
Add Points of Interest and Fast Cycles #82

Closed · wants to merge 9 commits

Conversation

schoobydrew

Added a points of interest reporting module that allows a custom regex filter to find objects, fields, and functions of interest based on the regex matching, i.e. fields or objects that might contain usernames/passwords/API keys.

Also added a gen_matrix function to be used with a fast cycle detection algorithm that doesn't get hung up on bigger schemas but sacrifices the verbosity of sub cycles that might exist within a larger cycle.

Added cmdline args:
--generate-poi -> store true to run the poi function
--poi-regex -> user defined regex to use instead of default for poi function
--poi-streaming -> put the poi output to stdout
--generate-fast-cycles -> store true to run the fast cycle detection
--fast-cycles-streaming -> put the fast cycle output to stdout
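The following is an added example, not code from this pull request, from InQL or from GQLSpection. It sketches the two pieces the description outlines: a regex-driven points-of-interest scan over the types and fields of an introspection result, and a `gen_matrix` adjacency matrix fed to Tarjan's strongly-connected-components algorithm, which runs in linear time but reports each component once instead of enumerating every elementary cycle inside it (the trade-off the description mentions). The sample schema, the default regex, and every name other than `gen_matrix` are constructed assumptions; InQL's real default keyword list is not shown on this page.

```python
import re

# Constructed introspection subset (the "types" list of __schema), not a real
# target: two sensitive-looking fields and one User <-> Post reference cycle.
def _ref(kind, name, of_type=None):
    return {"kind": kind, "name": name, "ofType": of_type}

SAMPLE_SCHEMA = {"types": [
    {"name": "Query", "kind": "OBJECT", "fields": [
        {"name": "me", "type": _ref("OBJECT", "User")},
        {"name": "apiKeys", "type": _ref("LIST", None, _ref("OBJECT", "ApiKey"))},
    ]},
    {"name": "User", "kind": "OBJECT", "fields": [
        {"name": "id", "type": _ref("SCALAR", "ID")},
        {"name": "passwordHash", "type": _ref("SCALAR", "String")},
        {"name": "posts", "type": _ref("LIST", None, _ref("OBJECT", "Post"))},
    ]},
    {"name": "Post", "kind": "OBJECT", "fields": [
        {"name": "title", "type": _ref("SCALAR", "String")},
        {"name": "author", "type": _ref("NON_NULL", None, _ref("OBJECT", "User"))},
    ]},
    {"name": "ApiKey", "kind": "OBJECT", "fields": [
        {"name": "secret", "type": _ref("SCALAR", "String")},
        {"name": "owner", "type": _ref("OBJECT", "User")},
    ]},
]}

# Placeholder default pattern (assumption; the PR's real default is not on the page).
# Keep it tight: a loose term such as "auth" would also flag "author".
DEFAULT_POI_REGEX = r"(?i)(pass(word)?|secret|token|api[_-]?key|credential)"


def _named_type(type_ref):
    """Unwrap LIST / NON_NULL wrappers down to the named type."""
    while type_ref.get("ofType"):
        type_ref = type_ref["ofType"]
    return type_ref["name"]


def find_points_of_interest(schema, pattern=DEFAULT_POI_REGEX):
    """Return (kind, qualified name) for every type or field whose name matches."""
    regex = re.compile(pattern)
    hits = []
    for t in schema["types"]:
        if regex.search(t["name"]):
            hits.append(("type", t["name"]))
        for f in t.get("fields") or []:
            if regex.search(f["name"]):
                hits.append(("field", "%s.%s" % (t["name"], f["name"])))
    return hits


def gen_matrix(schema):
    """Adjacency matrix over OBJECT types: m[a][b] = 1 if a field of a is typed b."""
    names = [t["name"] for t in schema["types"] if t["kind"] == "OBJECT"]
    index = {n: i for i, n in enumerate(names)}
    matrix = [[0] * len(names) for _ in names]
    for t in schema["types"]:
        if t["kind"] != "OBJECT":
            continue
        for f in t.get("fields") or []:
            target = _named_type(f["type"])
            if target in index:  # scalars/enums are not nodes in the graph
                matrix[index[t["name"]]][index[target]] = 1
    return names, matrix


def fast_cycles(schema):
    """Tarjan's SCC over the matrix. Each strongly connected component is listed
    once, so elementary sub-cycles inside a larger cycle are not enumerated."""
    names, matrix = gen_matrix(schema)
    n = len(names)
    index, low, on_stack, stack, cycles = [None] * n, [0] * n, [False] * n, [], []
    counter = [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack[v] = True
        for w in range(n):
            if not matrix[v][w]:
                continue
            if index[w] is None:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif on_stack[w]:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component: pop it
            component = []
            while True:
                w = stack.pop()
                on_stack[w] = False
                component.append(names[w])
                if w == v:
                    break
            if len(component) > 1 or matrix[v][v]:  # a real cycle, or a self-loop
                cycles.append(sorted(component))

    for v in range(n):
        if index[v] is None:
            strongconnect(v)
    return sorted(cycles)


if __name__ == "__main__":
    for kind, name in find_points_of_interest(SAMPLE_SCHEMA):
        print("POI %s: %s" % (kind, name))
    for cycle in fast_cycles(SAMPLE_SCHEMA):
        print("cycle among: %s" % ", ".join(cycle))
```

Run against the constructed schema, the scan flags `Query.apiKeys`, `User.passwordHash`, the `ApiKey` type and `ApiKey.secret` for review, and the cycle pass reports a single `Post`/`User` component even though `User -> posts -> Post -> author -> User` could be walked through several field combinations in a bigger schema; that is exactly the detail a component-level report gives up in exchange for not blowing up on large graphs. Passing a different pattern (the `--poi-regex` idea) is just the second argument.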

@execveat execveat self-requested a review January 22, 2023 19:09
@execveat
Collaborator

Hi, @schoobydrew! Thanks for the contribution, improvements in cycle detection and POI extraction are definitely very welcome.

I'll review your code over the week, just wanted to give you a heads-up with regards to our plans for the future. I'm going for an incremental rewrite of the InQL during this year due to Jython rapidly becoming a liability.

The goal is to eventually convert everything into Kotlin, so the CLI version of InQL is going to be deprecated. That said, I want to make a refactoring first, by separating GraphQL Introspection & schema parsing bits from the GUI stuff. I've started a new Python library https://github.com/doyensec/gqlspection which should provide all of the parsing capability to InQL, until the API gets stabilized and we're ready to rewrite it in Kotlin.

Although right now GQLSpection is in its infancy, I will strive to make it ready to be used within InQL by the next release in February. And although the main target of that library right now is Jython (Python 2.7), it is meant to outlive InQL's Python version, so it's fully Python 3 compatible and soon should get an excellent test suite.

GQLSpection can also be used as a standalone CLI tool (although it's not a priority for me right now). So, if you plan to make more contributions, that might be a better target for you. On the other hand, if you want to follow InQL's development, please look at the refactoring in the https://github.com/doyensec/inql/tree/dev branch.

Overall I'd say that at least until the next release code simplification, stability and robustness right now are more important than adding new features. But I'm open to adding new functionality after that (the next release should happen in a month or so).

@execveat
Collaborator

execveat commented Feb 6, 2023

Hey, @schoobydrew!

I've reviewed the code and it's good. But we are moving CLI & GraphQL parsing stuff into a separate library, so that only stuff tightly coupled with GUI remains in the main repo (to be rewritten in Kotlin).

So, if you give us permission, I will port this functionality to https://github.com/doyensec/gqlspection. Are you alright with that? Also, if you're interested in contributing to InQL on the ongoing basis, we'd like to talk to you.

@schoobydrew
Author

schoobydrew commented Feb 6, 2023

I am currently working on my own repo improving the information extracted from Tarjan's and plan to integrate with a library like gqlspection to use your library for ingesting the introspection.
If you need help porting it let me know.

@execveat execveat added this to the v5.0 milestone Mar 29, 2023
@execveat execveat linked an issue Mar 29, 2023 that may be closed by this pull request
@execveat execveat marked this pull request as draft March 29, 2023 21:02
@execveat execveat linked an issue Mar 29, 2023 that may be closed by this pull request
execveat added a commit that referenced this pull request Apr 27, 2023
@execveat
Collaborator

I'm closing this issue as 'Points of Interest' has just been merged to both InQL and GQLSpection (if you're looking for the CLI version).

If you're interested in contributing, please check comments in https://github.com/doyensec/GQLSpection/blob/dev/src/gqlspection/points_of_interest/POIScanner.py as there are more features on our wishlist (and of course, keyword lists could be improved).

The InQL version isn't configurable right now, but I'll merge the Settings window soon, which should provide this functionality.

@execveat execveat closed this Apr 27, 2023
Linked issues (may be closed by this pull request):
- Restore cycle detection
- Add 'Points of Interest' scanner