Programming in the Stone-age
Simple checks like on non-existent endpoints are not available!
On GitHub, we found code that mistakenly attempts to make a request to
spotify.com/v1/seach, as opposed to invoking the correct URL ending with
This is what I mean by stone-age – why don’t we have more static support on checking stupid errors like that!
A programmer wishing to avoid such errors can manually assess the correctness of web API requests by consulting the API’s (online) documentation or formal web API specifications. Such specifications, like the OpenAPI Specification (or formerly known as Swagger), can be created by API providers or third parties to document valid URLs, HTTP methods, as well as inputs and outputs that a web API expects.
Getting out the stone-age: our static checker on web API requests
In essence, our tool automates this manual process by doing two things:
First, our approach extracts a request’s URL string, HTTP method, and the corresponding request data using an inter-procedural string analysis
This task is not super easy task because we need an inter-procedural static program analysis capable of extracting strings. Yunhui has described the magic behind this analysis.
Making use of available Swagger specifications for the definitions of valid URLs, HTTP methods, and data. Our approach checks whether the request extracted from the first step conforms to given web API specifications. Erik has shared some interesting insights about these specifications in a previous post.
Our check is quite precise!
- Our approach determined whether the request’s URL and HTTP method was consistent or inconsistent with web API specifications with a precision of
- Our approach also correctly determined whether extracted request data was consistent or inconsistent with the data requirements with a precision of
87.9%for payload data and
99.9%for query data.
- In a systematic analysis of the inconsistent cases, we found that many of them were due to errors in the client code.
If you ask me, this numbers mean that we are ready to deploy our approach!
And we have! Our checker is already integrated as a plug-in in Atom, as described in Erik’s previous post! It can also be integrated with continuous integration tools to warn programmers about code containing potentially erroneous requests.