Merge pull request #932 from EMResearch/security-testing

Security Testing Continues from A New Branch
WebFuzzing · May 22, 2024 · 0d6e01b · 0d6e01b
2 parents cad44a9 + 7ff1e87
commit 0d6e01b
Show file tree

Hide file tree

Showing 17 changed files with 1,488 additions and 647 deletions.
diff --git a/.../src/main/kotlin/bar/examples/it/spring/multipleendpoints/MultipleEndpointsApplication.kt b/.../src/main/kotlin/bar/examples/it/spring/multipleendpoints/MultipleEndpointsApplication.kt
@@ -0,0 +1,251 @@
+package bar.examples.it.spring.multipleendpoints
+
+import org.springframework.boot.SpringApplication
+import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
+import org.springframework.http.ResponseEntity
+import org.springframework.web.bind.annotation.*
+
+@SpringBootApplication(exclude = [SecurityAutoConfiguration::class])
+@RequestMapping(path = ["/api"])
+@RestController
+open class MultipleEndpointsApplication {
+
+
+    companion object {
+        @JvmStatic
+        fun main(args: Array<String>) {
+            SpringApplication.run(MultipleEndpointsApplication::class.java, *args)
+        }
+    }
+
+
+    // GET methods
+
+    /**
+     * Get endpoint 1 with identifier endpointIdentifier, returns 200 as response.
+     */
+    @GetMapping("/endpoint1/{endpointIdentifier}")
+    open fun getByIdEndpoint1(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(201).body("endpoint1_GET : $endpointIdentifier")
+    }
+
+    /**
+     * Get endpoint 1 with the given status code as the response.
+     */
+    @GetMapping("/endpoint1/setStatus/{status}")
+    open fun getResponseWithGivenStatusEndpoint1(@PathVariable status: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(status).body("endpoint1_SET_STATUS")
+    }
+
+    /**
+     * Get endpoint 2 with identifier endpointIdentifier, returns 201 as response.
+     */
+    @GetMapping("/endpoint2/{endpointIdentifier}")
+    open fun getByIdEndpoint2(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(202).body("endpoint2_GET : $endpointIdentifier")
+    }
+
+    /**
+     * Get endpoint 2 with the given status code as the response.
+     */
+    @GetMapping("/endpoint2/setStatus/{status}")
+    open fun getResponseWithGivenStatusEndpoint2(@PathVariable status: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(status).body("endpoint2_SET_STATUS")
+    }
+
+    /**
+     * Get endpoint 3 with identifier endpointIdentifier, returns 202 as response.
+     */
+    @GetMapping("/endpoint3/{endpointIdentifier}")
+    open fun getByIdEndpoint3(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(203).body("endpoint3_GET : $endpointIdentifier")
+    }
+
+    /**
+     * Get endpoint 3 with the given status code as the response.
+     */
+    @GetMapping("/endpoint3/setStatus/{status}")
+    open fun getResponseWithGivenStatusEndpoint3(@PathVariable status: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(status).body("endpoint3_SET_STATUS")
+    }
+
+    /**
+     * Get endpoint 4 with identifier endpointIdentifier, returns 203 as response.
+     */
+    @GetMapping("/endpoint4/{endpointIdentifier}")
+    open fun getByIdEndpoint4(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(204).body("endpoint4_GET : $endpointIdentifier")
+    }
+
+    /**
+     * Get endpoint 4 with the given status code as the response.
+     */
+    @GetMapping("/endpoint4/setStatus/{status}")
+    open fun getResponseWithGivenStatusEndpoint4(@PathVariable status: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(status).body("endpoint4_SET_STATUS")
+    }
+
+    /**
+     * Get endpoint 5 with identifier endpointIdentifier, returns 204 as response.
+     */
+    @GetMapping("/endpoint5/{endpointIdentifier}")
+    open fun getByIdEndpoint5(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(205).body("endpoint5_GET : $endpointIdentifier")
+    }
+
+    /**
+     * Get endpoint 5 with the given status code as the response.
+     */
+    @GetMapping("/endpoint5/setStatus/{status}")
+    open fun getResponseWithGivenStatusEndpoint5(@PathVariable status: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(status).body("endpoint5_SET_STATUS")
+    }
+
+    /**
+     * POST endpoint 1, returns 301
+     */
+    @PostMapping("/endpoint1")
+    open fun postEndpoint1() : ResponseEntity<String> {
+
+        return ResponseEntity.status(301).body("endpoint1_POST")
+    }
+
+    /**
+     * POST endpoint 2, returns 302
+     */
+    @PostMapping("/endpoint2")
+    open fun postEndpoint2() : ResponseEntity<String> {
+
+        return ResponseEntity.status(302).body("endpoint2_POST")
+    }
+
+    /**
+     * POST endpoint 3, returns 303
+     */
+    @PostMapping("/endpoint3")
+    open fun postEndpoint3() : ResponseEntity<String> {
+
+        return ResponseEntity.status(303).body("endpoint3_POST")
+    }
+
+    /**
+     * POST endpoint 4, returns 304
+     */
+    @PostMapping("/endpoint4")
+    open fun postEndpoint4() : ResponseEntity<String> {
+
+        return ResponseEntity.status(304).body("endpoint4_POST")
+    }
+
+    /**
+     * POST endpoint 5, returns 305
+     */
+    @PostMapping("/endpoint5")
+    open fun postEndpoint5() : ResponseEntity<String> {
+
+        return ResponseEntity.status(305).body("endpoint5_POST")
+    }
+
+    /**
+     * PUT endpoint 1, returns 401
+     */
+    @PutMapping("/endpoint1/{endpointIdentifier}")
+    open fun putByIdEndpoint1(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(401).body("endpoint1_PUT : $endpointIdentifier")
+    }
+
+    /**
+     * PUT endpoint 2, returns 402
+     */
+    @PutMapping("/endpoint2/{endpointIdentifier}")
+    open fun putByIdEndpoint2(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(402).body("endpoint2_PUT : $endpointIdentifier")
+    }
+
+    /**
+     * PUT endpoint 3, returns 403
+     */
+    @PutMapping("/endpoint3/{endpointIdentifier}")
+    open fun putByIdEndpoint3(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(403).body("endpoint3_PUT : $endpointIdentifier")
+    }
+
+    /**
+     * PUT endpoint 4, returns 404
+     */
+    @PutMapping("/endpoint4/{endpointIdentifier}")
+    open fun putByIdEndpoint4(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(404).body("endpoint4_PUT : $endpointIdentifier")
+    }
+
+    /**
+     * PUT endpoint 5, returns 405
+     */
+    @PutMapping("/endpoint5/{endpointIdentifier}")
+    open fun putByIdEndpoint5(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(405).body("endpoint5_PUT : $endpointIdentifier")
+    }
+
+    /**
+     * DELETE endpoint 1, returns 501
+     */
+    @DeleteMapping("/endpoint1/{endpointIdentifier}")
+    open fun deleteByIdEndpoint1(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(501).body("endpoint1_DELETE : $endpointIdentifier")
+    }
+
+    /**
+     * DELETE endpoint 2, returns 502
+     */
+    @DeleteMapping("/endpoint2/{endpointIdentifier}")
+    open fun deleteByIdEndpoint2(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(502).body("endpoint2_DELETE : $endpointIdentifier")
+    }
+
+    /**
+     * DELETE endpoint 3, returns 503
+     */
+    @DeleteMapping("/endpoint3/{endpointIdentifier}")
+    open fun deleteByIdEndpoint3(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(503).body("endpoint3_DELETE : $endpointIdentifier")
+    }
+
+    /**
+     * DELETE endpoint 4, returns 504
+     */
+    @DeleteMapping("/endpoint4/{endpointIdentifier}")
+    open fun deleteByIdEndpoint4(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(504).body("endpoint4_DELETE : $endpointIdentifier")
+    }
+
+    /**
+     * DELETE endpoint 5, returns 505
+     */
+    @DeleteMapping("/endpoint5/{endpointIdentifier}")
+    open fun deleteByIdEndpoint5(@PathVariable endpointIdentifier: Int) : ResponseEntity<String> {
+
+        return ResponseEntity.status(505).body("endpoint5_DELETE : $endpointIdentifier")
+    }
+
+
+}
diff --git a/...t/src/test/kotlin/bar/examples/it/spring/multipleendpoints/MultipleEndpointsController.kt b/...t/src/test/kotlin/bar/examples/it/spring/multipleendpoints/MultipleEndpointsController.kt
@@ -0,0 +1,5 @@
+package bar.examples.it.spring.multipleendpoints
+
+import bar.examples.it.spring.SpringController
+
+class MultipleEndpointsController : SpringController(MultipleEndpointsApplication::class.java)
diff --git a/...rg/evomaster/core/problem/rest/selectorutils/RestIndividualSelectorUtilsPathStatusTest.kt b/...rg/evomaster/core/problem/rest/selectorutils/RestIndividualSelectorUtilsPathStatusTest.kt
@@ -1,11 +1,9 @@
 package org.evomaster.core.problem.rest.selectorutils
 
 import bar.examples.it.spring.pathstatus.PathStatusController
-import org.evomaster.core.problem.rest.HttpVerb
-import org.evomaster.core.problem.rest.IntegrationTestRestBase
-import org.evomaster.core.problem.rest.RestIndividualSelectorUtils
-import org.evomaster.core.problem.rest.RestPath
+import org.evomaster.core.problem.rest.*
 import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.BeforeAll
 import org.junit.jupiter.api.Test
 
@@ -19,7 +17,6 @@ class RestIndividualSelectorUtilsPathStatusTest : IntegrationTestRestBase(){
         }
     }
 
-
     @Test
     fun testPathStatus(){
 
@@ -45,6 +42,67 @@ class RestIndividualSelectorUtilsPathStatusTest : IntegrationTestRestBase(){
 
         val r1 = RestIndividualSelectorUtils.findIndividuals(individuals, HttpVerb.GET, byStatus, 500)
         assertEquals(0, r1.size)
+
+        val r2 = RestIndividualSelectorUtils.findIndividuals(individuals, HttpVerb.GET, others, 200)
+        assertEquals(2, r2.size)
+    }
+
+    @Test
+    fun testIndex(){
+
+        val pirTest = getPirToRest()
+
+        val byStatus = RestPath("/api/pathstatus/byStatus/{status}")
+        val others = RestPath("/api/pathstatus/others/{x}")
+
+        val s200 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/200")!!
+        val s400 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/400")!!
+        val o200 = pirTest.fromVerbPath("get", "/api/pathstatus/others/200")!!
+
+        val x = createIndividual(listOf(s200,s400,o200,s200.copy() as RestCallAction))
+
+        assertEquals(2, x.individual.getActionIndex(HttpVerb.GET, others))
+        assertTrue(x.individual.getActionIndex(HttpVerb.POST, others) < 0)
+
+        assertEquals(0, x.individual.getActionIndex(HttpVerb.GET, byStatus))
+    }
+
+
+    @Test
+    fun testFindAction() {
+
+        val pirTest = getPirToRest()
+
+        val others = RestPath("/api/pathstatus/others/{x}")
+
+        // create 10 actions
+        val action1 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/200")!!
+        val action2 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/201")!!
+        val action3 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/202")!!
+        val action4 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/204")!!
+        val action5 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/301")!!
+        val action6 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/302")!!
+        val action7 = pirTest.fromVerbPath("get", "/api/pathstatus/others/304")!!
+        val action8 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/401")!!
+        val action9 = pirTest.fromVerbPath("get", "/api/pathstatus/others/402")!!
+        val action10 = pirTest.fromVerbPath("get", "/api/pathstatus/byStatus/404")!!
+
+        val createdIndividualFirst = createIndividual(listOf(action1, action2, action3, action4, action5))
+        val createdIndividualSecond = createIndividual(listOf(action6, action7, action8, action9, action10))
+
+        val listOfIndividuals = listOf(createdIndividualFirst, createdIndividualSecond)
+
+        // find action with GET request
+        val actionWithGet = RestIndividualSelectorUtils.findAction(listOfIndividuals, HttpVerb.GET) as RestCallAction
+        assertTrue(actionWithGet.verb == HttpVerb.GET)
+
+        // find action with get request having path as others and status code as 200
+        val eval = RestIndividualSelectorUtils.findEvaluatedAction(listOfIndividuals, HttpVerb.GET, others, 200 )
+        val actionWithPathOthers = eval!!.action as RestCallAction
+        val actionWithPathOthersResult = eval.result as RestCallResult
+
+        assertTrue(actionWithPathOthers.verb == HttpVerb.GET)
+        assertTrue(actionWithPathOthersResult.getStatusCode() == 200)
     }
 
 }