noir

• 🪄 Improve Analyzers
  • Django (Improve REGEX_URL_MAPPING)
  • Spring (Add RouterFunction analyze)
  • Go Echo (Add param analyze)
  • Rails (Add header analyze)
• 🦺 Testing structure refactoring
• 🪲 And fixed bugs :D

I would like to express my infinite gratitude to @ksg97031 once again.

• Fixed #31 (Add exception handling for file access errors in spawn)

Seems like I've almost reached the initially set modest feature scope. I'll be focusing on enhancing detection rates and coverage of techs for the foreseeable future. Nevertheless, turning great ideas into features is always a blast. If you have any cool improvements or ideas, feel free to drop them anytime through issues or discussions!

Release Note

• OAS 3 Support
• Swagger to OAS 2 Name Transition
  • Improve detection
• Header Identification Now Supported in Crystal-Kemal and Ruby-Sinatra
• Elevating Code Quality

OAS3

Swagger to OAS2

I've aligned the naming similarly to OAS2 with the introduction of OAS3 support.

  oas2
    format: ["JSON", "YAML"]
    similar: ["oas 2.0", "oas_2_0", "swagger 2.0", "swagger_2_0", "swagger"]
  oas3
    format: ["JSON", "YAML"]
    similar: ["oas 3.0", "oas_3_0"]

Header Identifications

Example for Kemal Analyzer / In the default format, headers are displayed in green.

And..

I'd like to extend my heartfelt thanks to all the contributors and everyone who provided feedback :D

Noir now supports Swagger analysis. When Swagger documents are detected in the target source code, the tool analyzes those files to identify and extract endpoints.

Release note

• Support Swagger Analysis
  • Module: Detector, Analyzer
  • Format: JSON, YAML
• Improve codes (Kemal detector, spec codes)
• Using crystal's --production flags in the release process

Swagger Analysis

For Contributors

Now, information can be stored and retrieved through the CodeLocator.instance (singleton instance). It is primarily used for data communication between detectors and analyzers, which helps reduce redundant tasks.

# Code1
locator = CodeLocator.instance
locator.set("swagger-json", filename)
# if filename is 'docs.json'

# Code2
puts locator.get("swagger-json")
# docs.json

Summary

• Add --exclude-techs flag
• A module for handling similar word processing for tech and managing techs has been added.
• Changed --techs-list to --list-techs for consistency with other flags.

Exclude techs

You can now force the technology to be ignored.

And, Similar languages are also handled.

--exclude-techs Rails
--exclude-techs ruby-rails
--exclude-techs rails

# All of the above flags disable ruby_rails.

Techs

Now, the technology list is managed with additional metadata information included.
So the --list-techs flag has also been modified accordingly.

• Fixed bugs https://github.com/hahwul/noir/pull/18 ( by @ksg97031 )

  • Invalid UTF-8 characters can cause regex to crash (ref: https://github.com/crystal-lang/crystal/issues/13237).
  • Django analyzer's failure to properly append URL prefixes.
  • Spring analyzer can scan non-Java files, which can lead to a crash.
  • Spring analyzer can't identify cases where the path is empty, using the example at https://github.com/ksg97031/spring-demo/blob/main/src/main/java/com/example/demo/controller/TestController2.java#L8-L16.

• Fixed a bug where some techniques were missing from the --techs-list flag

• Improve spring analyzer https://github.com/hahwul/noir/pull/14
• Improve go-echo analyzer https://github.com/hahwul/noir/commit/394e1abc15ca346aa154fe5803c595379bf0d7f5

P.S.
In addition to the endpoints defined by the programming language, we intend to trace endpoints by scanning files generated within the source code directory. For instance, utilizing OpenAPI files :D

• Improve django analyzer (by @ksg97031)
  • Issue: https://github.com/hahwul/noir/issues/9
  • PR: https://github.com/hahwul/noir/pull/13

Improve django analyzer

• Improve code structure
• Support param in crystal-kemal, ruby-sinatra
• Add Endpoint Reference Type for Code Analysis

• Add new endpoint type: ws websocket
• Add new detector and analyzer: crystal-kemal
• Improve analyzers: rails, spring

ws endpoint type

crystal kemal

tested it with xssmaze.

First release 😎
and I extend my gratitude to the first contributor, nil (@ksg97031)! Thank you for your valuable contribution!