Proposed Changes

This PR removes the CGo dependency on smacker/go-tree-sitter by replacing BishopFox/jsluice with a pure-Go JavaScript endpoint extractor built on dop251/goja.

The go-tree-sitter library requires CGo, which complicates cross-platform builds (especially for darwin/arm64, windows, and 386 targets). By switching to dop251/goja — a pure-Go ECMAScript engine — we eliminate the CGo requirement entirely.

What changed

  • Replaced BishopFox/jsluice + smacker/go-tree-sitter with dop251/goja/parser and dop251/goja/ast
  • Implemented a full AST walker in pkg/utils/jsluice.go that extracts endpoints from:
    • String literals that look like URLs/paths
    • fetch(), window.open(), location.replace() calls
    • XMLHttpRequest.open() calls
    • jQuery AJAX calls ($.get, $.post, $.ajax)
    • Assignment expressions (location.href = "/path")
    • String concatenation expressions ("/api/" + id + "/data")
  • Added regex fallback for malformed JavaScript that fails AST parsing
  • Removed platform-specific build constraints (//go:build !(386 || windows))
  • Deleted parser_nojs.go — jsluice functionality now works on all platforms
  • Added comprehensive tests for the new endpoint extractor

/claim #1367

Proof

All tests pass

$ go test ./...
ok github.com/projectdiscovery/katana/pkg/engine/parser 0.038s
ok github.com/projectdiscovery/katana/pkg/utils 0.012s
...

Cross-compilation works without CGo

$ CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build ./cmd/katana # Success
$ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build ./cmd/katana # Success
$ CGO_ENABLED=0 GOOS=linux GOARCH=386 go build ./cmd/katana # Success

Dependencies removed

  • github.com/BishopFox/jsluice — removed from go.mod
  • github.com/smacker/go-tree-sitter — removed from go.mod and go.sum
  • github.com/ditashi/jsbeautifier-go — removed (was a transitive dep of jsluice)

Dependency added

  • github.com/dop251/goja — pure-Go ECMAScript engine (no CGo)

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • JavaScript endpoint extraction now works across all platforms and architectures.
  • New Features
    • Improved JavaScript parsing for more accurate endpoint discovery, including richer handling of calls, assignments, templates, and concatenations.
  • Tests
    • Added comprehensive tests covering varied JS endpoint extraction scenarios.
  • Chores
    • Updated dependencies and internal parsing implementation for improved reliability.
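
A sketch of the "regex fallback for malformed JavaScript" and "string concatenation" items in the PR description, as an added example that is not code from this PR or from katana. The two patterns, the `{id}` placeholder form, the `FallbackEndpoints` name and the sample script are assumptions made for illustration; only the Go standard library is used.

```go
package main

import (
	"fmt"
	"regexp"
)

var (
	// `"lit" + ident + "lit"` is folded into one literal with a {ident} placeholder (assumed form).
	concatRe = regexp.MustCompile(`["']\s*\+\s*([A-Za-z_$][\w$.]*)\s*\+\s*["']`)
	// A quoted literal that starts with http(s)://, "/", "./" or "../".
	literalRe = regexp.MustCompile(`["'\x60]((?:https?://|\.{0,2}/)[^"'\x60\s<>]+)["'\x60]`)
	// Candidates made only of dots and slashes ("//", "../") carry no endpoint.
	emptyRe = regexp.MustCompile(`^[./]*$`)
)

// FallbackEndpoints extracts URL-like string literals from source that an
// AST parser would reject, de-duplicated in order of first appearance.
func FallbackEndpoints(src string) []string {
	folded := concatRe.ReplaceAllString(src, "{${1}}")
	seen := map[string]bool{}
	var out []string
	for _, m := range literalRe.FindAllStringSubmatch(folded, -1) {
		ep := m[1]
		if emptyRe.MatchString(ep) || seen[ep] {
			continue
		}
		seen[ep] = true
		out = append(out, ep)
	}
	return out
}

// Constructed sample: unbalanced parentheses and braces, so it does not parse.
const sample = `
function load(id) {
  fetch("/api/users/" + id + "/profile").then(r => r.json()
  $.post('/login', {u: u});
  location.href = "https://app.example.test/dashboard";
  var mime = "text/html", sep = "/";
  xhr.open("GET", '/api/v2/items');
  fetch("/login");
`

func main() {
	for _, ep := range FallbackEndpoints(sample) {
		fmt.Println(ep)
	}
}
```

The MIME type, the bare `"/"` separator and the HTTP verb are skipped because they do not start with a path or scheme prefix followed by at least one more character.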

Claim

Total prize pool $400
Total paid $0
Status Pending
Submitted February 17, 2026
Last updated February 17, 2026

Contributors

  • 285729101 (@285729101): 100%

Sponsors

  • ProjectDiscovery (@projectdiscovery): $200
  • Hermes1118 (@dalledajay-gmail-com): $200