Use example attribute to determine the value of a parameter

w3af/core/data/parsers/doc/open_api/parameters.py

@@ -102,6 +102,7 @@ def _fix_common_spec_issues(self):
         self._fix_string_format()
         self._fix_string_with_invalid_format()
         self._fix_bad_default_for_number_type()
+        self._fix_bad_example_for_number_type()
 
     def _fix_string_format(self):
         """
@@ -202,6 +203,46 @@ def _fix_bad_default_for_number_type(self):
 
             parameter.param_spec['default'] = 0
 
+    def _fix_bad_example_for_number_type(self):
+        """
+        Sometimes developers set the example value to something that is not
+        valid for the type / format they specify.
+
+            {
+                "example": "",              <--------- THIS
+                "type": "string",
+                "name": "fields[Users]",
+                "in": "query",
+                "format": "int64",          <--------- THIS
+                "required": false,
+                "description": "Fields to be selected (csv)"
+            }
+
+        >>> long('')
+        ValueError: invalid literal for long() with base 10: ''
+
+        Just set a default value of zero if an empty string is specified.
+
+        :return: None
+        """
+        fix_formats = ['double', 'float', 'int32', 'int64']
+
+        for parameter_name, parameter in self.operation.params.iteritems():
+
+            param_format = parameter.param_spec.get('format', None)
+            param_example = parameter.param_spec.get('example', None)
+
+            if param_format not in fix_formats:
+                continue
+
+            if not isinstance(param_example, basestring):
+                continue
+
+            if param_example.isdigit():
+                continue
+
+            parameter.param_spec['example'] = 0
+
     def _set_param_value(self, parameter):
         """
         If the parameter has a default value, then we use that. If there is
@@ -213,13 +254,6 @@ def _set_param_value(self, parameter):
         :param parameter: The parameter for which we need to set a value
         :return: True if we were able to set the parameter value
         """
-        #
-        #   Easiest case, the parameter already has a default value
-        #
-        if parameter.default is not None:
-            parameter.fill = parameter.default
-            return True
-
         param_spec = parameter.param_spec
 
         value = self._get_param_value(param_spec)
@@ -256,7 +290,18 @@ def _get_param_value_for_type_and_spec(self, parameter_type, parameter_spec):
         :param parameter_spec: The parameter spec
         :return: The parameter value
         """
-        parameter_name = parameter_spec.get('name', None)
+        #
+        # Easiest cases, the parameter already has a default or example value
+        #
+        default_value = parameter_spec.get('default', None)
+
+        if default_value is not None:
+            return default_value
+
+        example_value = parameter_spec.get('example', None)
+
+        if example_value is not None:
+            return example_value
 
         # This handles the case where the value is an enum and can only be selected
         # from a predefined option list
@@ -289,6 +334,8 @@ def _get_param_value_for_type_and_spec(self, parameter_type, parameter_spec):
         if default_value is not None:
             return default_value
 
+        parameter_name = parameter_spec.get('name', None)
+
         if parameter_type == 'string':
             parameter_name = 'unknown' if parameter_name is None else parameter_name
             return smart_fill(parameter_name)

w3af/core/data/parsers/doc/open_api/tests/data/int_param_with_example_json.json

@@ -0,0 +1,71 @@
+{
+  "swagger": "2.0",
+  "info": {
+    "version": "1.0.0",
+    "title": "Swagger Petstore",
+    "description": "A sample API that uses a petstore as an example to demonstrate features in the swagger-2.0 specification",
+    "termsOfService": "http://swagger.io/terms/",
+    "contact": {
+      "name": "Swagger API Team"
+    },
+    "license": {
+      "name": "MIT"
+    }
+  },
+  "host": "petstore.swagger.io",
+  "basePath": "/api",
+  "schemes": [
+    "http"
+  ],
+  "consumes": [
+    "application/json"
+  ],
+  "produces": [
+    "application/json"
+  ],
+  "paths": {
+    "/pets": {
+      "post": {
+        "description": "Creates a new pet in the store.",
+        "operationId": "addPet",
+        "produces": [
+          "application/json"
+        ],
+        "parameters": [
+          {
+            "name": "pet",
+            "in": "body",
+            "description": "Pet to add to the store",
+            "required": true,
+            "schema": {
+              "$ref": "#/definitions/Pet"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "pet response",
+            "schema": {
+              "$ref": "#/definitions/Pet"
+            }
+          }
+        }
+      }
+    }
+  },
+  "definitions": {
+    "Pet": {
+      "type": "object",
+      "required": [
+        "count"
+      ],
+      "properties": {
+        "count": {
+          "type": "integer",
+          "format": "int32",
+          "example": 666999
+        }
+      }
+    }
+  }
+}

w3af/core/data/parsers/doc/open_api/tests/example_specifications.py

@@ -44,6 +44,11 @@ def get_specification(self):
         return file('%s/data/int_param_json.json' % CURRENT_PATH).read()
 
 
+class IntParamWithExampleJson(object):
+    def get_specification(self):
+        return file('%s/data/int_param_with_example_json.json' % CURRENT_PATH).read()
+
+
 class IntParamNoModelJson(object):
     def get_specification(self):
         return file('%s/data/int_param_no_model_json.json' % CURRENT_PATH).read()