Skip to content

Commit

Permalink
more on security test
Browse files Browse the repository at this point in the history
  • Loading branch information
@arcuri82
arcuri82 committed May 8, 2024
1 parent c55d747 commit 5308562
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 5 deletions.
15 changes: 14 additions & 1 deletion core/src/main/kotlin/org/evomaster/core/problem/enterprise/EnterpriseIndividual.kt
View file
Expand Up @@ -32,7 +32,8 @@ import java.util.*
* per action, and not here in the initialization phase.
*/
abstract class EnterpriseIndividual(
val sampleType: SampleType,
//see https://discuss.kotlinlang.org/t/private-setter-for-var-in-primary-constructor/3640/11
private var sampleTypeField: SampleType,
/**
* a tracked operator to manipulate the individual (nullable)
*/
Expand Down Expand Up @@ -123,6 +124,18 @@ abstract class EnterpriseIndividual(
}
}

val sampleType get() = sampleTypeField

/**
* This should never happen directly during the search.
* However, we might manually create new individuals by modifying and copying existing individuals.
* In those cases it simple to modify the sample directly, instead of re-building with same actions
* (which actually could be a possibility...).
*/
fun modifySampleType(x: SampleType){
sampleTypeField = x
}

/**
* a list of db actions for its Initialization
*/
Expand Down
34 changes: 30 additions & 4 deletions core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
View file
Expand Up @@ -4,7 +4,6 @@ import com.google.inject.Inject
import javax.annotation.PostConstruct

import org.evomaster.core.logging.LoggingUtil
import org.evomaster.core.problem.api.param.Param
import org.evomaster.core.problem.enterprise.SampleType
import org.evomaster.core.problem.enterprise.auth.AuthSettings
import org.evomaster.core.problem.enterprise.auth.NoAuth
Expand All @@ -15,8 +14,9 @@ import org.evomaster.core.problem.rest.resource.RestResourceCalls

import org.evomaster.core.search.*
import org.evomaster.core.search.service.Archive
import org.evomaster.core.search.service.FitnessFunction
import org.evomaster.core.search.service.Randomness
import org.slf4j.Logger
import org.slf4j.LoggerFactory

//FIXME this needs to be cleaned-up

Expand All @@ -25,6 +25,10 @@ import org.evomaster.core.search.service.Randomness
*/
class SecurityRest {

companion object {
private val log: Logger = LoggerFactory.getLogger(SecurityRest::class.java)
}

/**
* Archive including test cases
*/
Expand Down Expand Up @@ -317,15 +321,37 @@ class SecurityRest {

val finalIndividual = individualToChooseForTest.copy() as RestIndividual
finalIndividual.addResourceCall(restCalls = RestResourceCalls(actions = mutableListOf(it), sqlActions = listOf()))
finalIndividual.modifySampleType(SampleType.SECURITY)

val evaluatedIndividual = fitness.computeWholeAchievedCoverageForPostProcessing(finalIndividual)
if(evaluatedIndividual == null){
log.warn("Failed to evaluate constructed individual in security testing phase")
return@forEach
}

//first, let's verify indeed second last action if a 403 DELETE. otherwise, it is a problem
val ema = evaluatedIndividual.evaluatedMainActions()
val secondLast = ema[ema.size-2]
if(!(secondLast.action is RestCallAction && secondLast.action.verb == HttpVerb.DELETE
&& secondLast.result is RestCallResult && secondLast.result.getStatusCode() == 403)){
log.warn("Issue with constructing evaluated individual. Expected a 403 DELETE, but got: $secondLast")
return@forEach
}

//now we can finally ask, is there a problem with last call?

//TODO new testing targets
/*
FIXME: if we do it only here, then we would lose this info if the test case is re-evaluated
for any reason... eg, in minimizer
need to think of a good, general solution...
let's do it directly in the fitness function, with new security test oracle
*/

// add the evaluated individual to the archive
if (evaluatedIndividual != null) {
archive.addIfNeeded(evaluatedIndividual)
}


}
}
Expand Down

0 comments on commit 5308562

Please sign in to comment.