Implement: Phase 8.3 Smart PoC - Enhanced ApiRoute with Metadata & Generated HTTP Payloads

Author: wuerror

src/main/java/com/jbytescanner/engine/RouteExtractor.java

@@ -3,12 +3,16 @@
 import com.jbytescanner.model.ApiRoute;
 import soot.*;
 import soot.tagkit.AnnotationTag;
+import soot.tagkit.VisibilityAnnotationTag;
+import soot.tagkit.VisibilityParameterAnnotationTag;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Map;
+import java.util.HashMap;
 
 public class RouteExtractor {
     private static final Logger logger = LoggerFactory.getLogger(RouteExtractor.class);
@@ -21,6 +25,11 @@ public class RouteExtractor {
     private static final String ANN_POST_MAPPING = "org.springframework.web.bind.annotation.PostMapping";
     private static final String ANN_PUT_MAPPING = "org.springframework.web.bind.annotation.PutMapping";
     private static final String ANN_DELETE_MAPPING = "org.springframework.web.bind.annotation.DeleteMapping";
+    
+    // Param Annotations
+    private static final String ANN_REQUEST_BODY = "org.springframework.web.bind.annotation.RequestBody";
+    private static final String ANN_REQUEST_PARAM = "org.springframework.web.bind.annotation.RequestParam";
+    private static final String ANN_PATH_VARIABLE = "org.springframework.web.bind.annotation.PathVariable";
 
     // Servlet
     private static final String CLASS_HTTP_SERVLET = "javax.servlet.http.HttpServlet";
@@ -135,8 +144,15 @@ private List<ApiRoute> extractSpringRoutes(SootClass sc) {
                 methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "value"));
                 methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "path"));
                 // Attempt to extract method from RequestMethod enum is complex in bytecode, 
-                // often defaults to ALL if not easily statically resolved
-                httpMethod = "ALL"; 
+                // often defaults to ALL if not easily statically resolved.
+                // For PoC, we default to GET if unknown, or try to parse 'method' attribute.
+                List<String> methods = AnnotationHelper.getAnnotationValues(tag, "method");
+                if (!methods.isEmpty()) {
+                     httpMethod = methods.get(0).replace("RequestMethod.", "");
+                } else {
+                     httpMethod = "ALL"; 
+                }
+                
             } else if (AnnotationHelper.hasAnnotation(sm, ANN_GET_MAPPING)) {
                 AnnotationTag tag = AnnotationHelper.getAnnotation(sm, ANN_GET_MAPPING);
                 methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "value"));
@@ -147,16 +163,33 @@ private List<ApiRoute> extractSpringRoutes(SootClass sc) {
                 methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "value"));
                 methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "path"));
                 httpMethod = "POST";
+            } else if (AnnotationHelper.hasAnnotation(sm, ANN_PUT_MAPPING)) {
+                AnnotationTag tag = AnnotationHelper.getAnnotation(sm, ANN_PUT_MAPPING);
+                methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "value"));
+                methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "path"));
+                httpMethod = "PUT";
+            } else if (AnnotationHelper.hasAnnotation(sm, ANN_DELETE_MAPPING)) {
+                AnnotationTag tag = AnnotationHelper.getAnnotation(sm, ANN_DELETE_MAPPING);
+                methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "value"));
+                methodPaths.addAll(AnnotationHelper.getAnnotationValues(tag, "path"));
+                httpMethod = "DELETE";
             }
-            // Add PUT, DELETE similarly...
 
             if (httpMethod != null) {
                 if (methodPaths.isEmpty()) methodPaths.add("");
 
+                // Extract Parameters Info
+                RouteMetadata metadata = extractRouteMetadata(sm);
+                
                 for (String cp : classPaths) {
                     for (String mp : methodPaths) {
                         String fullPath = combinePaths(cp, mp);
-                        routes.add(new ApiRoute(httpMethod, fullPath, sc.getName(), sm.getSubSignature()));
+                        
+                        ApiRoute route = new ApiRoute(
+                            httpMethod, fullPath, sc.getName(), sm.getSubSignature(),
+                            metadata.parameters, metadata.paramAnnotations, metadata.contentType
+                        );
+                        routes.add(route);
                     }
                 }
             }
@@ -168,6 +201,71 @@ private String combinePaths(String p1, String p2) {
         if (!p1.startsWith("/")) p1 = "/" + p1;
         if (!p2.startsWith("/") && !p2.isEmpty()) p2 = "/" + p2;
         if (p1.endsWith("/") && p2.startsWith("/")) return p1 + p2.substring(1);
+        if (p1.equals("/") && p2.startsWith("/")) return p2; // Avoid //api
         return p1 + p2;
     }
+    
+    // --- Phase 8.3 Metadata Extraction ---
+    
+    private static class RouteMetadata {
+        List<String> parameters = new ArrayList<>();
+        Map<String, String> paramAnnotations = new HashMap<>();
+        String contentType = "application/x-www-form-urlencoded"; // Default
+    }
+
+    private RouteMetadata extractRouteMetadata(SootMethod sm) {
+        RouteMetadata meta = new RouteMetadata();
+        
+        // 1. Basic Parameter Info (Name:Type)
+        // Try to get names from ActiveBody (LocalVariableTable) if available
+        List<String> paramNames = new ArrayList<>();
+        try {
+            if (sm.hasActiveBody()) {
+                // Not reliable for interfaces/abstract, but Controllers usually have bodies
+                // However, without debug info (-g:vars), names are arg0, arg1...
+                // Spring uses -parameters flag usually.
+                // We rely on simple counting for now: arg0...
+            }
+        } catch (Exception e) {}
+        
+        // 2. Annotation Analysis (VisibilityParameterAnnotationTag)
+        // Format: Tag -> Annotations[] -> Annotation
+        VisibilityParameterAnnotationTag tag = (VisibilityParameterAnnotationTag) sm.getTag("VisibilityParameterAnnotationTag");
+        
+        int paramCount = sm.getParameterCount();
+        for (int i = 0; i < paramCount; i++) {
+            String name = "arg" + i; 
+            Type type = sm.getParameterType(i);
+            meta.parameters.add(name + ":" + type.toString());
+            
+            // Check for Multipart
+            if (type.toString().contains("MultipartFile")) {
+                meta.contentType = "multipart/form-data";
+            }
+
+            if (tag != null && tag.getVisibilityAnnotations() != null && i < tag.getVisibilityAnnotations().size()) {
+                VisibilityAnnotationTag paramTags = tag.getVisibilityAnnotations().get(i);
+                if (paramTags != null && paramTags.getAnnotations() != null) {
+                    for (AnnotationTag at : paramTags.getAnnotations()) {
+                        String typeName = at.getType().replace("/", ".").replace(";", "");
+                        if (typeName.startsWith("L")) typeName = typeName.substring(1); // Remove L prefix
+
+                        if (typeName.equals(ANN_REQUEST_BODY)) {
+                            meta.paramAnnotations.put(name, "RequestBody");
+                            meta.contentType = "application/json";
+                        } else if (typeName.equals(ANN_REQUEST_PARAM)) {
+                            meta.paramAnnotations.put(name, "RequestParam");
+                            // If we have @RequestParam("alias"), we should extract it.
+                            // But parsing annotation values here is complex (requires searching elems).
+                            // For MVP, we stick to argX or rely on parameter name preservation.
+                        } else if (typeName.equals(ANN_PATH_VARIABLE)) {
+                            meta.paramAnnotations.put(name, "PathVariable");
+                        }
+                    }
+                }
+            }
+        }
+        
+        return meta;
+    }
 }

src/main/java/com/jbytescanner/engine/TaintEngine.java

@@ -127,6 +127,11 @@ public void run() {
         if (!vulnerabilities.isEmpty()) {
             SarifReporter reporter = new SarifReporter(workspaceDir);
             reporter.generate(vulnerabilities);
+            
+            // Phase 8.3: Generate Smart PoCs
+            logger.info("Generating Smart PoC payloads...");
+            com.jbytescanner.report.PoCReporter pocReporter = new com.jbytescanner.report.PoCReporter(workspaceDir);
+            pocReporter.generate(vulnerabilities, routes);
         } else {
             logger.info("No vulnerabilities found. Skipping report generation.");
         }
@@ -180,9 +185,47 @@ private List<ApiRoute> loadEntryPoints() {
             List<String> lines = Files.readAllLines(apiFile.toPath());
             for (String line : lines) {
                 if (line.startsWith("#") || line.trim().isEmpty()) continue;
-                String[] parts = line.split(" ", 4);
+                
+                String metaJson = null;
+                String baseLine = line;
+                
+                // Check for metadata separator
+                if (line.contains(" | {")) {
+                    int splitIdx = line.indexOf(" | {");
+                    baseLine = line.substring(0, splitIdx);
+                    metaJson = line.substring(splitIdx + 3); // "{...}"
+                }
+                
+                String[] parts = baseLine.split(" ", 4);
                 if (parts.length >= 4) {
-                    routes.add(new ApiRoute(parts[0], parts[1], parts[2], parts[3]));
+                    ApiRoute route = new ApiRoute(parts[0], parts[1], parts[2], parts[3]);
+                    
+                    if (metaJson != null) {
+                        try {
+                            com.google.gson.JsonObject json = com.google.gson.JsonParser.parseString(metaJson).getAsJsonObject();
+                            
+                            if (json.has("contentType")) {
+                                route.setContentType(json.get("contentType").getAsString());
+                            }
+                            
+                            if (json.has("params")) {
+                                List<String> params = new ArrayList<>();
+                                com.google.gson.JsonArray arr = json.getAsJsonArray("params");
+                                arr.forEach(e -> params.add(e.getAsString()));
+                                route.setParameters(params);
+                            }
+                            
+                            if (json.has("annotations")) {
+                                java.util.Map<String, String> anns = new java.util.HashMap<>();
+                                com.google.gson.JsonObject obj = json.getAsJsonObject("annotations");
+                                obj.entrySet().forEach(e -> anns.put(e.getKey(), e.getValue().getAsString()));
+                                route.setParamAnnotations(anns);
+                            }
+                        } catch (Exception e) {
+                            logger.warn("Failed to parse metadata for route: {}", parts[1]);
+                        }
+                    }
+                    routes.add(route);
                 }
             }
         } catch (IOException e) {

src/main/java/com/jbytescanner/model/ApiRoute.java

@@ -3,6 +3,8 @@
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
+import java.util.List;
+import java.util.Map;
 
 @Data
 @AllArgsConstructor
@@ -12,13 +14,66 @@ public class ApiRoute {
     private String path;       // /api/v1/user
     private String className;  // com.example.UserController
     private String methodSig;  // java.lang.String getUser(java.lang.String)
+    
+    // Phase 8.3: Metadata for PoC Generation
+    private List<String> parameters; // Format: "name:type"
+    private Map<String, String> paramAnnotations; // Format: "paramName" -> "AnnotationType" (e.g., "user" -> "RequestBody")
+    private String contentType; // e.g., "application/json", "application/x-www-form-urlencoded"
+
+    // Legacy Constructor for compatibility
+    public ApiRoute(String httpMethod, String path, String className, String methodSig) {
+        this.httpMethod = httpMethod;
+        this.path = path;
+        this.className = className;
+        this.methodSig = methodSig;
+    }
 
     @Override
     public String toString() {
-        return String.format("%s %s %s %s", 
+        String base = String.format("%s %s %s %s", 
                 httpMethod != null ? httpMethod : "ALL", 
                 path, 
                 className, 
                 methodSig);
+        
+        // Phase 8.3: Append Metadata in JSON format for persistence
+        if (contentType != null || (parameters != null && !parameters.isEmpty())) {
+            StringBuilder json = new StringBuilder();
+            json.append(" | {");
+            boolean hasPrev = false;
+            
+            if (contentType != null) {
+                json.append("\"contentType\":\"").append(contentType).append("\"");
+                hasPrev = true;
+            }
+            
+            if (parameters != null && !parameters.isEmpty()) {
+                if (hasPrev) json.append(", ");
+                json.append("\"params\":[");
+                for (int i = 0; i < parameters.size(); i++) {
+                    if (i > 0) json.append(",");
+                    json.append("\"").append(parameters.get(i)).append("\"");
+                }
+                json.append("]");
+                hasPrev = true;
+            }
+            
+            if (paramAnnotations != null && !paramAnnotations.isEmpty()) {
+                if (hasPrev) json.append(", ");
+                json.append("\"annotations\":{");
+                int i = 0;
+                for (Map.Entry<String, String> e : paramAnnotations.entrySet()) {
+                    if (i > 0) json.append(",");
+                    json.append("\"").append(e.getKey()).append("\":\"").append(e.getValue()).append("\"");
+                    i++;
+                }
+                json.append("}");
+            }
+            
+            json.append("}");
+            return base + json.toString();
+        }
+        
+        return base;
     }
 }