README
¶
InputTracer
A multi-language taint-analysis library that traces how user input enters source code and propagates through variables and function calls. It uses Tree-sitter for parsing and supports PHP, JavaScript, TypeScript, Python, Go, Java, C, C++, C#, Ruby, and Rust.
InputTracer traces input sources only — where untrusted data enters and how it flows. It does not classify vulnerabilities or match dangerous sinks; that analysis is intentionally out of scope.
Features
- Input-source detection across 11 languages (HTTP parameters, cookies, headers, request bodies, CLI args, environment variables, file and network reads, etc.)
- Framework-aware patterns (Laravel, Symfony, WordPress, Express, Django, Flask, Spring, Rails, Gin, actix-web, and more)
- Taint propagation through assignments, concatenation, function calls, and returns
- Inter-procedural analysis with a configurable depth limit
- Parallel analysis via a worker pool, with parser pooling and an LRU AST cache
- Output as JSON, a DOT/Mermaid flow graph, or a summary report
Requirements
- Go 1.23 or newer
Installation
go get github.com/hatlesswizard/inputtracer
Or clone and build:
git clone https://github.com/hatlesswizard/inputtracer.git
cd inputtracer
go build ./...
Library usage
package main
import (
"fmt"
"github.com/hatlesswizard/inputtracer/pkg/tracer"
"github.com/hatlesswizard/inputtracer/pkg/output"
)
func main() {
config := tracer.DefaultConfig()
config.MaxDepth = 5 // inter-procedural analysis depth
t := tracer.New(config)
result, err := t.TraceDirectory("./path/to/code")
if err != nil {
panic(err)
}
// Inspect results
fmt.Printf("Found %d input sources\n", len(result.Sources))
// Export as JSON
jsonOut, _ := output.NewJSONExporter(true).Export(result)
fmt.Println(jsonOut)
// Or as a DOT flow graph
dot := output.ExportDOT(result.FlowGraph)
fmt.Println(dot)
}
TraceFile is available for single-file analysis. Configuration options include the
languages to scan, worker count, skip directories, and custom input-source definitions —
see tracer.DefaultConfig().
Supported input labels
HTTP_GET, HTTP_POST, HTTP_COOKIE, HTTP_HEADER, HTTP_BODY, CLI_ARG, ENV_VAR,
FILE_READ, DATABASE, NETWORK
Building & testing
make build # build cmd/ and pkg/
make test # run package tests
make generate # regenerate framework patterns into pkg/sources/php/
go test ./... # run all tests
go test -race ./...
(make targets wrap the equivalent go commands.)
License
Licensed under the GNU General Public License v3.0.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
genpatterns
command
Package main - exclusions.go defines methods to exclude from pattern generation
|
Package main - exclusions.go defines methods to exclude from pattern generation |
|
pkg
|
|
|
ast
Package ast - node.go defines the Node interface that abstracts over the concrete *sitter.Node type from github.com/smacker/go-tree-sitter.
|
Package ast - node.go defines the Node interface that abstracts over the concrete *sitter.Node type from github.com/smacker/go-tree-sitter. |
|
output
Package output - styles.go provides centralized graph visualization styles.
|
Package output - styles.go provides centralized graph visualization styles. |
|
semantic
Package semantic provides a complete semantic input tracer that analyzes codebases to trace user input flow with full cross-file, inter-procedural analysis.
|
Package semantic provides a complete semantic input tracer that analyzes codebases to trace user input flow with full cross-file, inter-procedural analysis. |
|
semantic/analyzer
Package analyzer defines the interface for language-specific analyzers
|
Package analyzer defines the interface for language-specific analyzers |
|
semantic/analyzer/base
Package base provides shared helpers for language analyzers.
|
Package base provides shared helpers for language analyzers. |
|
semantic/analyzer/c
Package c implements the C language analyzer for semantic input tracing
|
Package c implements the C language analyzer for semantic input tracing |
|
semantic/analyzer/cpp
Package cpp implements the C++ language analyzer for semantic input tracing
|
Package cpp implements the C++ language analyzer for semantic input tracing |
|
semantic/analyzer/csharp
Package csharp implements the C# language analyzer for semantic input tracing
|
Package csharp implements the C# language analyzer for semantic input tracing |
|
semantic/analyzer/golang
Package golang implements the Go language analyzer for semantic input tracing
|
Package golang implements the Go language analyzer for semantic input tracing |
|
semantic/analyzer/java
Package java implements the Java language analyzer for semantic input tracing
|
Package java implements the Java language analyzer for semantic input tracing |
|
semantic/analyzer/javascript
Package javascript implements the JavaScript language analyzer for semantic input tracing
|
Package javascript implements the JavaScript language analyzer for semantic input tracing |
|
semantic/analyzer/php
Package php implements the PHP language analyzer for semantic input tracing
|
Package php implements the PHP language analyzer for semantic input tracing |
|
semantic/analyzer/python
Package python implements the Python language analyzer for semantic input tracing
|
Package python implements the Python language analyzer for semantic input tracing |
|
semantic/analyzer/ruby
Package ruby implements the Ruby language analyzer for semantic input tracing
|
Package ruby implements the Ruby language analyzer for semantic input tracing |
|
semantic/analyzer/rust
Package rust implements the Rust language analyzer for semantic input tracing
|
Package rust implements the Rust language analyzer for semantic input tracing |
|
semantic/analyzer/typescript
Package typescript implements the TypeScript language analyzer for semantic input tracing
|
Package typescript implements the TypeScript language analyzer for semantic input tracing |
|
semantic/batch
Package batch provides batch analysis capabilities for analyzing multiple code snippets
|
Package batch provides batch analysis capabilities for analyzing multiple code snippets |
|
semantic/callgraph
Package callgraph provides sophisticated call graph management with distance computation for input flow analysis.
|
Package callgraph provides sophisticated call graph management with distance computation for input flow analysis. |
|
semantic/classifier
Package classifier provides snippet classification using carrier maps
|
Package classifier provides snippet classification using carrier maps |
|
semantic/condition
Package condition provides key condition extraction for branch analysis.
|
Package condition provides key condition extraction for branch analysis. |
|
semantic/discovery
Package discovery - carrier map builder and serialization
|
Package discovery - carrier map builder and serialization |
|
semantic/extractor
Package extractor provides utilities to extract traceable PHP expressions from code snippets
|
Package extractor provides utilities to extract traceable PHP expressions from code snippets |
|
semantic/index
Package index provides a unified code indexer with signature-based lookup, inspired by ATLANTIS's multi-tier code retrieval approach.
|
Package index provides a unified code indexer with signature-based lookup, inspired by ATLANTIS's multi-tier code retrieval approach. |
|
semantic/pathanalysis
Package pathanalysis provides inter-procedural path expansion and pruning for taint analysis.
|
Package pathanalysis provides inter-procedural path expansion and pruning for taint analysis. |
|
semantic/symbolic
Package symbolic provides symbolic execution for deep semantic tracing This traces object instantiation, constructor execution, method calls, and property population Works universally across ALL PHP applications - no framework-specific hints
|
Package symbolic provides symbolic execution for deep semantic tracing This traces object instantiation, constructor execution, method calls, and property population Works universally across ALL PHP applications - no framework-specific hints |
|
semantic/tracer
Package tracer provides variable tracing across codebases
|
Package tracer provides variable tracing across codebases |
|
semantic/types
Package types defines universal data structures for semantic input tracing across all supported programming languages.
|
Package types defines universal data structures for semantic input tracing across all supported programming languages. |
|
sources
Package sources - defaults.go provides centralized default configuration values All default values should be defined here and referenced from other packages
|
Package sources - defaults.go provides centralized default configuration values All default values should be defined here and referenced from other packages |
|
sources/c
Package c - input_patterns.go provides C-specific input source patterns These patterns identify where user input enters C programs
|
Package c - input_patterns.go provides C-specific input source patterns These patterns identify where user input enters C programs |
|
sources/common
Package common - framework_patterns.go provides framework pattern definitions All framework-specific patterns should be defined using these types
|
Package common - framework_patterns.go provides framework pattern definitions All framework-specific patterns should be defined using these types |
|
sources/constants
Package constants provides centralized type constants for the tracer.
|
Package constants provides centralized type constants for the tracer. |
|
sources/core
Package core provides the centralized type definitions and registry for input detection.
|
Package core provides the centralized type definitions and registry for input detection. |
|
sources/cpp
Package cpp - frameworks.go provides C++ web framework patterns Includes patterns for Crow, Drogon, Boost.Beast, cpprestsdk, Poco, and Qt
|
Package cpp - frameworks.go provides C++ web framework patterns Includes patterns for Crow, Drogon, Boost.Beast, cpprestsdk, Poco, and Qt |
|
sources/csharp
Package csharp - frameworks.go provides C# web framework patterns Includes patterns for ASP.NET Core, ASP.NET MVC, Nancy, and ServiceStack
|
Package csharp - frameworks.go provides C# web framework patterns Includes patterns for ASP.NET Core, ASP.NET MVC, Nancy, and ServiceStack |
|
sources/frameworks
Package frameworks - detection.go provides framework detection utilities This centralizes file path indicators used to detect frameworks in codebases
|
Package frameworks - detection.go provides framework detection utilities This centralizes file path indicators used to detect frameworks in codebases |
|
sources/golang
Package golang - frameworks.go provides Go framework pattern registry All Go framework patterns should be registered here
|
Package golang - frameworks.go provides Go framework pattern registry All Go framework patterns should be registered here |
|
sources/java
Package java - annotations.go provides Java annotation to source type mappings This centralizes all annotation-based input source detection for Java frameworks
|
Package java - annotations.go provides Java annotation to source type mappings This centralizes all annotation-based input source detection for Java frameworks |
|
sources/javascript
Package javascript - express.go provides Express.js framework input patterns
|
Package javascript - express.go provides Express.js framework input patterns |
|
sources/patterns
Package patterns provides centralized regex patterns for code analysis.
|
Package patterns provides centralized regex patterns for code analysis. |
|
sources/php
Package php provides PHP database-related patterns
|
Package php provides PHP database-related patterns |
|
sources/python
Package python - frameworks.go provides Python framework pattern registry All Python framework patterns should be registered here
|
Package python - frameworks.go provides Python framework pattern registry All Python framework patterns should be registered here |
|
sources/ruby
Package ruby - frameworks.go provides Ruby web framework patterns Includes patterns for Rails, Sinatra, Hanami, Grape, and Padrino
|
Package ruby - frameworks.go provides Ruby web framework patterns Includes patterns for Rails, Sinatra, Hanami, Grape, and Padrino |
|
sources/rust
Package rust - frameworks.go provides Rust web framework patterns Includes patterns for Actix-web, Rocket, Axum, Warp, and Tide
|
Package rust - frameworks.go provides Rust web framework patterns Includes patterns for Actix-web, Rocket, Axum, Warp, and Tide |
|
sources/typescript
Package typescript provides centralized TypeScript patterns for semantic analysis
|
Package typescript provides centralized TypeScript patterns for semantic analysis |
Click to show internal directories.
Click to hide internal directories.