mschwager / route-detect

Find authentication (authn) and authorization (authz) security bugs in web application routes.
BSD 3-Clause "New" or "Revised" License

Add support for Java Play Framework #2

Open mschwager opened 1 year ago

mschwager commented 1 year ago

https://www.playframework.com/

Gby56 commented 1 year ago

FYI, for Scala I took a look (my company uses it a bit). The huge problem is going to be the route declaration: https://www.playframework.com/documentation/2.8.x/ScalaRouting. It's a separate .routes file that links HTTP VERB + PATH + Function in a class. So you need to figure out where that function is, probably in another file, and maybe you'll have the security annotations there.

mschwager commented 1 year ago

> FYI, for Scala I took a look (my company uses it a bit). The huge problem is going to be the route declaration: https://www.playframework.com/documentation/2.8.x/ScalaRouting

Hmm, interesting. Thanks for the documentation link. Is this at least valid Scala syntax?

> It's a separate .routes file that links HTTP VERB + PATH + Function in a class. So you need to figure out where that function is, probably in another file, and maybe you'll have the security annotations there.

I've encountered this type of routing in a few frameworks before. Both Rails and Django are like this. It definitely makes accurate authn + authz detection difficult. First, I'd start with creating a new Semgrep rule to detect only routes. Then, we can worry about authn + authz detection. One option I've tried for interprocedural authn + authz detection is having separate Semgrep rules for route detection and authn + authz detection, then using some special logic in route-detect to combine the two. It's not a very clean solution, but it can produce some results.
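The two-pass idea discussed in this thread, sketched as an added example (not route-detect's code and not from any commenter): parse a Play `routes` file into verb, path and action, then join against a separately produced set of actions that carry an auth check. The sample routes, the `AUTHED_ACTIONS` set and all function names are constructed assumptions.

```python
import re

# Constructed sample of a Play conf/routes file (not from a real project).
ROUTES = """\
# Public pages
GET     /                     controllers.HomeController.index()
GET     /clients/:id          controllers.Clients.show(id: Long)
+ nocsrf
POST    /clients              controllers.Clients.create()
DELETE  /admin/users/:id      controllers.admin.Users.delete(id: Long)
->      /api                  api.Routes
"""

# Constructed stand-in for the output of a separate authn/authz rule:
# fully qualified controller actions found to carry an auth check.
AUTHED_ACTIONS = {"controllers.Clients.create", "controllers.admin.Users.delete"}

# VERB, PATH, then a dotted action name with an optional argument list.
ROUTE_RE = re.compile(
    r"^(?P<verb>[A-Z]+)\s+(?P<path>/\S*)\s+(?P<action>[\w.]+)\s*(?:\(.*\))?\s*$"
)

def parse_routes(text):
    """Return (verb, path, action) for each route line; skip the rest."""
    routes = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments, "+ modifier" lines and "->" router includes.
        # Included routers live in other files and need their own pass.
        if not line or line.startswith(("#", "+", "->")):
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m["verb"], m["path"], m["action"]))
    return routes

def unauthenticated(routes, authed_actions):
    """Routes whose target action has no matching auth finding."""
    return [r for r in routes if r[2] not in authed_actions]

if __name__ == "__main__":
    for verb, path, action in unauthenticated(parse_routes(ROUTES), AUTHED_ACTIONS):
        print(f"no auth finding: {verb} {path} -> {action}")
```

A route listed here is only a candidate for review: the join is by action name, so auth applied elsewhere (for example in a filter or a parent class) would not appear in the second set.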