owasp-noir
diff --git a/‎spec/unit_test/miniparser/http4k_extractor_ts_spec.cr‎
Lines changed: 74 additions & 0 deletions b/‎spec/unit_test/miniparser/http4k_extractor_ts_spec.cr‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎spec/unit_test/miniparser/kotlin_ktor_route_extractor_ts_spec.cr‎
Lines changed: 80 additions & 0 deletions b/‎spec/unit_test/miniparser/kotlin_ktor_route_extractor_ts_spec.cr‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎src/analyzer/analyzers/kotlin/http4k.cr‎
Lines changed: 18 additions & 1 deletion b/‎src/analyzer/analyzers/kotlin/http4k.cr‎
Lines changed: 18 additions & 1 deletion
diff --git a/‎src/analyzer/analyzers/kotlin/ktor.cr‎
Lines changed: 24 additions & 1 deletion b/‎src/analyzer/analyzers/kotlin/ktor.cr‎
Lines changed: 24 additions & 1 deletion
@@ -0,0 +1,74 @@
+require "spec"
+require "../../../src/miniparsers/http4k_extractor_ts"
+
+describe Noir::TreeSitterHttp4kExtractor do
+  it "resolves constant and templated route paths" do
+    source = <<-KT
+      package com.example
+
+      import org.http4k.core.Method.GET
+      import org.http4k.core.Response
+      import org.http4k.core.Status.Companion.OK
+      import org.http4k.routing.bind
+      import org.http4k.routing.routes
+
+      object Paths {
+          const val API = "/api"
+      }
+
+      const val USERS = "/users"
+
+      val app = routes(
+          Paths.API bind routes(
+              (USERS + "/{id}") bind GET to { req -> Response(OK) },
+              "/tenants/$tenantId/items" bind GET to { req -> Response(OK) }
+          )
+      )
+      KT
+
+    constants = Noir::TreeSitterHttp4kExtractor.extract_string_constants(source)
+    routes = Noir::TreeSitterHttp4kExtractor.extract_routes(source, constants)
+    routes.map { |r| {r.verb, r.path} }.should eq([
+      {"GET", "/api/users/{id}"},
+      {"GET", "/api/tenants/{tenantId}/items"},
+    ])
+  end
+
+  it "does not resolve route paths from project-wide bare constants" do
+    source = <<-KT
+      import org.http4k.core.Method.GET
+      import org.http4k.core.Response
+      import org.http4k.core.Status.Companion.OK
+      import org.http4k.routing.bind
+      import org.http4k.routing.routes
+
+      val app = routes(
+          USERS bind GET to { req -> Response(OK) }
+      )
+      KT
+
+    routes = Noir::TreeSitterHttp4kExtractor.extract_routes(source, {
+      "USERS" => "/wrong",
+    })
+    routes.should be_empty
+  end
+
+  it "does not drop qualifiers when resolving route constants" do
+    source = <<-KT
+      import org.http4k.core.Method.GET
+      import org.http4k.core.Response
+      import org.http4k.core.Status.Companion.OK
+      import org.http4k.routing.bind
+      import org.http4k.routing.routes
+
+      val app = routes(
+          Other.API bind GET to { req -> Response(OK) }
+      )
+      KT
+
+    routes = Noir::TreeSitterHttp4kExtractor.extract_routes(source, {
+      "API" => "/wrong",
+    })
+    routes.should be_empty
+  end
+end
@@ -87,6 +87,62 @@ describe Noir::TreeSitterKotlinKtorRouteExtractor do
     ])
   end
 
+  it "resolves constant and templated route paths" do
+    source = <<-KT
+      package com.example
+
+      object Paths {
+          const val API = "/api"
+      }
+
+      const val USERS = "/users"
+
+      routing {
+          route(Paths.API + "/v1") {
+              get(USERS) { }
+              get("/tenants/$tenantId/items") { }
+          }
+      }
+      KT
+
+    constants = Noir::TreeSitterKotlinKtorRouteExtractor.extract_string_constants(source)
+    routes = Noir::TreeSitterKotlinKtorRouteExtractor.extract_routes(source, constants)
+    routes.map { |r| {r.verb, r.path} }.should eq([
+      {"GET", "/api/v1/users"},
+      {"GET", "/api/v1/tenants/{tenantId}/items"},
+    ])
+  end
+
+  it "does not resolve route paths from project-wide bare constants" do
+    source = <<-KT
+      routing {
+          get(USERS) { }
+          route(API) {
+              get("/nested") { }
+          }
+      }
+      KT
+
+    routes = Noir::TreeSitterKotlinKtorRouteExtractor.extract_routes(source, {
+      "USERS" => "/wrong-users",
+      "API"   => "/wrong-api",
+    })
+    routes.should be_empty
+  end
+
+  it "does not drop qualifiers when resolving route constants" do
+    source = <<-KT
+      routing {
+          get(Other.API) { }
+      }
+      KT
+
+    routes = Noir::TreeSitterKotlinKtorRouteExtractor.extract_routes(source, {
+      "API" => "/wrong",
+    })
+    routes.should be_empty
+  end
+
   it "treats install(RoutingRoot) as a routing entry point" do
     source = <<-KT
       fun Application.module() {
@@ -183,6 +239,30 @@ describe Noir::TreeSitterKotlinKtorRouteExtractor do
       route.header_params.should eq(["X-API-Key", "Authorization"])
     end
 
+    it "captures common query, header, body, and form access variants" do
+      source = <<-KT
+        routing {
+            post("/profile") {
+                val query = call.request.queryParameters["preview"]
+                val page = call.request.queryParameters.get("page")
+                val id = call.parameters.get("id")
+                val apiKey = call.request.headers.get("X-API-Key")
+                val auth = call.request.header("Authorization")
+                val form = call.receiveParameters()
+                val email = form["email"]
+                val phone = form.get("phone")
+                val body = call.receiveText()
+            }
+        }
+        KT
+
+      route = Noir::TreeSitterKotlinKtorRouteExtractor.extract_routes(source).first
+      route.has_body?.should be_true
+      route.query_params.should eq(["preview", "page", "id"])
+      route.header_params.should eq(["X-API-Key", "Authorization"])
+      route.form_params.should eq(["email", "phone"])
+    end
+
     it "ignores params on sibling routes" do
       source = <<-KT
         routing {
 
@@ -10,6 +10,19 @@ module Analyzer::Kotlin
     def analyze
       include_callee = any_to_bool(@options["include_callee"]?) || any_to_bool(@options["ai_context"]?)
       file_list = all_files()
+      string_constants = Hash(String, String).new
+      file_list.each do |path|
+        next unless File.exists?(path)
+        next unless path.ends_with?(".#{KOTLIN_EXTENSION}")
+        next if KotlinEngine.test_path?(path)
+
+        Noir::TreeSitterHttp4kExtractor.extract_string_constants(read_file_content(path)).each do |name, value|
+          next unless fully_qualified_constant?(name)
+
+          string_constants[name] ||= value
+        end
+      end
+
       file_list.each do |path|
         next unless File.exists?(path)
         next unless path.ends_with?(".#{KOTLIN_EXTENSION}")
@@ -18,7 +31,7 @@ module Analyzer::Kotlin
         content = read_file_content(path)
         next unless content.includes?(HTTP4K_MARKER)
 
-        Noir::TreeSitterHttp4kExtractor.extract_routes(content, include_callees: include_callee).each do |route|
+        Noir::TreeSitterHttp4kExtractor.extract_routes(content, string_constants, include_callees: include_callee).each do |route|
           @result << build_endpoint(route, path)
         end
       end
@@ -27,6 +40,10 @@ module Analyzer::Kotlin
       @result
     end
 
+    private def fully_qualified_constant?(name : String) : Bool
+      name.count('.') >= 2
+    end
+
     private def build_endpoint(route : Noir::TreeSitterHttp4kExtractor::Route, path : String) : Endpoint
       params = [] of Param
       route.query_params.each { |name| params << Param.new(name, "", "query") }
 
@@ -9,6 +9,19 @@ module Analyzer::Kotlin
     def analyze
       include_callee = any_to_bool(@options["include_callee"]?) || any_to_bool(@options["ai_context"]?)
       file_list = all_files()
+      string_constants = Hash(String, String).new
+      file_list.each do |path|
+        next unless File.exists?(path)
+        next unless path.ends_with?(".#{KOTLIN_EXTENSION}")
+        next if KotlinEngine.test_path?(path)
+
+        Noir::TreeSitterKotlinKtorRouteExtractor.extract_string_constants(read_file_content(path)).each do |name, value|
+          next unless fully_qualified_constant?(name)
+
+          string_constants[name] ||= value
+        end
+      end
+
       file_list.each do |path|
         next unless File.exists?(path)
         next unless path.ends_with?(".#{KOTLIN_EXTENSION}")
@@ -17,7 +30,7 @@ module Analyzer::Kotlin
         content = read_file_content(path)
         next unless potential_ktor_route_file?(content)
 
-        Noir::TreeSitterKotlinKtorRouteExtractor.extract_routes(content, include_callees: include_callee).each do |route|
+        Noir::TreeSitterKotlinKtorRouteExtractor.extract_routes(content, string_constants, include_callees: include_callee).each do |route|
           @result << build_endpoint(route, path)
         end
       end
@@ -32,6 +45,10 @@ module Analyzer::Kotlin
         content.includes?("Route.")
     end
 
+    private def fully_qualified_constant?(name : String) : Bool
+      name.count('.') >= 2
+    end
+
     private def build_endpoint(route : Noir::TreeSitterKotlinKtorRouteExtractor::Route, path : String) : Endpoint
       details = Details.new(PathInfo.new(path, route.line + 1))
       params = [] of Param
@@ -48,6 +65,8 @@ module Analyzer::Kotlin
 
       if rt = route.receive_type
         params << Param.new("body", rt, "json")
+      elsif route.has_body?
+        params << Param.new("body", "", "json")
       end
 
       route.query_params.each do |name|
@@ -59,6 +78,10 @@ module Analyzer::Kotlin
         params << Param.new(name, "", "header")
       end
 
+      route.form_params.each do |name|
+        params << Param.new(name, "", "form")
+      end
+
       endpoint = Endpoint.new(route.path, route.verb, params, details)
 
       # 1-hop callees out of the handler lambda body. The Route