Add Dart dart:io HttpServer analyzer (#2151)

* Add Dart HttpServer analyzer

* Fix Dart HttpServer route scoping

Author: hahwul

spec/functional_test/fixtures/dart/http/bin/server.dart

@@ -0,0 +1,60 @@
+import 'dart:convert';
+import 'dart:io';
+
+Future<void> main() async {
+  final server = await HttpServer.bind(InternetAddress.loopbackIPv4, 8080);
+
+  await for (final HttpRequest request in server) {
+    if (request.method == 'GET' && request.uri.path == '/health') {
+      final name = request.uri.queryParameters['name'];
+      final traceId = request.headers.value('X-Trace-Id');
+      final session = request.cookies.firstWhere((cookie) => cookie.name == 'session');
+      _writeText(request, 'healthy $name $traceId ${session.value}');
+    } else if (request.uri.path == '/users' && request.method == 'POST') {
+      final body = await utf8.decoder.bind(request).join();
+      _writeText(request, body);
+    } else if (request.method == 'PATCH') {
+      if (request.uri.path == '/profiles') {
+        final mode = request.headers['X-Profile-Mode'];
+        _writeText(request, 'profile $mode');
+      }
+    }
+
+    if (request.uri.path.startsWith('/files/')) {
+      _writeText(request, 'file');
+    }
+
+    if (request.uri.path == '/reports') {
+      if (request.method == 'DELETE') {
+        _writeText(request, 'deleted');
+      }
+    }
+
+    if (request.method == 'POST') {
+      final uploadBody = await utf8.decoder.bind(request).join();
+      if (request.uri.path == '/uploads') {
+        _writeText(request, uploadBody);
+      }
+    }
+
+    switch (request.method) {
+      case 'PUT':
+        if (request.uri.path == '/switch-users') {
+          _writeText(request, 'updated');
+        }
+        break;
+    }
+
+    switch (request.uri.path) {
+      case '/status':
+        _writeText(request, 'ok');
+        break;
+    }
+  }
+}
+
+void _writeText(HttpRequest request, String body) {
+  request.response
+    ..headers.contentType = ContentType.text
+    ..write(body);
+}

spec/functional_test/fixtures/dart/http/test/server_test.dart

@@ -0,0 +1,6 @@
+import 'dart:io';
+
+void main() {
+  final fake = '/test-only';
+  print('${HttpServer.bind} $fake');
+}

spec/functional_test/testers/dart/http_spec.cr

@@ -0,0 +1,42 @@
+require "../../func_spec.cr"
+
+expected_endpoints = [
+  Endpoint.new("/health", "GET", [
+    Param.new("name", "", "query"),
+    Param.new("X-Trace-Id", "", "header"),
+    Param.new("session", "", "cookie"),
+  ]),
+  Endpoint.new("/users", "POST", [
+    Param.new("body", "", "json"),
+  ]),
+  Endpoint.new("/profiles", "PATCH", [
+    Param.new("X-Profile-Mode", "", "header"),
+  ]),
+  Endpoint.new("/files", "GET"),
+  Endpoint.new("/reports", "DELETE"),
+  Endpoint.new("/uploads", "POST", [
+    Param.new("body", "", "json"),
+  ]),
+  Endpoint.new("/switch-users", "PUT"),
+  Endpoint.new("/status", "GET"),
+]
+
+tester = FunctionalTester.new("fixtures/dart/http/", {
+  :techs     => 1,
+  :endpoints => expected_endpoints.size,
+}, expected_endpoints)
+tester.perform_tests
+
+it "does not leak pre-route body reads into previous endpoints" do
+  reports = tester.app.endpoints.find { |found| found.url == "/reports" && found.method == "DELETE" }
+  reports.should_not be_nil
+  reports.try do |endpoint|
+    endpoint.params.any? { |param| param.name == "body" && param.param_type == "json" }.should be_false
+  end
+
+  uploads = tester.app.endpoints.find { |found| found.url == "/uploads" && found.method == "POST" }
+  uploads.should_not be_nil
+  uploads.try do |endpoint|
+    endpoint.params.any? { |param| param.name == "body" && param.param_type == "json" }.should be_true
+  end
+end

spec/unit_test/detector/dart/http_spec.cr

@@ -0,0 +1,53 @@
+require "../../../spec_helper"
+require "../../../../src/detector/detectors/dart/*"
+
+describe "Detect Dart HttpServer" do
+  options = create_test_options
+  instance = Detector::Dart::Http.new options
+
+  it "detects dart io HttpServer usage" do
+    content = <<-DART
+      import 'dart:io';
+
+      Future<void> main() async {
+        final server = await HttpServer.bind(InternetAddress.loopbackIPv4, 8080);
+        await for (final HttpRequest request in server) {
+          request.response.write('ok');
+        }
+      }
+      DART
+    instance.detect("bin/server.dart", content).should be_true
+  end
+
+  it "detects aliased dart io HttpServer usage" do
+    content = <<-DART
+      import 'dart:io' as io;
+
+      Future<void> main() async {
+        final server = await io.HttpServer.bind(io.InternetAddress.loopbackIPv4, 8080);
+        server.listen((io.HttpRequest request) {});
+      }
+      DART
+    instance.detect("bin/server.dart", content).should be_true
+  end
+
+  it "does not detect unrelated dart io usage" do
+    content = <<-DART
+      import 'dart:io';
+
+      void main() {
+        final file = File('README.md');
+        print(file.path);
+      }
+      DART
+    instance.detect("bin/tool.dart", content).should be_false
+  end
+
+  it "does not detect HttpServer without dart io import" do
+    instance.detect("bin/server.dart", "void main() { print('HttpServer'); }").should be_false
+  end
+
+  it "does not detect non Dart files" do
+    instance.detect("notes.txt", "import 'dart:io'; HttpServer.bind();").should be_false
+  end
+end

src/analyzer/analyzer.cr

@@ -39,6 +39,7 @@ def initialize_analyzers(logger : NoirLogger)
     {"dart_angel3", Dart::Angel3},
     {"dart_get_server", Dart::GetServer},
     {"dart_frog", Dart::DartFrog},
+    {"dart_http", Dart::Http},
     {"dart_serverpod", Dart::Serverpod},
     {"dart_shelf", Dart::Shelf},
     {"elixir_bandit", Elixir::Bandit},