Proposed changes

Replaces github.com/BishopFox/jsluice (and its CGO dependency on github.com/smacker/go-tree-sitter) with a pure-Go JavaScript endpoint extractor using github.com/dop251/goja’s AST parser.

What changed

• pkg/utils/jsluice.go — Rewrote ExtractJsluiceEndpoints using goja’s AST walker. The new implementation covers:
  • fetch(), XMLHttpRequest.open(), window.open() calls
  • new WebSocket(), new URL(), new Request() constructors
  • jQuery $.ajax, axios, and generic HTTP client calls
  • Property assignments (location.href, img.src, etc.)
  • String literals, template literals, object/array literals
  • ES6 preprocessing (strips import/export for goja’s ES5.1 parser)
  • Regex fallback for malformed JavaScript that fails AST parsing
• pkg/engine/parser/parser_generic.go — Removed //go:build !(386 || windows) constraint. Now compiles on all platforms.
• pkg/engine/parser/parser_nojs.go — Deleted. No longer need platform-specific stub since jsluice now works everywhere.
• go.mod — Removed BishopFox/jsluice, smacker/go-tree-sitter, ditashi/jsbeautifier-go. Added dop251/goja, go-sourcemap/sourcemap.

Impact

Proof

All tests pass with CGO_ENABLED=0:

=== RUN   TestExtractJsluiceEndpoints
--- PASS: TestExtractJsluiceEndpoints (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/fetch_call (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/XMLHttpRequest_open (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/window.open (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/location.href_assignment (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/string_variable_with_URL (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/string_variable_with_path (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/multiple_endpoints (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/object_literal_with_URL_values (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/new_WebSocket (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/new_URL (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/jQuery_ajax (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/deduplication (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/malformed_JS_falls_back_to_regex (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/array_of_URLs (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/conditional_expression (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/function_declaration_with_URLs (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/arrow_function_with_URL (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/src_assignment (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/no_URLs_in_plain_code (0.00s)
    --- PASS: TestExtractJsluiceEndpoints/absolute_URL_in_variable (0.00s)

Cross-platform builds verified (all CGO_ENABLED=0):

CGO_ENABLED=0 GOOS=linux   GOARCH=amd64  go build ./cmd/katana/  # SUCCESS
CGO_ENABLED=0 GOOS=darwin  GOARCH=arm64  go build ./cmd/katana/  # SUCCESS
CGO_ENABLED=0 GOOS=windows GOARCH=386    go build ./cmd/katana/  # SUCCESS

Checklist

• Pull request is created against the dev branch
• All checks passed (lint, unit/integration/regression tests etc.) with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

/claim #1367

Summary by CodeRabbit

• New Features

  • Enhanced JavaScript endpoint extraction with wider detection for fetch/XHR/axios/websocket/URL patterns and improved AST + regex fallback extraction; added a structured endpoint result type.
  • Added configurable parser options to control automatic form filling, JS response scraping, and redirect behavior via an initialization method.

• Tests

  • Added comprehensive tests covering endpoint extraction, URL-like detection, preprocessing, deduplication, and related edge cases.