a function to inspect those nodes, returning any Secret that is found.
func AllSecretMatchers
func AllSecretMatchers() []SecretMatcher
AllSecretMatchers returns the default list of SecretMatchers.
type URL
type URL struct {
	URL         string            `json:"url"`
	QueryParams []string          `json:"queryParams"`
	BodyParams  []string          `json:"bodyParams"`
	Method      string            `json:"method"`
	Headers     map[string]string `json:"headers,omitempty"`
	ContentType string            `json:"contentType,omitempty"`
	// some description like locationAssignment, fetch, $.post or something like that
	Type string `json:"type"`
	// full source/content of the node; is optional
	Source string `json:"source,omitempty"`
	// the filename in which the match was found
	Filename string `json:"filename,omitempty"`
}
A URL is any URL found in the source code, with accompanying details.
type URLMatcher
A URLMatcher has a type of thing it matches against (e.g. assignment_expression), and a function to actually do the matching and produce the *URL.
func AllURLMatchers
func AllURLMatchers() []URLMatcher
AllURLMatchers returns the default list of URLMatchers.
type UserPattern
type UserPattern struct {
	Name     string         `json:"name"`
	Key      string         `json:"key"`
	Value    string         `json:"value"`
	Severity Severity       `json:"severity"`
	Object   []*UserPattern `json:"object"`
	// contains filtered or unexported fields
}
A UserPattern represents a pattern that was provided by a user when using the command-line tool. When using the package directly, a SecretMatcher can be created directly instead of creating a UserPattern.
func (*UserPattern) MatchKey
func (u *UserPattern) MatchKey(in string) bool
MatchKey returns true if a pattern's key regex matches the supplied value, or if there is no key regex.
func (*UserPattern) MatchValue
func (u *UserPattern) MatchValue(in string) bool
MatchValue returns true if a pattern's value regex matches the supplied value, or if there is no value regex.
func (*UserPattern) ParseRegex
func (u *UserPattern) ParseRegex() error
ParseRegex parses all of the user-provided regular expressions for a pattern into Go *regexp.Regexp types.
func (*UserPattern) SecretMatcher
func (u *UserPattern) SecretMatcher() SecretMatcher
SecretMatcher returns a SecretMatcher based on the UserPattern, for use with (*Analyzer).AddSecretMatcher().
type UserPatterns
type UserPatterns []*UserPattern
UserPatterns is an alias for a slice of *UserPattern.
func ParseUserPatterns
func ParseUserPatterns(r io.Reader) (UserPatterns, error)
ParseUserPatterns accepts an io.Reader pointing to a JSON user-pattern definition file, and returns a list of UserPatterns and any error that occurred.
func (UserPatterns) SecretMatchers
func (u UserPatterns) SecretMatchers() []SecretMatcher
SecretMatchers returns a slice of SecretMatcher for use with (*Analyzer).AddSecretMatchers().