doyensec / inql

InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
https://doyensec.com/
Apache License 2.0
1.53k stars 158 forks

Refactor the schema parser into a standalone library #80

Closed execveat closed 1 year ago

thypon commented 1 year ago

What's the use for refactoring out the standalone library? The UI side is not big enough to grant a standalone project wrt the library.

execveat commented 1 year ago

Refactoring & decoupling is needed to make the parser properly testable. Might as well publish it as a separate library at that point.

We're going to drop support for the standalone mode in the next release, so the standalone Python library will also be an alternative for those using InQL as a standalone CLI tool. Finally, using a library for parsing will make it easier to find (or write) a Kotlin replacement for it.

The initial work for this has already been done, by the way, in the https://github.com/doyensec/inql/tree/dev branch.

thypon commented 1 year ago

Refactoring & decoupling is needed to make parser properly testable

I don't get it. If the code is decoupled in a module, it should be testable, whether there is a library (another repository) or not. As of now, you can install inql and import the parser modules separately.

We're going to drop support for the standalone mode in the next release

Standalone mode is used for real by people not having BURP and makes the tool usable by people not in computer security. https://github.com/doyensec/inql/issues?q=is%3Aissue+standalone+is%3Aclosed

It should be possible to distribute a fat-jar that includes both Jython/Kotlin and be standalone.

Nit: it's possible BURP will not operate well with multiple extensions having Jython loaded multiple times, because of library/import name clashes.

execveat commented 1 year ago

Right now the parsing code is located in utils.py and generators/, where it's intermingled with other functions. For the purposes of e2e testing, inql.generators.query.recurse_fields is the best function we could use, but its results still need additional parsing & formatting and inputs require complicated setup.

Compare that with the new library (from https://github.com/doyensec/inql/tree/dev/python/gqlpy), where I can do:

from gqlpy import GQLSchema

schema = GQLSchema('https://.../graphql') 
schema.generate_sample_queries()

This isn't the final API; we need a way to import JSON, iterate over queries & mutations, and pass parameters to generated queries. But it's clearly a much nicer way of both testing and reusing this functionality.

As for standalone mode, the long-term plan is to rewrite the extension in Kotlin. As such, there is no plan to support a standalone GUI due to maintenance overhead. I don't think there is a good use case for that either, and it's not ergonomic at all. There will be a CLI version which will be a separate project, as a tiny wrapper around the new GraphQL parsing library.

Once the library gets stabilized, I'll rewrite it in Kotlin and the existing version will be bumped to Python 3 to live as a separate project.
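
The kind of decoupled, independently testable schema parser discussed above, as an added illustration that is not InQL's, gqlpy's or GQLSpection's code. The `Schema` class and `generate_sample_queries` method are assumed names modelled on the API shape shown in the comment; the introspection document is constructed inline (a subset of what a real endpoint returns for the standard introspection query) so the whole thing runs offline. It unwraps `NON_NULL`/`LIST` wrappers, fills arguments with placeholder values, and bounds recursion on self-referential types (`friends: [User]`) with a depth limit, which is the failure mode a recursive field walker has to handle before it can be tested end to end.

```python
import json

# Constructed introspection result for a tiny schema (not from any real target).
INTROSPECTION_JSON = """
{"data": {"__schema": {
  "queryType": {"name": "Query"},
  "mutationType": {"name": "Mutation"},
  "types": [
    {"kind": "OBJECT", "name": "Query", "fields": [
      {"name": "user", "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": null,
        "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}}],
       "type": {"kind": "OBJECT", "name": "User", "ofType": null}},
      {"name": "users", "args": [],
       "type": {"kind": "LIST", "name": null, "ofType": {"kind": "OBJECT", "name": "User", "ofType": null}}}
    ]},
    {"kind": "OBJECT", "name": "Mutation", "fields": [
      {"name": "deleteUser", "args": [{"name": "id", "type": {"kind": "NON_NULL", "name": null,
        "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}}],
       "type": {"kind": "SCALAR", "name": "Boolean", "ofType": null}}
    ]},
    {"kind": "OBJECT", "name": "User", "fields": [
      {"name": "id", "args": [], "type": {"kind": "NON_NULL", "name": null,
        "ofType": {"kind": "SCALAR", "name": "ID", "ofType": null}}},
      {"name": "email", "args": [], "type": {"kind": "SCALAR", "name": "String", "ofType": null}},
      {"name": "friends", "args": [],
       "type": {"kind": "LIST", "name": null, "ofType": {"kind": "OBJECT", "name": "User", "ofType": null}}}
    ]},
    {"kind": "SCALAR", "name": "ID"}, {"kind": "SCALAR", "name": "String"}, {"kind": "SCALAR", "name": "Boolean"}
  ]}}}
"""

# Placeholder argument values per scalar; anything unknown becomes null.
SAMPLE_VALUES = {"ID": '"1"', "String": '"example"', "Int": "1", "Float": "1.0", "Boolean": "true"}


class Schema:
    """Parsed introspection document with a sample-query generator (assumed API)."""

    def __init__(self, introspection):
        schema = introspection["data"]["__schema"]
        self.types = {t["name"]: t for t in schema["types"]}
        self.query_type = schema["queryType"]["name"]
        self.mutation_type = (schema.get("mutationType") or {}).get("name")

    @classmethod
    def from_json(cls, text):
        return cls(json.loads(text))

    @staticmethod
    def unwrap(type_ref):
        # Strip NON_NULL / LIST wrappers down to the named type.
        while type_ref.get("ofType"):
            type_ref = type_ref["ofType"]
        return type_ref

    def sample_value(self, type_ref):
        # Render a placeholder literal for an argument, honouring LIST nesting.
        if type_ref["kind"] == "NON_NULL":
            return self.sample_value(type_ref["ofType"])
        if type_ref["kind"] == "LIST":
            return "[" + self.sample_value(type_ref["ofType"]) + "]"
        return SAMPLE_VALUES.get(type_ref["name"], "null")

    def _args(self, args):
        if not args:
            return ""
        return "(" + ", ".join(f'{a["name"]}: {self.sample_value(a["type"])}' for a in args) + ")"

    def _fields(self, type_name, depth):
        # Recursive field walk; object fields are dropped once depth is exhausted,
        # because GraphQL forbids an object field without a selection set.
        out = []
        for field in self.types[type_name].get("fields") or []:
            named = self.unwrap(field["type"])
            entry = field["name"] + self._args(field["args"])
            if named["kind"] == "OBJECT":
                if depth <= 1:
                    continue
                sub = self._fields(named["name"], depth - 1)
                if not sub:
                    continue
                entry += " { " + " ".join(sub) + " }"
            out.append(entry)
        return out

    def generate_sample_queries(self, depth=2):
        # Returns {"query": {field: text}, "mutation": {field: text}}.
        result = {}
        for op, root in (("query", self.query_type), ("mutation", self.mutation_type)):
            if not root:
                continue
            result[op] = {}
            for field in self.types[root]["fields"]:
                named = self.unwrap(field["type"])
                body = field["name"] + self._args(field["args"])
                if named["kind"] == "OBJECT":
                    sub = self._fields(named["name"], depth)
                    if not sub:
                        continue
                    body += " { " + " ".join(sub) + " }"
                result[op][field["name"]] = f"{op} {{ {body} }}"
        return result


if __name__ == "__main__":
    for op, queries in Schema.from_json(INTROSPECTION_JSON).generate_sample_queries().items():
        for name, text in queries.items():
            print(f"{op}.{name}: {text}")
```

Because the parser takes a plain dict and returns plain strings, a unit test is a one-liner per query, which is the testability argument in the thread; the depth parameter is also where a scanner caps how much of a cyclic schema it expands per request.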

execveat commented 1 year ago

Done: https://github.com/doyensec/GQLSpection