# Statically Checking Web API Requests in JavaScript

**Authors:** Erik Wittern, Annie T. T. Ying, Yunhui Zheng, Julian Dolby, Jim A. Laredo

arXiv: 1702.03906 · 2017-02-17

## TL;DR

This paper presents a static analysis approach to verify the correctness of web API requests in JavaScript, ensuring they conform to API specifications and identifying client-side errors.

## Contribution

It introduces a novel inter-procedural string analysis method to check API request validity against specifications at compile time in JavaScript.

## Key findings

- Achieved 96.0% precision in URL and method validation
- 87.9% precision in payload data validation
- Detected client-side errors in API requests

## Abstract

Many JavaScript applications perform HTTP requests to web APIs, relying on the request URL, HTTP method, and request data to be constructed correctly by string operations. Traditional compile-time error checking, such as calling a non-existent method in Java, is not available for checking whether such requests comply with the requirements of a web API. In this paper, we propose an approach to statically check web API requests in JavaScript. Our approach first extracts a request's URL string, HTTP method, and the corresponding request data using an inter-procedural string analysis, and then checks whether the request conforms to given web API specifications. We evaluated our approach by checking whether web API requests in JavaScript files mined from GitHub are consistent or inconsistent with publicly available API specifications. From the 6575 requests in scope, our approach determined whether the request's URL and HTTP method were consistent or inconsistent with web API specifications with a precision of 96.0%. Our approach also correctly determined whether extracted request data was consistent or inconsistent with the data requirements with a precision of 87.9% for payload data and 99.9% for query data. In a systematic analysis of the inconsistent cases, we found that many of them were due to errors in the client code. The checker proposed here can be integrated with code editors or with continuous integration tools to warn programmers about code containing potentially erroneous requests.
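
The second step described in the abstract, checking an already extracted request against a specification, can be illustrated as follows. This is an added example, not the paper's implementation: the spec fragment, the `UNKNOWN` marker for string parts a static analysis could not resolve, and the function names are all assumptions.

```javascript
// Added example: spec, marker and function names are constructed for illustration.
const UNKNOWN = "\uE000"; // stands for a string part the static analysis could not resolve

const SPEC = {
  base: "https://api.example.com/v1",
  paths: {
    "/users/{id}": { GET: { requiredQuery: [] }, DELETE: { requiredQuery: [] } },
    "/search": { GET: { requiredQuery: ["q"] } },
  },
};

// A URL segment matches a template segment if it is unresolved, fills a
// {parameter}, or equals the literal exactly.
function segmentMatches(tmpl, seg) {
  if (seg.includes(UNKNOWN)) return true;
  if (/^\{[^}]+\}$/.test(tmpl)) return seg.length > 0;
  return tmpl === seg;
}

function checkRequest(spec, { method, url }) {
  if (!url.startsWith(spec.base + "/")) return "out-of-scope";
  const rest = url.slice(spec.base.length);
  const cut = rest.indexOf("?");
  const path = cut < 0 ? rest : rest.slice(0, cut);
  const query = new URLSearchParams(cut < 0 ? "" : rest.slice(cut + 1));
  const segs = path.split("/");

  const template = Object.keys(spec.paths).find((t) => {
    const parts = t.split("/");
    return parts.length === segs.length && parts.every((p, i) => segmentMatches(p, segs[i]));
  });
  if (!template) return "inconsistent: no matching path";

  const verb = method.toUpperCase();
  const op = spec.paths[template][verb];
  if (!op) return `inconsistent: ${verb} not defined for ${template}`;

  // An unresolved query key could be any parameter, so it cannot be reported as missing.
  const unresolvedKey = [...query.keys()].some((k) => k.includes(UNKNOWN));
  const missing = unresolvedKey ? [] : op.requiredQuery.filter((n) => !query.has(n));
  return missing.length ? `inconsistent: missing query ${missing.join(",")}` : "consistent";
}
```

Treating unresolved parts as matching anything keeps the check conservative: a request is reported as inconsistent only when its statically known parts already contradict the spec.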

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1702.03906/full.md

---
Source: https://tomesphere.com/paper/1702.03906