class DebugTagger

Overview

Flags debug, diagnostic, and internal-only endpoints — debug consoles and toggles, profilers, Spring Boot Actuator, Go net/http/pprof, heap/thread dumps, phpinfo, and /internal APIs. These should not be publicly reachable: they leak environment, config, stack traces, and heap contents, and some allow unsafe diagnostic actions (shutdown, GC, logger changes). Surfacing them points a reviewer at a high-value, frequently-misexposed surface.

Defined in:

tagger/taggers/debug.cr

Constant Summary

INTERNAL_SEGMENTS = Set {"internal", "_internal"}

internal / _internal is matched only as a standalone slash segment (the path is split on / alone for this check, not on - and _ as for the other token sets), so /internal/jobs is flagged but compound business names like /internal-transfer, /internal-notes, or /internalized are not.

STRONG_PARAM_NAMES = Set {"debug", "xdebug", "debug_mode", "debugger", "__debugger__", "xdebug_session", "xdebug_session_start", "xdebug_profile", "xdebug_trigger"}

A debug toggle parameter (?debug=true, ?xdebug=...) flips an endpoint into a debug/verbose mode regardless of its path. __debugger__ is Werkzeug's interactive-console (RCE) marker. The xdebug_session* / xdebug_profile triggers (sent as cookie, GET, or POST param) switch Xdebug into remote-debug or profiling mode — a well-known production exposure.

STRONG_PATH_PARTS = Set {"debug", "debugger", "xdebug", "actuator", "pprof", "heapdump", "heapdumps", "threaddump", "threaddumps", "phpinfo", "profiler", "jolokia", "telescope", "loggers", "configprops", "debugbar", "clockwork", "wdt"}

Unambiguous debug/diagnostic path segments — one is enough. Matched as whole segments after splitting on /, -, _, ., so /__debug__/ and /debug/pprof both yield a debug token, phpinfo.php yields phpinfo, and /actuator/loggers is covered both by actuator and root-path-exposed /loggers.

WEAK_PATH_PARTS = Set {"metrics", "monitor", "monitoring", "diagnostics", "diagnostic", "trace", "traces", "console", "dump", "dumps", "prometheus"}

Weaker, more generic diagnostic segments. These also name ordinary product features (a "metrics" dashboard, a "console" UI), so tag only when two distinct weak tokens co-occur.
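The four matching rules above, written out as an added Ruby example (a re-implementation for illustration, not the project's Crystal code); the endpoint paths and parameter names fed in are constructed here, and the "reason" strings are this example's own labels:

```ruby
require "set"

# Constants as documented for DebugTagger (copied from the page).
INTERNAL_SEGMENTS  = Set["internal", "_internal"]
STRONG_PARAM_NAMES = Set["debug", "xdebug", "debug_mode", "debugger", "__debugger__",
                         "xdebug_session", "xdebug_session_start", "xdebug_profile", "xdebug_trigger"]
STRONG_PATH_PARTS  = Set["debug", "debugger", "xdebug", "actuator", "pprof", "heapdump", "heapdumps",
                         "threaddump", "threaddumps", "phpinfo", "profiler", "jolokia", "telescope",
                         "loggers", "configprops", "debugbar", "clockwork", "wdt"]
WEAK_PATH_PARTS    = Set["metrics", "monitor", "monitoring", "diagnostics", "diagnostic", "trace",
                         "traces", "console", "dump", "dumps", "prometheus"]

# Whole slash segments: "/internal/jobs" -> ["internal", "jobs"].
# Used only for the internal/_internal rule, so "/internal-transfer" stays one segment.
def slash_segments(path)
  path.downcase.split("/").reject(&:empty?)
end

# Finer tokens, split on / - _ . : "/__debug__/" -> ["debug"], "phpinfo.php" -> ["phpinfo", "php"].
def path_tokens(path)
  path.downcase.split(%r{[/\-_.]+}).reject(&:empty?)
end

# Returns the list of reasons an endpoint would be tagged as debug ([] when it would not).
# params is the list of parameter names seen on the endpoint (query, body or cookie).
def debug_reasons(path, params = [])
  reasons = []

  # Rule 1: a strong debug toggle parameter flags the endpoint regardless of path.
  strong_params = params.map(&:downcase).select { |p| STRONG_PARAM_NAMES.include?(p) }
  reasons << "param:#{strong_params.first}" unless strong_params.empty?

  # Rule 2: internal / _internal only as a standalone slash segment.
  reasons << "internal-segment" if slash_segments(path).any? { |s| INTERNAL_SEGMENTS.include?(s) }

  tokens = path_tokens(path)

  # Rule 3: one unambiguous strong segment is enough.
  strong = tokens.select { |t| STRONG_PATH_PARTS.include?(t) }
  reasons << "strong:#{strong.first}" unless strong.empty?

  # Rule 4: weak segments count only when two *distinct* weak tokens co-occur.
  weak = tokens.select { |t| WEAK_PATH_PARTS.include?(t) }.uniq
  reasons << "weak:#{weak.sort.join('+')}" if weak.size >= 2

  reasons
end
```

Running `debug_reasons("/monitor/metrics")` yields one weak reason while `debug_reasons("/metrics")` and `debug_reasons("/internal-transfer")` yield none, matching the co-occurrence and standalone-segment rules described above.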

Instance Method Summary

Instance methods inherited from class Tagger

name : String
perform(endpoints : Array(Endpoint)) : Array(Endpoint)

Constructor methods inherited from class Tagger

new(options : Hash(String, YAML::Any))

Constructor Detail

def self.new(options : Hash(String, YAML::Any))

Instance Method Detail

def perform(endpoints : Array(Endpoint))