class ApiDocsTagger

Overview

Flags API documentation / schema endpoints — Swagger UI, OpenAPI/JSON specs, GraphiQL, ReDoc, RapiDoc, WSDL/WADL, Spring …/api-docs. These expose the full API surface (every route, parameter, and model) and are very frequently reachable without authentication, so they are a high-value recon target and an information-disclosure risk.

Defined in:

tagger/taggers/api_docs.cr

Constant Summary

DOC_SEGMENTS = Set {"swagger", "swagger-ui", "swagger-resources", "openapi", "openapi3", "redoc", "graphiql", "rapidoc", "wsdl", "wadl", "api-docs", "api-doc", "asyncapi", "api-json", "api-yaml", "apispec", "apispec_1", "openid-configuration", "oauth-authorization-server", "oauth-protected-resource", "smart-configuration"}

Matched against slash/dot-delimited segments (hyphens and underscores kept inside a segment) so /swagger-ui.html, /v3/api-docs, and /openapi.json are all recognized while a generic /docs documentation site is not (FastAPI apps are still caught via /openapi.json / /redoc).

DOC_SEGMENTS_NORMALIZED = DOC_SEGMENTS.map(&.gsub(/[-_]/, "")).to_set

Separator-insensitive lookup so /swagger_ui, /swaggerui, /open-api, and /api_docs all match regardless of whether the source used -, _, or no separator at all.
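The segment-matching heuristic described for both constants, re-implemented in Python as an added example for inventorying one's own endpoints (this is not the tagger's Crystal code; the segment list is copied from DOC_SEGMENTS above, case-insensitive matching and the sample endpoint list are assumptions):

```python
import re

# Segment names copied from the page's DOC_SEGMENTS constant
DOC_SEGMENTS = {
    "swagger", "swagger-ui", "swagger-resources", "openapi", "openapi3", "redoc",
    "graphiql", "rapidoc", "wsdl", "wadl", "api-docs", "api-doc", "asyncapi",
    "api-json", "api-yaml", "apispec", "apispec_1", "openid-configuration",
    "oauth-authorization-server", "oauth-protected-resource", "smart-configuration",
}
# Separator-insensitive form: "-" and "_" dropped, so swagger_ui / swaggerui also match
DOC_SEGMENTS_NORMALIZED = {s.replace("-", "").replace("_", "") for s in DOC_SEGMENTS}

# Constructed sample inventory (assumption): a mix of real routes and doc endpoints
SAMPLE_ENDPOINTS = [
    "/api/v1/users",
    "/swagger-ui.html",
    "/docs",
    "/v3/api-docs",
    "/open-api",
    "/.well-known/openid-configuration",
    "/static/app.js",
]


def path_segments(url_or_path):
    """Slash/dot-delimited segments of the path; hyphens and underscores stay inside a segment."""
    # Drop scheme and host if a full URL was given, then query string and fragment
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", url_or_path, flags=re.I)
    path = path.split("?", 1)[0].split("#", 1)[0]
    # Lower-casing is an assumption; the page does not state how case is handled
    return [seg.lower() for seg in re.split(r"[/.]", path) if seg]


def is_api_docs(url_or_path):
    """True if any segment matches DOC_SEGMENTS exactly or after stripping separators."""
    for seg in path_segments(url_or_path):
        if seg in DOC_SEGMENTS:
            return True
        if re.sub(r"[-_]", "", seg) in DOC_SEGMENTS_NORMALIZED:
            return True
    return False


def tag_api_docs(endpoints):
    """Return the endpoints that look like API documentation or schema routes."""
    return [e for e in endpoints if is_api_docs(e)]
```

Running tag_api_docs over SAMPLE_ENDPOINTS flags the four documentation routes and leaves /docs, /api/v1/users and the static asset untouched, matching the behaviour described above.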

Constructors

Instance Method Summary

Instance methods inherited from class Tagger

name : String
perform(endpoints : Array(Endpoint)) : Array(Endpoint)

Constructor methods inherited from class Tagger

new(options : Hash(String, YAML::Any))

Constructor Detail

def self.new(options : Hash(String, YAML::Any))


Instance Method Detail

def perform(endpoints : Array(Endpoint))
