Merge pull request #250 from noir-cr/dev

Release v0.13.0

Author: hahwul

.github/workflows/snapcraft_publish.yml

@@ -0,0 +1,36 @@
+name: Snapcraft tab Publish
+
+on:
+  release:
+    types: [published]
+  
+jobs:
+  snapcraft-releaser:
+    runs-on: ubuntu-latest
+    name: snapcraft-releaser
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+        - amd64
+        - arm64
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v3
+
+      - uses: diddlesnaps/snapcraft-multiarch-action@v1
+        with:
+          path: stores/snapcraft/stable
+          architecture: ${{ matrix.platform }}
+        id: build
+
+      - uses: diddlesnaps/snapcraft-review-action@v1
+        with:
+          snap: ${{ steps.build.outputs.snap }}
+
+      - uses: snapcore/action-publish@master
+        env:
+          SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAP_STORE_LOGIN }}
+        with:
+          snap: ${{ steps.build.outputs.snap }}
+          release: stable

shard.yml

@@ -1,5 +1,5 @@
 name: noir
-version: 0.12.2
+version: 0.13.0
 
 authors:
   - hahwul <hahwul@gmail.com>

snap/snapcraft.yaml

@@ -0,0 +1,41 @@
+name: noir
+base: core20
+version: 0.13.0
+summary: Attack surface detector that identifies endpoints by static analysis.
+description: |
+  Noir is your ally in the quest for digital fortification. 
+  A cutting-edge attack surface detector, it unveils hidden endpoints through meticulous static analysis.
+
+grade: stable # must be 'stable' to release into candidate/stable channels
+confinement: strict # use 'strict' once you have the right plugs and slots
+license: MIT
+
+apps:
+  noir:
+    command: noir
+
+parts:
+  noir:
+    source: ./
+    plugin: nil #crystal
+    #crystal-channel: latest/stable
+    override-build: |
+      curl -fsSL https://crystal-lang.org/install.sh | sudo bash
+      snapcraftctl pull
+      shards install
+      shards build --release
+      cp ./bin/noir $SNAPCRAFT_PART_INSTALL/
+      snapcraftctl build
+    build-packages:
+      - git
+      - libssl-dev
+      - libxml2-dev
+      - libz-dev
+      - libyaml-dev
+      - libpcre2-dev
+      - libevent-dev
+      - libgmp-dev
+    stage-packages:
+      - libssl1.1
+      - libxml2
+      - libevent-2.1-7

spec/functional_test/fixtures/go_echo/server.go

@@ -25,6 +25,16 @@ func main() {
 		_ = c.FormValue("name")
 		return c.String(http.StatusOK, "Hello, Pet!")
 	})
+	mygroup := e.Group("/admin")
+	mygroup.GET("/users", func(c echo.Context) error {
+		return c.String(http.StatusOK, "Hello, Pet!")
+	})
+
+	v1 := mygroup.Group("/v1")
+	v1.GET("/migration", func(c echo.Context) error {
+		return c.String(http.StatusOK, "Hello, Pet!")
+	})
+
 	e.Static("/public", "public")
 	e.Static("/public", "./public2")
 	e.Static("/public", "/public3")

spec/functional_test/fixtures/go_fiber/server.go

@@ -28,6 +28,16 @@ func main() {
 		// Websocket logic
 	}))
 
+	mygroup := app.Group("/admin")
+	mygroup.Get("/users", func(c *fiber.Ctx) error {
+		return c.SendString(msg) // => ✋ register
+	})
+
+	v1 := mygroup.Group("/v1")
+	v1.Get("/migration", func(c *fiber.Ctx) error {
+		return c.SendString(msg) // => ✋ register
+	})
+
 	app.Static("/", "/public")
 
 	log.Fatal(app.Listen(":3000"))

spec/functional_test/fixtures/go_gin/server.go

@@ -27,6 +27,16 @@ func main() {
 		c.String(http.StatusOK, "Submitted data: Username=%s, Password=%s, userAgent=%s", username, password, userAgent)
 	})
 
+	users := r.Group("/group")
+	users.GET("/users", func(c *gin.Context) {
+		c.JSON(http.StatusOK, "users")
+	})
+
+	v1 := users.Group("/v1")
+	v1.GET("/migration", func(c *gin.Context) {
+		c.JSON(http.StatusOK, "users")
+	})
+
 	r.Static("/public", "public")
 	r.Run() // listen and serve on 0.0.0.0:8080 (for windows "localhost:8080")
 }

spec/functional_test/fixtures/java_spring/.gitignore

@@ -0,0 +1 @@
+.gradle

spec/functional_test/fixtures/java_spring/src/HttpServletRequest.java

@@ -0,0 +1,22 @@
+package com.test;
+import javax.servlet.http.HttpServletRequest;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class MyController {
+
+    @GetMapping("/greet")
+    public String greet(HttpServletRequest request) {
+        String name = request.getParameter("name");
+        if (name == null || name.isEmpty()) {
+            name = "World";
+        }
+
+        String header = request.getHeader("header");
+        if (header == null || header.isEmpty()) {
+            header = "!";
+        }
+        return "Hello, " + name + header;
+    }
+}

spec/functional_test/fixtures/java_spring/src/ItemController.java

@@ -1,11 +1,14 @@
+package com.test;
 import org.springframework.web.bind.annotation.*;
+import a.b.c.bind.annotation.*;
+import org.springframework.c.d.e.*;
 
 @RestController
 @RequestMapping("/items")
 public class ItemController {
 
     @GetMapping("/{id}")
-    public Item getItem(@PathVariable Long id) {
+    public Item getItem(@PathVariable Long id) throws ItemNotFoundException {
     }
 
     @PostMapping
@@ -23,4 +26,25 @@ public void deleteItem(@PathVariable Long id) {
     @GetMapping("/json/{id}", produces = [MediaType.APPLICATION_JSON_VALUE])
     public void getItemJson(){       
     }
+}
+
+class Item {
+    int id;
+    String name;
+
+    public void setId(int _id) {
+        id = _id;
+    }
+
+    public int getId() {
+        return id;
+    }
+
+    public void setName(String _name) {
+        name = _name;
+    }
+
+    public String getName() {
+        return name;
+    }
 }

spec/functional_test/fixtures/java_spring/src/RequestParam.java

@@ -0,0 +1,13 @@
+package com.test;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class MyController {
+
+    @GetMapping("/greet2")
+    public String greet2(@RequestParam("myname") String a, @RequestParam("b") int b, String name) {
+        return "Hello, " + a + b"!";
+    }
+}

spec/functional_test/fixtures/kotlin_spring/.gitignore

@@ -0,0 +1 @@
+.gradle

spec/functional_test/testers/go_echo_spec.cr

@@ -17,9 +17,11 @@ extected_endpoints = [
   Endpoint.new("/public/secret.html", "GET"),
   Endpoint.new("/public/mob.txt", "GET"),
   Endpoint.new("/public/coffee.txt", "GET"),
+  Endpoint.new("/admin/users", "GET"),
+  Endpoint.new("/admin/v1/migration", "GET"),
 ]
 
 FunctionalTester.new("fixtures/go_echo/", {
   :techs     => 1,
-  :endpoints => 7,
+  :endpoints => 9,
 }, extected_endpoints).test_all

spec/functional_test/testers/go_fiber_spec.cr

@@ -12,9 +12,11 @@ extected_endpoints = [
   ]),
   Endpoint.new("/secret.html", "GET"),
   Endpoint.new("/ws", "GET"),
+  Endpoint.new("/admin/users", "GET"),
+  Endpoint.new("/admin/v1/migration", "GET"),
 ]
 
 FunctionalTester.new("fixtures/go_fiber/", {
   :techs     => 1,
-  :endpoints => 4,
+  :endpoints => 6,
 }, extected_endpoints).test_all

spec/functional_test/testers/go_gin_spec.cr

@@ -14,9 +14,11 @@ extected_endpoints = [
     Param.new("User-Agent", "", "header"),
   ]),
   Endpoint.new("/public/secret.html", "GET"),
+  Endpoint.new("/group/users", "GET"),
+  Endpoint.new("/group/v1/migration", "GET"),
 ]
 
 FunctionalTester.new("fixtures/go_gin/", {
   :techs     => 1,
-  :endpoints => 4,
+  :endpoints => 6,
 }, extected_endpoints).test_all

spec/functional_test/testers/java_spring_spec.cr

@@ -16,12 +16,21 @@ extected_endpoints = [
   # ItemController.java
   Endpoint.new("/items/{id}", "GET"),
   Endpoint.new("/items/json/{id}", "GET"),
-  Endpoint.new("/items", "POST"),
-  Endpoint.new("/items/update/{id}", "PUT"),
+  Endpoint.new("/items", "POST", [Param.new("id", "", "form"), Param.new("name", "", "form")]),
+  Endpoint.new("/items/update/{id}", "PUT", [Param.new("id", "", "json"), Param.new("name", "", "json")]),
   Endpoint.new("/items/delete/{id}", "DELETE"),
+  Endpoint.new("/greet", "GET", [
+    Param.new("name", "", "query"),
+    Param.new("header", "", "header"),
+  ]),
+  Endpoint.new("/greet2", "GET", [
+    Param.new("myname", "", "query"),
+    Param.new("b", "", "query"),
+    Param.new("name", "", "query"),
+  ]),
 ]
 
 FunctionalTester.new("fixtures/java_spring/", {
   :techs     => 1,
-  :endpoints => 15,
+  :endpoints => 17,
 }, extected_endpoints).test_all

spec/unit_test/analyzer/analyzer_go_echo_spec.cr

@@ -4,33 +4,34 @@ require "../../../src/options"
 describe "analyzer_go_echo" do
   options = default_options()
   instance = AnalyzerGoEcho.new(options)
+  groups = [] of Hash(String, String)
 
   it "instance.get_route_path - GET" do
-    instance.get_route_path("e.GET(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.GET(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - POST" do
-    instance.get_route_path("e.POST(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.POST(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - PUT" do
-    instance.get_route_path("e.PUT(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.PUT(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - DELETE" do
-    instance.get_route_path("e.DELETE(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.DELETE(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - PATCH" do
-    instance.get_route_path("e.PATCH(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.PATCH(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - HEAD" do
-    instance.get_route_path("e.HEAD(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.HEAD(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - OPTIONS" do
-    instance.get_route_path("e.OPTIONS(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("e.OPTIONS(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - customContext1" do
-    instance.get_route_path("customEnv.OPTIONS(\"/\", func(c echo.Context) error {").should eq("/")
+    instance.get_route_path("customEnv.OPTIONS(\"/\", func(c echo.Context) error {", groups).should eq("/")
   end
   it "instance.get_route_path - customContext2" do
-    instance.get_route_path("customEnv.OPTIONS(\"/\", func(myContext echo.Context) error {").should eq("/")
+    instance.get_route_path("customEnv.OPTIONS(\"/\", func(myContext echo.Context) error {", groups).should eq("/")
   end
 
   it "instance.get_static_path - Static" do

spec/unit_test/analyzer/analyzer_spring_spec.cr spec/unit_test/analyzer/analyzer_kotlin_spring_spec.cr

@@ -1,9 +1,9 @@
-require "../../../src/analyzer/analyzers/analyzer_spring.cr"
+require "../../../src/analyzer/analyzers/analyzer_kotlin_spring.cr"
 require "../../../src/options"
 
 describe "mapping_to_path" do
   options = default_options()
-  instance = AnalyzerSpring.new(options)
+  instance = AnalyzerKotlinSpring.new(options)
 
   it "mapping_to_path - GET" do
     instance.mapping_to_path("@GetMapping(\"/abcd\")").should eq(["/abcd"])
@@ -72,7 +72,7 @@ end
 
 describe "utils func" do
   options = default_options()
-  instance = AnalyzerSpring.new(options)
+  instance = AnalyzerKotlinSpring.new(options)
 
   it "is_bracket - true" do
     instance.is_bracket("{abcd=1234}").should eq(true)

spec/unit_test/detector/detect_kotlin_spring_spe_spec.cr

@@ -0,0 +1,10 @@
+require "../../../src/detector/detectors/*"
+
+describe "Detect Java Spring" do
+  options = default_options()
+  instance = DetectorKotlinSpring.new options
+
+  it "build.gradle.kts" do
+    instance.detect("build.gradle.kts", "'org.springframework.boot' version '2.6.2'").should eq(true)
+  end
+end