InfoSec Write-ups


PathFinder — Simplifying Code Review with Call Graph Visualization

As developers and security engineers, we often face challenges in understanding complex codebases and tracking function calls during secure code review processes. To address these challenges, I developed PathFinder, a lightweight VS Code extension designed to visualize call graphs and provide actionable insights into your code structure.

PathFinder simplifies code review tasks and offers features like endpoint detection, function inspection, and route highlighting. I believe this extension will take a huge load off my daily work as it evolves, but of course, I have to admit it’s still very much in the early stages right now.

See It in Action

Features

If I were to briefly talk about PathFinder’s features:

  • Visualizes function call graphs, making complex codebases easier to understand.
  • Detects and highlights HTTP endpoints in your projects.
  • Offers an interactive experience — click nodes to trace paths or jump straight to the code with a simple command.
  • Lets you filter out common functions like Println() and search for specific ones to focus your analysis.
  • And of course, supports a dark mode for a better, distraction-free experience.

Real-World Use Cases

PathFinder is designed to fit into real-world secure code review workflows. Here are some scenarios:

  1. Analyzing Vulnerable Functions
    Quickly trace paths leading to a vulnerable function to assess its accessibility and exploitability.
  2. Endpoint Branching
    Visualize how exposed endpoints branch into internal logic and analyze their flows.
  3. Code Cleanup
    Spot unused functions floating aimlessly in the graph, indicating areas that might need cleanup or refactoring.
  4. Function Relationships
    Understand the relationships between functions and their arguments to detect potential issues in the flow.

Supported Languages

PathFinder currently supports Golang. However, additional languages like Python and Java are on the roadmap. Contributions to support other languages are highly encouraged. If you’re a developer/security engineer interested in extending PathFinder, check out the project.

How It Works

  1. Parsing and Visualization
    PathFinder parses your source files using language-specific analyzers located in the tools/ directory. These analyzers output data in a consistent JSON format for easy integration with the visualization script.
  2. Example Output
    Below is an example of how PathFinder processes Go source code:

Input:

func AdditionalFunction3() {
	fmt.Println("Inside additionalFunction")
	branchX()
}

func branchX() {
	fmt.Println("Inside branchX")
}

Output:

{
  "nodes": [
    {
      "id": "AdditionalFunction3",
      "name": "AdditionalFunction3",
      "args": [],
      "returns": []
    },
    {
      "id": "branchX",
      "name": "branchX",
      "args": [],
      "returns": []
    },
    {
      "id": "Println",
      "name": "Println",
      "args": [
        "\"Inside additionalFunction\""
      ],
      "returns": []
    }
  ],
  "edges": [
    {
      "source": "AdditionalFunction3",
      "target": "Println",
      "line": 2,
      "file": "../../example/folder1/third.go",
      "endpoint": ""
    },
    {
      "source": "AdditionalFunction3",
      "target": "branchX",
      "line": 4,
      "file": "../../example/folder1/third.go",
      "endpoint": ""
    },
    {
      "source": "branchX",
      "target": "Println",
      "line": 7,
      "file": "../../example/folder1/third.go",
      "endpoint": ""
    }
  ]
}

To integrate an analyzer for a new language, it is sufficient to emit the output format above.
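To make the contract concrete, here is an added example (my own code, not PathFinder's tools/ analyzer) of a minimal Go call-graph extractor built on the standard go/ast package that produces the nodes/edges shape above; the Graph type and Analyze function are assumed names, endpoint detection is left out (the field stays empty), and callee nodes are listed in first-seen order rather than the order shown above.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

type Graph map[string][]map[string]any // "nodes" and "edges", keyed exactly as PathFinder's JSON; json.Marshal(g) emits that format
// Analyze parses one Go file: functions and callees become nodes (a callee once, with its first call's args); each call site becomes an edge.
func Analyze(file, src string) (Graph, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, file, src, 0)
	if err != nil {
		return nil, err
	}
	g, seen := Graph{"nodes": {}, "edges": {}}, map[string]bool{}
	add := func(name string, args []string) {
		if !seen[name] {
			seen[name] = true
			g["nodes"] = append(g["nodes"], map[string]any{"id": name, "name": name, "args": args, "returns": []string{}})
		}
	}
	var cur string // enclosing function: Inspect visits a FuncDecl before the calls in its body
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.FuncDecl:
			cur = x.Name.Name
			add(cur, []string{})
		case *ast.CallExpr:
			callee := ""
			if id, ok := x.Fun.(*ast.Ident); ok { // branchX()
				callee = id.Name
			} else if sel, ok := x.Fun.(*ast.SelectorExpr); ok { // fmt.Println(...): selector only, as in the post's output
				callee = sel.Sel.Name
			} else { // calls through closures or call results are not graphed
				return true
			}
			args := []string{}
			for _, a := range x.Args {
				args = append(args, types.ExprString(a)) // string literals keep their quotes
			}
			add(callee, args)
			g["edges"] = append(g["edges"], map[string]any{"source": cur, "target": callee, "line": fset.Position(x.Pos()).Line, "file": file, "endpoint": ""})
		}
		return true
	})
	return g, nil
}
```

Feeding it the excerpt above (wrapped in a package clause so it parses) yields the same three nodes and three edges; line numbers are those of the wrapped file.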

Installation

Just download the extension from the VS Code Marketplace.

Closing Thoughts

PathFinder is still in its early stages, but I believe it can grow into a handy tool for secure code reviews. I’d love to hear your thoughts and ideas to help improve it further. Feel free to give it a try and share your feedback!

Contact

Twitter: https://x.com/fatihclk01

Linkedin: https://tr.linkedin.com/in/fatih--celik


Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/
