Proposed changes

This PR replaces the github.com/BishopFox/jsluice dependency (and its CGO requirement github.com/smacker/go-tree-sitter) with a pure-Go JavaScript endpoint extractor using github.com/dop251/goja’s AST parser.

Impact

  • Eliminates CGO: Removes all CGO requirements, significantly simplifying cross-platform builds (especially for Windows and Linux ARM/386).
  • Cross-Platform Consistency: The jsluice parser was previously guarded by //go:build !(386 || windows), meaning Windows/386 users had reduced functionality. This PR enables full JavaScript analysis on all platforms.
  • Dependency Cleanup: Removes jsluice and go-tree-sitter from the dependency graph.

Implementation Details

  • Rewrote pkg/utils/jsluice.go to use dop251/goja/parser and dop251/goja/ast.
  • Implemented a robust AST walker that detects URLs in:
    • fetch() calls
    • XMLHttpRequest.open()
    • window.open()
    • location.href / img.src assignments
    • Object literals, arrays, and template literals
    • jQuery ($.ajax) and axios calls
  • Added a regex fallback for malformed JavaScript (graceful degradation).
  • Updated .goreleaser/*.yml to remove CGO_ENABLED=1 and cross-compiler requirements.

Proof

I have added a comprehensive test suite in pkg/utils/jsluice_test.go covering 25+ scenarios including all supported extraction patterns and edge cases.

New Tests Passing:

=== RUN TestExtractJsluiceEndpoints
--- PASS: TestExtractJsluiceEndpoints (0.01s)
--- PASS: TestExtractJsluiceEndpoints/fetch_call (0.00s)
--- PASS: TestExtractJsluiceEndpoints/XMLHttpRequest_open (0.00s)
--- PASS: TestExtractJsluiceEndpoints/window.open (0.00s)
--- PASS: TestExtractJsluiceEndpoints/location.href_assignment (0.00s)
--- PASS: TestExtractJsluiceEndpoints/malformed_JS_falls_back_to_regex (0.00s)
...

Cross-Platform Build Verification: Builds now succeed without CGO on previously problematic platforms:

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ./cmd/katana/
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build ./cmd/katana/
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build ./cmd/katana/

Checklist

  • Pull request is created against the dev branch
  • All checks passed (lint, unit/integration/regression tests etc.) with my changes
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation (if appropriate)

/claim #1367
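The regex fallback for malformed JavaScript listed under Implementation Details, sketched as an added example (not code from this PR or from katana). The three patterns, `extractFallback`, `endpointRe` and the sample input are assumptions made for illustration, using only the Go standard library.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Hypothetical patterns for illustration; the PR's own fallback regexes are not shown on the page.
var fallbackPatterns = []*regexp.Regexp{
	// fetch("..."), window.open("..."), axios.get("..."), $.ajax("..."); \x60 is a backtick
	regexp.MustCompile(`(?:fetch|window\.open|axios(?:\.\w+)?|\$\.(?:ajax|get|post))\s*\(\s*["'\x60]([^"'\x60\s]+)`),
	// xhr.open("METHOD", "...")
	regexp.MustCompile(`\.open\s*\(\s*["'][A-Za-z]+["']\s*,\s*["']([^"'\s]+)`),
	// location.href = "...", img.src = "...", and { url: "..." } in object literals
	regexp.MustCompile(`(?:\.(?:href|src)\s*=|\burl\s*:)\s*["']([^"'\s]+)`),
}

// endpointRe keeps paths and absolute URLs and drops captures such as "_blank".
var endpointRe = regexp.MustCompile(`^(?:https?://|\.{0,2}/).`)

// extractFallback returns sorted, de-duplicated endpoint candidates found in src.
func extractFallback(src string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, re := range fallbackPatterns {
		for _, m := range re.FindAllStringSubmatch(src, -1) {
			u, _, _ := strings.Cut(m[1], "${") // static prefix of a template literal
			if endpointRe.MatchString(u) && !seen[u] {
				seen[u] = true
				out = append(out, u)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Constructed sample: the unbalanced "(" on the first line makes an AST parser reject it.
const sampleMalformed = `function load( {
  fetch("/api/v1/users");
  x.open("POST", "/api/v1/login");
  window.open('https://example.com/help', "_blank");
  location.href = "/dashboard";
` + "  fetch(`/api/v1/items/${id}`);\n"

func main() {
	fmt.Println(strings.Join(extractFallback(sampleMalformed), "\n"))
}
```

A pattern-based pass like this cannot follow string concatenation or variables, which is why it only makes sense as the degraded path behind the AST walker.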

Summary by CodeRabbit

  • New Features

    • Improved JavaScript endpoint extraction — more accurate detection across diverse JS patterns with robust fallback handling.
  • Chores

    • Updated project dependencies for maintainability.
  • Platform

    • Parser compatibility extended to all OS/architecture combinations.
  • Tests

    • Added comprehensive tests validating extraction accuracy and preprocessing behavior.

Claim

Total prize pool $400
Total paid $0
Status Pending
Submitted February 11, 2026
Last updated February 11, 2026

Contributors

Harsh Pratap Singh

@harsh-pratap9904-gmail-com

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$200

Hermes1118

@dalledajay-gmail-com

$200