class CryptoTagger

Overview

Flags endpoints that perform cryptographic operations — encryption / decryption, signing / verification, hashing, or key management. These warrant review for weak or obsolete algorithms, padding/signing oracles, static IV/salt/nonce reuse, and key exposure or mismanagement.

key, sign, and verify are deliberately not standalone signals: "API key", "sign in", and "verify email" are overwhelmingly non-crypto. Bare auth routes (/signin, /signup) therefore never match here.

Defined in:

tagger/taggers/crypto.cr

Constant Summary

STRONG_PARAM_NAMES = Set {"plaintext", "ciphertext", "cleartext", "public_key", "private_key", "pubkey", "privkey", "secret_key", "signing_key", "encryption_key", "decryption_key", "passphrase", "pem", "hmac"}

Parameter names that imply a crypto operation on their own (the plaintext/ciphertext payloads, named key material, passphrases).

STRONG_PATH_PARTS = Set {"encrypt", "decrypt", "encryption", "decryption", "cipher", "crypto", "cryptography", "hmac", "jwks", "jwk", "jwt", "jws", "jwe", "keystore", "kms", "pgp", "gpg", "unseal", "x509", "pkcs7", "pkcs8", "pkcs12", "pfx", "aes", "rsa", "dsa", "ecdsa", "ecdh", "ed25519", "ed448", "x25519", "x448", "curve25519", "secp256k1", "sha1", "sha224", "sha256", "sha384", "sha512", "sha3", "keccak", "ripemd", "ripemd160", "md5", "blake2", "blake3", "rc4", "3des", "blowfish", "twofish", "chacha20", "salsa20", "bcrypt", "argon2", "scrypt", "pbkdf2", "hkdf", "totp", "hotp"}

Unambiguous crypto path segments — one is enough. Matched as whole segments after splitting the path on /, -, _ and . (dot). Includes named primitives (aes/rsa/sha256/bcrypt/…) and key-management verbs that carry no benign meaning as a standalone path segment. Legacy/weak algorithms (md5/sha1/rc4/3des/blowfish) are kept on purpose — surfacing an endpoint that still uses one is the point of this tag. Each named primitive carries a digit or is otherwise distinctive enough to never collide with a benign word as a whole path segment.

WEAK_PARAM_NAMES = Set {"signature", "hash", "digest", "algorithm", "salt", "nonce", "checksum", "cipher", "key_id", "kid", "certificate", "cert", "csr"}
WEAK_PATH_PARTS = Set {"signature", "signatures", "signing", "hash", "digest", "checksum", "certificate", "cert", "csr"}

Weaker signals: meaningful for crypto but also seen elsewhere. Tag only when at least two distinct tokens co-occur (across path and params). verify, iv, algo, and fingerprint are intentionally absent — each pairs spuriously with benign tokens (e-sign "verify", invoice "iv", recommendation "algo", device "fingerprint").
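The three rules above (one strong path segment, one strong parameter name, or at least two distinct weak tokens across path and parameters) are small enough to re-implement end to end. The following Python is an added, stand-alone re-implementation of the documented heuristic for illustration; it is not the project's own Crystal code, and the endpoint paths and parameter names it classifies are constructed samples. It assumes parameter names are compared exactly after lowercasing, which the page does not state.

```python
import re

# The four constant sets exactly as documented on the page.
STRONG_PARAM_NAMES = {"plaintext", "ciphertext", "cleartext", "public_key", "private_key",
                      "pubkey", "privkey", "secret_key", "signing_key", "encryption_key",
                      "decryption_key", "passphrase", "pem", "hmac"}
STRONG_PATH_PARTS = {"encrypt", "decrypt", "encryption", "decryption", "cipher", "crypto",
                     "cryptography", "hmac", "jwks", "jwk", "jwt", "jws", "jwe", "keystore",
                     "kms", "pgp", "gpg", "unseal", "x509", "pkcs7", "pkcs8", "pkcs12", "pfx",
                     "aes", "rsa", "dsa", "ecdsa", "ecdh", "ed25519", "ed448", "x25519", "x448",
                     "curve25519", "secp256k1", "sha1", "sha224", "sha256", "sha384", "sha512",
                     "sha3", "keccak", "ripemd", "ripemd160", "md5", "blake2", "blake3", "rc4",
                     "3des", "blowfish", "twofish", "chacha20", "salsa20", "bcrypt", "argon2",
                     "scrypt", "pbkdf2", "hkdf", "totp", "hotp"}
WEAK_PARAM_NAMES = {"signature", "hash", "digest", "algorithm", "salt", "nonce", "checksum",
                    "cipher", "key_id", "kid", "certificate", "cert", "csr"}
WEAK_PATH_PARTS = {"signature", "signatures", "signing", "hash", "digest", "checksum",
                   "certificate", "cert", "csr"}

# Path segments are whole tokens after splitting on "/", "-", "_" and ".".
_SEGMENT_SPLIT = re.compile(r"[/\-_.]")


def path_segments(path: str) -> list[str]:
    """Lowercased, non-empty whole segments of a URL path."""
    return [seg.lower() for seg in _SEGMENT_SPLIT.split(path) if seg]


def classify(path: str, params: list[str]) -> tuple[bool, str]:
    """Return (tagged, reason) for one endpoint.

    Rule order mirrors the documented signal strength:
      1. any strong path segment tags on its own,
      2. any strong parameter name tags on its own,
      3. otherwise at least two *distinct* weak tokens across path and params.
    Assumption (not stated on the page): parameter names are matched exactly
    after lowercasing, with no splitting.
    """
    segments = set(path_segments(path))
    names = {p.lower() for p in params}

    strong_path = STRONG_PATH_PARTS & segments
    if strong_path:
        return True, f"strong path segment: {sorted(strong_path)}"

    strong_param = STRONG_PARAM_NAMES & names
    if strong_param:
        return True, f"strong parameter name: {sorted(strong_param)}"

    # Union, not sum: the same token in both path and params counts once,
    # so "/documents/signature" with a "signature" parameter stays untagged.
    weak = (WEAK_PATH_PARTS & segments) | (WEAK_PARAM_NAMES & names)
    if len(weak) >= 2:
        return True, f"weak tokens co-occur: {sorted(weak)}"

    return False, "no crypto signal"


def tag_endpoints(endpoints: list[tuple[str, list[str]]]) -> list[str]:
    """Return the paths of every endpoint the heuristic would tag."""
    return [path for path, params in endpoints if classify(path, params)[0]]


# Constructed sample endpoints, chosen to exercise each rule and each exclusion.
SAMPLE_ENDPOINTS = [
    ("/api/v1/encrypt", ["data"]),                     # strong path segment
    ("/backup.sha256", []),                            # "." is a separator, sha256 is strong
    ("/keys/sign", ["signing_key", "payload"]),        # "sign" alone is nothing; param is strong
    ("/documents/signature", ["signature"]),           # one weak token counted once -> untagged
    ("/documents/signature", ["digest", "algorithm"]), # three distinct weak tokens -> tagged
    ("/files/checksum", ["hash"]),                     # two distinct weak tokens -> tagged
    ("/auth/signin", ["email", "password"]),           # bare auth route never matches
    ("/settings/api-key", ["key"]),                    # "key" is deliberately not a signal
    ("/users/verify-email", ["token"]),                # "verify" deliberately absent
]

if __name__ == "__main__":
    for path, params in SAMPLE_ENDPOINTS:
        tagged, reason = classify(path, params)
        print(f"{'CRYPTO' if tagged else '      '}  {path:<28} {reason}")
```

Running the block prints one line per sample endpoint with the rule that fired. The union in the weak-token step is the detail worth checking when reviewing a tagger like this: summing matches instead would let a single repeated token such as "signature" satisfy the two-token rule and reintroduce exactly the false positives the weak lists were designed to avoid.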

Constructors

Instance Method Summary

Instance methods inherited from class Tagger

name : String
perform(endpoints : Array(Endpoint)) : Array(Endpoint)

Constructor methods inherited from class Tagger

new(options : Hash(String, YAML::Any))

Constructor Detail

def self.new(options : Hash(String, YAML::Any))

Instance Method Detail

def perform(endpoints : Array(Endpoint))