Merge pull request #426 from owasp-noir/add-actix-web

✨ Add ActixWeb
owasp-noir · Oct 2, 2024 · 8fe20ef · 8fe20ef
2 parents fba30bd + b9bdc94
commit 8fe20ef
Show file tree

Hide file tree

Showing 9 changed files with 124 additions and 0 deletions.
diff --git a/docs/_get_started/supported/language_and_frameworks.md b/docs/_get_started/supported/language_and_frameworks.md
@@ -158,6 +158,12 @@ layout: page
 |-----|--------|-------|--------|--------|----|
 | ✅   | ✅    | ❌    | ❌     | ❌     | ❌ |
 
+### Actix Web
+
+| URL | Method | Param | Header | Cookie | WS |
+|-----|--------|-------|--------|--------|----|
+| ✅   | ✅    | ❌    | ❌     | ❌     | ❌ |
+
 ## Elixir
 
 ### Phoenix

diff --git a/spec/functional_test/fixtures/rust_actix_web/Cargo.toml b/spec/functional_test/fixtures/rust_actix_web/Cargo.toml
@@ -0,0 +1,8 @@
+[package]
+name = "example-hello-world"
+
+[dependencies]
+actix-web = "4.9"
+actix-web-actors = "4.1"
+actix-web-lab = "0.22"
+actix-ws = "0.3"
diff --git a/spec/functional_test/fixtures/rust_actix_web/src/main.rs b/spec/functional_test/fixtures/rust_actix_web/src/main.rs
@@ -0,0 +1,15 @@
+use actix_web::{get, post, web, App, HttpResponse, HttpServer, Responder};
+
+#[get("/")]
+async fn hello() -> impl Responder {
+    HttpResponse::Ok().body("Hello world!")
+}
+
+#[post("/echo")]
+async fn echo(req_body: String) -> impl Responder {
+    HttpResponse::Ok().body(req_body)
+}
+
+async fn manual_hello() -> impl Responder {
+    HttpResponse::Ok().body("Hey there!")
+}
diff --git a/spec/functional_test/testers/rust_actix_web_spec.cr b/spec/functional_test/testers/rust_actix_web_spec.cr
@@ -0,0 +1,11 @@
+require "../func_spec.cr"
+
+extected_endpoints = [
+  Endpoint.new("/", "GET"),
+  Endpoint.new("/echo", "POST"),
+]
+
+FunctionalTester.new("fixtures/rust_actix_web/", {
+  :techs     => 1,
+  :endpoints => extected_endpoints.size,
+}, extected_endpoints).test_all
diff --git a/src/analyzer/analyzer.cr b/src/analyzer/analyzer.cr
@@ -43,6 +43,7 @@ def initialize_analyzers(logger : NoirLogger)
     {"ruby_sinatra", Ruby::Sinatra},
     {"rust_axum", Rust::Axum},
     {"rust_rocket", Rust::Rocket},
+    {"rust_actix_web", Rust::ActixWeb},
   ])
 
   logger.success "#{analyzers.size} Analyzers initialized"

diff --git a/src/analyzer/analyzers/rust/actix_web.cr b/src/analyzer/analyzers/rust/actix_web.cr
@@ -0,0 +1,47 @@
+require "../../../models/analyzer"
+
+module Analyzer::Rust
+  class ActixWeb < Analyzer
+    def analyze
+      # Source Analysis
+      pattern = /#\[(get|post|put|delete|patch)\("([^"]+)"\)\]/
+
+      begin
+        Dir.glob("#{base_path}/**/*") do |path|
+          next if File.directory?(path)
+
+          if File.exists?(path) && File.extname(path) == ".rs"
+            File.open(path, "r", encoding: "utf-8", invalid: :skip) do |file|
+              file.each_line.with_index do |line, index|
+                if line.to_s.includes? "#["
+                  match = line.match(pattern)
+                  if match
+                    begin
+                      route_argument = match[2]
+                      callback_argument = match[1]
+                      details = Details.new(PathInfo.new(path, index + 1))
+                      result << Endpoint.new("#{route_argument}", callback_to_method(callback_argument), details)
+                    rescue
+                    end
+                  end
+                end
+              end
+            end
+          end
+        end
+      rescue e
+      end
+
+      result
+    end
+
+    def callback_to_method(str)
+      method = str.split("(").first
+      if !["get", "post", "put", "delete"].includes?(method)
+        method = "get"
+      end
+
+      method.upcase
+    end
+  end
+end
diff --git a/src/detector/detector.cr b/src/detector/detector.cr
@@ -47,6 +47,7 @@ def detect_techs(base_path : String, options : Hash(String, YAML::Any), passive_
     Ruby::Sinatra,
     Rust::Axum,
     Rust::Rocket,
+    Rust::ActixWeb,
   ])
 
   channel = Channel(String).new

diff --git a/src/detector/detectors/rust/actix_web.cr b/src/detector/detectors/rust/actix_web.cr
@@ -0,0 +1,17 @@
+require "../../../models/detector"
+
+module Detector::Rust
+  class ActixWeb < Detector
+    def detect(filename : String, file_contents : String) : Bool
+      check = file_contents.includes?("actix-web")
+      check = check && file_contents.includes?("dependencies")
+      check = check && filename.includes?("Cargo.toml")
+
+      check
+    end
+
+    def set_name
+      @name = "rust_actix_web"
+    end
+  end
+end
diff --git a/src/techs/techs.cr b/src/techs/techs.cr
@@ -472,6 +472,24 @@ module NoirTechs
         :websocket   => false,
       },
     },
+    :rust_actix_web => {
+      :framework => "Actix Web",
+      :language  => "Rust",
+      :similar   => ["actix-web", "actix_web", "rust-actix-web", "rust_actix_web"],
+      :supported => {
+        :endpoint => true,
+        :method   => true,
+        :params   => {
+          :query  => false,
+          :path   => false,
+          :body   => false,
+          :header => false,
+          :cookie => false,
+        },
+        :static_path => false,
+        :websocket   => false,
+      },
+    },
   }
 
   def self.techs