route-detect
Browser viz is hiding route paths for Java Spring in title
Thanks for this cool tool ! Was actually playing with a similar idea using semgrep :)
I think the "title" in the semgrepData JSON object is super long for some semgrep detections, and D3 is only showing me the `@Operation`, because the rest of the string has `\n` line breaks.
If I remove the `\n` manually it doesn't fix it, hovering the cursor above a route will show the whole semgrep finding, including the URL mapping!
Not sure how this should be fixed, I would definitely put the RequestMapping above everything else cause that's the API route
EDIT: Alright I think the secret sauce is in d3ify https://github.com/mschwager/route-detect/blob/2804595b53657a660e530bf9f81864ded653ef9a/routes/commands/viz.py#L85 So maybe splitting the result lines further and extracting specific things, per language/framework, to have the route shown in D3
Maybe a generic regex extractor that can support all the framework ways of declaring URLs/paths? That way it could extract the path every time.
Okay, small update:
Struggled a bit to set up the debugger on VSCode, but I finally got it working by selecting the poetry Python interpreter, otherwise it wouldn't use breakpoints in the `viz.py` file.
Once I got that working, I noticed there is a notion of "NORMALIZER" in the code, only for rails.
It looks like it's using regexes, so I think that's the thing that extracts some info for edge cases ?
Also I'm realizing that the semgrep rules themselves don't extract the URLs/paths defined in the route mappings, since it's using `...` ellipsis operators, so I understand why it's hard to extract these now.
Update: been trying to make a new kind of Normalizer, called "extractor" to really get the exact route defined instead of just the semgrep lines.
Using regex it's definitely horrible, I wonder if semgrep could extract the path for us? In Spring you can do a simple `@RequestMapping` and not specify the `path=` variable I think, which is challenging.
Adding a new semgrep variable like $ROUTE in the spring rules could help grabbing the routes easily https://github.com/mschwager/route-detect/blob/main/routes/rules/spring.yml#L6C28-L6C28
```yaml
- pattern: |
    @$METHOD(path = $PATH)
    $RETURNTYPE $FUNC(...) { ... }
...
...
...
metadata:
  references:
  - https://www.baeldung.com/spring-security-method-security
  route-detect:
    fill: red
    route_extractor: spring
    route: $PATH
```
Then you could reuse that information simply in generating the d3 graph
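A sketch of the regex "extractor" idea from the comment above, added here as an example; it is not part of the original thread and not route-detect's own code. `extract_spring_routes` and `route_label` are hypothetical names, the sample finding is constructed, and the bare `@RequestMapping` case mentioned above is reported as an empty path.

```python
import re
from typing import List, Optional

STR = r'"(?:[^"\\]|\\.)*"'  # Java string literal, escapes allowed
# A mapping annotation with an optional argument list; parentheses inside
# string literals (e.g. "/{id:(\\d+)}") do not end the argument list.
ANNOTATION_RE = re.compile(
    r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\b'
    r'(?:\s*\(((?:' + STR + r'|[^)"])*)\))?'
)
# A path value: array initializer, string literal, or constant reference.
VALUE = r'(\{(?:' + STR + r'|[^}"])*\}|' + STR + r'|[\w.]+\b(?!\s*=))'
NAMED_RE = re.compile(r'\b(?:path|value)\s*=\s*' + VALUE)
POSITIONAL_RE = re.compile(r'\s*' + VALUE)
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def extract_spring_routes(finding: str) -> Optional[List[str]]:
    """Paths of the first Spring mapping annotation in `finding`.
    None: no mapping found; [""]: mapping without a path; a constant
    reference is returned unresolved."""
    match = ANNOTATION_RE.search(finding)
    if match is None:
        return None
    args = match.group(1) or ""
    value = NAMED_RE.search(args) or POSITIONAL_RE.match(args)
    if value is None:
        return [""]
    literals = LITERAL_RE.findall(value.group(1))
    return literals if literals else [value.group(1).strip()]


def route_label(finding: str) -> str:
    """Label for a graph node: the route if found, else the first line."""
    routes = extract_spring_routes(finding)
    if routes is None:
        return finding.splitlines()[0] if finding else ""
    return ", ".join(routes)


# Constructed sample: a multi-line finding where @Operation precedes the mapping.
SAMPLE = (
    '@Operation(summary = "Get a user")\n'
    '@GetMapping(path = "/users/{id}", produces = "application/json")\n'
    'public User getUser(@PathVariable Long id) { ... }'
)

if __name__ == "__main__":
    print(route_label(SAMPLE))
```

Class-level prefixes are not combined with method-level paths here; each annotation is read on its own.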
Hi there!
Sorry, I've been quite busy lately. I will try to find some time to review the issues and PRs you've opened :+1: