# route-detect

Repository: https://github.com/mschwager/route-detect (default branch `main`, last pushed 2024-04-24)
Language: Python. License: BSD-3-Clause. Topics: authentication, authorization, http-server, routes, security, static-analysis.
Source listing: https://awesome.ecosyste.ms/projects/github.com%2Fmschwager%2Froute-detect

[![CI](https://github.com/mschwager/route-detect/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/mschwager/route-detect/actions/workflows/ci.yml)
[![Python Versions](https://img.shields.io/pypi/pyversions/route-detect.svg)](https://pypi.org/project/route-detect/)
[![PyPI Version](https://img.shields.io/pypi/v/route-detect.svg)](https://pypi.org/project/route-detect/)

Find authentication (authn) and authorization (authz) security bugs in web application routes:

> [!IMPORTANT]
> The Semgrep functionality that `route-detect` depends on to display code snippets has been moved behind the Semgrep cloud app. For more information see [#10762](https://github.com/semgrep/semgrep/issues/10762). Earlier versions of Semgrep still support this behavior, so when using `route-detect`, install a version of Semgrep before `1.97.0`. This can be accomplished with the following command: `python -m pip install 'semgrep<1.97.0'`.

![Routes demo](https://raw.githubusercontent.com/mschwager/route-detect/main/routes-demo.png)

<p align="center">
    <i>Routes from <code><a href="https://github.com/koel/koel">koel</a></code> streaming server</i>
</p>

Web application HTTP route authn and authz bugs are some of the most common security issues found today. These industry-standard resources highlight the severity of the issue:

- 2021 OWASP Top 10 #1 - [Broken Access Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)
- 2021 OWASP Top 10 #7 - [Identification and Authentication Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/) (formerly Broken Authentication)
- 2023 OWASP API Top 10 #1 - [Broken Object Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa1-broken-object-level-authorization/)
- 2023 OWASP API Top 10 #2 - [Broken Authentication](https://owasp.org/API-Security/editions/2023/en/0xa2-broken-authentication/)
- 2023 OWASP API Top 10 #5 - [Broken Function Level Authorization](https://owasp.org/API-Security/editions/2023/en/0xa5-broken-function-level-authorization/)
- 2023 CWE Top 25 #11 - [CWE-862: Missing Authorization](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html)
- 2023 CWE Top 25 #13 - [CWE-287: Improper Authentication](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html)
- 2023 CWE Top 25 #20 - [CWE-306: Missing Authentication for Critical Function](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html)
- 2023 CWE Top 25 #24 - [CWE-863: Incorrect Authorization](https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html)

Supported web frameworks (`route-detect` IDs in parentheses):

- Python: Django (`django`, `django-rest-framework`), Flask (`flask`), Sanic (`sanic`), FastAPI (`fastapi`)
- PHP: Laravel (`laravel`), Symfony (`symfony`), CakePHP (`cakephp`)
- Ruby: Rails\* (`rails`), Grape (`grape`)
- Java: JAX-RS (`jax-rs`), Spring (`spring`)
- Go: Gorilla (`gorilla`), Gin (`gin`), Chi (`chi`)
- JavaScript/TypeScript: Express (`express`), React (`react`), Angular (`angular`)

\*_Rails support is limited. Please see [this issue](https://github.com/mschwager/route-detect/issues/8) for more information._

# Installing

Use `pip` to install `route-detect`:

```
$ python -m pip install --upgrade route-detect
```

You can check that `route-detect` is installed correctly with the following command:

```
$ echo 'print(1 == 1)' | semgrep --config $(routes which test-route-detect) -
Scanning 1 file.

Findings:

  /tmp/stdin
     routes.rules.test-route-detect
        Found '1 == 1', your route-detect installation is working correctly

          1┆ print(1 == 1)


Ran 1 rule on 1 file: 1 finding.
```

# Using

`route-detect` provides the `routes` CLI command and uses [`semgrep`](https://github.com/returntocorp/semgrep) to search for routes.

Use the `which` subcommand to point `semgrep` at the correct web application rules; `routes which <id>` prints the path of the bundled rules file for that framework ID, which is why it can be substituted into `--config`:

```
$ semgrep --config $(routes which django) path/to/django/code
```

Use the `viz` subcommand to visualize route information in your browser:

```
$ semgrep --json --config $(routes which django) --output routes.json path/to/django/code
$ routes viz --browser routes.json
```

If you're not sure which framework to look for, you can use the special `all` ID to check everything:

```
$ semgrep --json --config $(routes which all) --output routes.json path/to/code
```

If you have custom authn or authz logic (for example, a decorator or middleware of your own that the bundled rules do not know about), you can copy `route-detect`'s rules:

```
$ cp $(routes which django) my-django.yml
```

Then you can modify the rule as necessary and run it like above:

```
$ semgrep --json --config my-django.yml --output routes.json path/to/django/code
$ routes viz --browser routes.json
```

# Contributing

`route-detect` uses [`poetry`](https://python-poetry.org/) for dependency and configuration management.

Before proceeding, install project dependencies with the following command:

```
$ poetry install --with dev
```

## Linting

Lint all project files with the following command:

```
$ poetry run pre-commit run --all-files
```

## Testing

Run Python tests with the following command:

```
$ poetry run pytest --cov
```

Run Semgrep rule tests with the following command:

```
$ poetry run semgrep --test --config routes/rules/ tests/test_rules/
```
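The rules `route-detect` ships look for route handlers that lack an authn/authz guard. To make concrete what such a static check has to reason about, here is an added example; it is my code, not `route-detect`'s, which is implemented as Semgrep rules rather than with Python's `ast`. It scans a constructed Flask-style module, reports handlers with no recognised guard decorator, and also catches a guard written above `@app.route`, which Flask silently ignores because decorators apply bottom-up and `@app.route` registers the function it receives. The decorator names in `AUTH_DECORATORS` and the method names in `ROUTE_METHODS` are assumptions for the example, and the sample application is constructed.

```python
import ast
from dataclasses import dataclass

# Decorator names treated as authn/authz guards. This set is an assumption for
# the example; extend it with the application's own decorators.
AUTH_DECORATORS = {"login_required", "jwt_required", "permission_required", "roles_required"}

# Method names that register a view on a Flask app or blueprint, e.g.
# @app.route(...) or @bp.get(...). Also an assumption scoped to Flask-style apps.
ROUTE_METHODS = {"route", "get", "post", "put", "patch", "delete"}


@dataclass(frozen=True)
class Finding:
    function: str
    line: int
    kind: str  # "missing-auth" or "misordered-auth"


def _decorator_name(node: ast.expr) -> str:
    """Bare name of a decorator: 'login_required' for @login_required,
    @login_required(...), or @flask_login.login_required."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _is_route_decorator(node: ast.expr) -> bool:
    """True for @<obj>.route(...), @<obj>.get(...), and friends."""
    return (
        isinstance(node, ast.Call)
        and isinstance(node.func, ast.Attribute)
        and node.func.attr in ROUTE_METHODS
    )


def find_unprotected_routes(source: str) -> list[Finding]:
    """Report route handlers that have no *effective* authn/authz decorator.

    Decorators apply bottom-up, and @app.route registers whatever function it
    receives. A guard is therefore only effective when it sits below every
    route decorator; a guard written above @app.route wraps the returned
    function, but Flask has already registered the unwrapped view.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        decos = node.decorator_list  # in source order, top to bottom
        route_idx = [i for i, d in enumerate(decos) if _is_route_decorator(d)]
        if not route_idx:
            continue
        auth_idx = [i for i, d in enumerate(decos) if _decorator_name(d) in AUTH_DECORATORS]
        if not auth_idx:
            findings.append(Finding(node.name, node.lineno, "missing-auth"))
        elif max(auth_idx) < max(route_idx):
            # No guard below the last route decorator: the registered view is bare.
            findings.append(Finding(node.name, node.lineno, "misordered-auth"))
    return findings


# Constructed sample application; these routes are not from any real project.
SAMPLE_APP = '''\
from flask import Flask
from flask_login import login_required

app = Flask(__name__)

@app.route("/health")
def health():
    return "ok"

@app.route("/admin/users")
@login_required
def list_users():
    return "users"

@login_required
@app.route("/admin/users/<int:uid>", methods=["DELETE"])
def delete_user(uid):
    return "deleted"

@app.route("/export", methods=["POST"])
@app.route("/export.csv")
@login_required
def export():
    return "csv"
'''

if __name__ == "__main__":
    for f in find_unprotected_routes(SAMPLE_APP):
        print(f"{f.kind}: {f.function} (line {f.line})")
```

An unauthenticated route is not automatically a bug: `/health` in the sample is public on purpose, while the `DELETE` handler only looks protected. Like `route-detect`'s output, the result is an inventory to review, and a project-specific guard such as a hypothetical `@require_api_key` has to be added to the guard set here, or to a copied rule file in `route-detect`, before it is recognised.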
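The `semgrep --json ... --output routes.json` step above writes Semgrep's standard JSON, and `routes viz` is one consumer of it. The same file can gate a CI job. The helper below is an added example and not part of `route-detect`: it flattens Semgrep's `results[]` records (`check_id`, `path`, `start.line`, `extra.lines`), summarises them per file, and returns the findings that should fail the job because a blocking rule fired outside an allowlist. The sample output is constructed, and its check IDs and paths are hypothetical; in practice, pass the rule IDs from the bundled or copied rule file you ran.

```python
import json
import sys
from collections import defaultdict

# Constructed Semgrep --json output. The shape is Semgrep's; the check IDs and
# paths are made up for this example and are not route-detect's actual rule IDs.
SAMPLE_ROUTES_JSON = json.dumps({
    "results": [
        {"check_id": "routes.rules.flask.unauthenticated-route",
         "path": "app/admin.py", "start": {"line": 40}, "end": {"line": 43},
         "extra": {"message": "Unauthenticated route", "severity": "INFO",
                   "lines": '@app.route("/admin/users")\ndef list_users():'}},
        {"check_id": "routes.rules.flask.unauthenticated-route",
         "path": "app/ops.py", "start": {"line": 8}, "end": {"line": 10},
         "extra": {"message": "Unauthenticated route", "severity": "INFO",
                   "lines": '@app.route("/health")\ndef health():'}},
        {"check_id": "routes.rules.flask.authenticated-route",
         "path": "app/admin.py", "start": {"line": 55}, "end": {"line": 59},
         "extra": {"message": "Authenticated route", "severity": "INFO",
                   "lines": '@app.route("/admin/audit")\n@login_required\ndef audit():'}},
    ],
    "errors": [],
})


def load_findings(text: str) -> list[dict]:
    """Flatten Semgrep JSON into one small record per finding."""
    data = json.loads(text)
    return [
        {
            "check_id": r["check_id"],
            "path": r["path"],
            "line": r["start"]["line"],
            "snippet": r.get("extra", {}).get("lines", "").strip(),
        }
        for r in data.get("results", [])
    ]


def inventory(findings: list[dict]) -> dict[str, dict[str, int]]:
    """Per-file count of findings by check ID: a quick route inventory."""
    counts: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f["path"]][f["check_id"]] += 1
    return {path: dict(by_rule) for path, by_rule in counts.items()}


def gate(findings: list[dict], blocking_ids, allowlist=frozenset()) -> list[dict]:
    """Findings that should fail CI: a blocking rule fired and the match is not
    allowlisted. The allowlist keys on (path, matched snippet) rather than on
    line numbers so that unrelated edits above a route do not invalidate it."""
    return [
        f for f in findings
        if f["check_id"] in blocking_ids and (f["path"], f["snippet"]) not in allowlist
    ]


if __name__ == "__main__":
    # Usage: python triage.py routes.json ; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROUTES_JSON
    found = load_findings(text)
    for path, by_rule in sorted(inventory(found).items()):
        print(path, by_rule)
    blocking = gate(
        found,
        {"routes.rules.flask.unauthenticated-route"},
        allowlist={("app/ops.py", '@app.route("/health")\ndef health():')},
    )
    for f in blocking:
        print(f"BLOCK {f['path']}:{f['line']} {f['check_id']}")
    sys.exit(1 if blocking else 0)
```

Keeping the allowlist in the repository next to the rule file gives reviewers a record of which public routes were deliberately accepted, which is the decision `route-detect` surfaces but cannot make for you.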