class Analyzer::Java::Jsp

Defined in:

analyzer/analyzers/java/jsp.cr

Constant Summary

INTERNAL_ATTRIBUTE_PREFIXES = ["javax.servlet.", "jakarta.servlet.", "javax.faces.", "jakarta.faces.", "org.springframework.", "org.apache.", "org.eclipse.jetty.", "org.glassfish.", "com.sun.", "weblogic.", "io.undertow."]

Container- and framework-managed request attributes. These are populated by the servlet engine, filters or the MVC layer — never by user input — so request.getAttribute("javax.servlet....") must not be reported as a request parameter.

SERVLET_DO_METHOD_PATTERNS = {"Get" => "GET", "Post" => "POST", "Put" => "PUT", "Delete" => "DELETE", "Patch" => "PATCH", "Head" => "HEAD", "Options" => "OPTIONS"}.map do |suffix, method| {method, /\bvoid\s+do#{suffix}\s*\(([^)]*)\)\s*(?:throws[^{]+)?\{/m} end

Crystal recompiles an interpolated regex literal on every evaluation (a full PCRE2 JIT compile). The doGet/doPost/... probe set is fixed, so precompile it once at load time.

WEBAPP_ROOT_MARKERS = ["src/main/webapp/", "src/main/resources/META-INF/resources/", "WebContent/", "WebRoot/"]

A JSP is served relative to the WEB application root, not the repo root. src/main/webapp/jsp/index.jsp is reachable at /jsp/index.jsp, so strip the build-layout webapp-root prefix; otherwise the whole source path (/libraries-otel/.../src/main/webapp/index.jsp) leaked into the URL.
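The three decisions the constants above encode, run over constructed input, as an added example (not Noir's own code): the prefix lists are trimmed, the helper names `jsp_url_path` and `servlet_http_methods` are hypothetical, and `internal_servlet_attribute?` is re-implemented here rather than taken from the analyzer.

```crystal
# Added example; constant lists shortened from the page's originals.
INTERNAL_ATTRIBUTE_PREFIXES = ["javax.servlet.", "jakarta.servlet.", "org.springframework."]
WEBAPP_ROOT_MARKERS = ["src/main/webapp/", "WebContent/"]

# Built once at load time so the interpolated regex is not recompiled per file.
SERVLET_DO_METHOD_PATTERNS = {"Get" => "GET", "Post" => "POST"}.map do |suffix, method|
  {method, /\bvoid\s+do#{suffix}\s*\(([^)]*)\)\s*(?:throws[^{]+)?\{/m}
end

# Map a repository-relative JSP path to the URL path it is served at:
# everything before and including the webapp-root marker is dropped.
def jsp_url_path(source_path : String) : String
  WEBAPP_ROOT_MARKERS.each do |marker|
    if idx = source_path.index(marker)
      return "/" + source_path[(idx + marker.size)..]
    end
  end
  "/" + source_path.lstrip('/') # no marker: fall back to the whole path
end

# Container-managed attributes are not user input and are not parameters.
def internal_servlet_attribute?(name : String) : Bool
  INTERNAL_ATTRIBUTE_PREFIXES.any? { |prefix| name.starts_with?(prefix) }
end

# HTTP methods a servlet handles, from its doGet/doPost/... overrides.
def servlet_http_methods(content : String) : Array(String)
  SERVLET_DO_METHOD_PATTERNS.compact_map do |method, pattern|
    method if pattern.matches?(content)
  end
end

# Constructed sample servlet source.
SAMPLE_SERVLET = <<-JAVA
  public class HelloServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
        throws ServletException, IOException {
      Object uri = req.getAttribute("javax.servlet.forward.request_uri");
      String q = req.getParameter("q");
    }
  }
  JAVA

puts jsp_url_path("libraries-otel/app/src/main/webapp/jsp/index.jsp") # /jsp/index.jsp
puts servlet_http_methods(SAMPLE_SERVLET).inspect                     # ["GET"]
puts internal_servlet_attribute?("javax.servlet.forward.request_uri") # true
puts internal_servlet_attribute?("q")                                 # false
```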

Instance Method Summary

Instance methods inherited from class Analyzer

analyze
base_path : String
base_paths : Array(String)
callees_needed? : Bool
logger : NoirLogger
parallel_analyze(files : Array(String), &block : String -> Nil)
read_file_content(path : String) : String
result : Array(Endpoint)
url : String

Constructor methods inherited from class Analyzer

new(options : Hash(String, YAML::Any))

Macros inherited from class Analyzer

define_getter_methods(names)

Instance methods inherited from module FileHelper

all_files : Array(String)
get_files_by_extension(extension : String) : Array(String)
get_files_by_prefix(prefix : String) : Array(String)
get_files_by_prefix_and_extension(prefix : String, extension : String) : Array(String)
get_public_dir_files(base_path : String, folder : String) : Array(String)
get_public_files(base_path : String, anchors : Array(String) = ["shard.yml", "Gemfile"]) : Array(String)

Instance Method Detail

def allow_patterns

def analyze

def extract_params(content : String) : Array(Param)

def internal_servlet_attribute?(name : String) : Bool