Forgotten auth oracle #1243
Forgotten auth oracle #1243
Conversation
core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt
Outdated
Show resolved
Hide resolved
core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
Outdated
Show resolved
Hide resolved
core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
Outdated
Show resolved
Hide resolved
core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
Outdated
Show resolved
Hide resolved
| * GET /resources/42/ AUTH1 -> 200 | ||
| */ | ||
| private fun handleForbiddenAuthentication(){ | ||
| actionDefinitions.forEach { op -> |
There was a problem hiding this comment.
this algorithm needs to be updated and matching what described in notes.txt. i made an update there to clarify things
core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt
Outdated
Show resolved
Hide resolved
core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| // if the same path has authenticated and unauthenticated success requests | ||
| if(checkAnyAuth.isNotEmpty() && a200WithoutAuth.isNotEmpty()){ |
There was a problem hiding this comment.
I'm not sure if this will cause any problems.
There was a problem hiding this comment.
why this check? doesn't seem correct. you could have an open endpoint where you get a 200 with and without auth. actually, you might want to explicitely have such a case in the E2E, to make sure it is not wrongly labelled as a bug
| val candidates = RestIndividualSelectorUtils.findIndividuals( | ||
| individualsInSolution, | ||
| op.verb, | ||
| op.path, |
There was a problem hiding this comment.
When the verb is PUT/POST, there is only one request left in here.
For example;
PUT /request 201 Auth -> FOO
GET /request 200 Auth -> FOO
Then only:
PUT /request 201 Auth -> FOO remains. Here, when FOO is replaced with NoAuth;
PUT /request 201 Auth -> NOAUTH becomes. There is no point in sending this request alone. I need to do something for such cases.
There was a problem hiding this comment.
sorry, not sure i follow this discussion
core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt
Outdated
Show resolved
Hide resolved
| it.auth !is NoAuth | ||
| } | ||
|
|
||
| // if the same path has authenticated and unauthenticated success requests |
There was a problem hiding this comment.
should be endpoint, not path
| } | ||
|
|
||
| // if the same path has authenticated and unauthenticated success requests | ||
| if(checkAnyAuth.isNotEmpty() && a200WithoutAuth.isNotEmpty()){ |
There was a problem hiding this comment.
why this check? doesn't seem correct. you could have an open endpoint where you get a 200 with and without auth. actually, you might want to explicitely have such a case in the E2E, to make sure it is not wrongly labelled as a bug
| individualsInSolution, | ||
| op.verb, | ||
| op.path, | ||
| statusGroup = StatusGroup.G_4xx, |
There was a problem hiding this comment.
this is not correct. it would pick any in 4xx, like 400 and 404
| individualsInSolution, | ||
| op.verb, | ||
| op.path, | ||
| statusGroup = StatusGroup.G_2xx |
There was a problem hiding this comment.
the auth check could be done here, there is parameter for it
| val candidates = RestIndividualSelectorUtils.findIndividuals( | ||
| individualsInSolution, | ||
| op.verb, | ||
| op.path, |
There was a problem hiding this comment.
sorry, not sure i follow this discussion
| ) | ||
| finalIndividual.seeMainExecutableActions().last().auth = HttpWsNoAuth() | ||
|
|
||
| finalIndividual.seeMainExecutableActions() |
There was a problem hiding this comment.
not following this... let's discuss it in our meeting
| actionResults: List<ActionResult>, | ||
| fv: FitnessValue | ||
| ) { | ||
| val getPaths = individual.seeMainExecutableActions() |
There was a problem hiding this comment.
should be on the endpoints, not paths. you can get it with the getName, which for REST actions is the endpoint
| val a = individual.seeMainExecutableActions()[index] | ||
| val r = actionResults.find { it.sourceLocalId == a.getLocalId() } as RestCallResult | ||
|
|
||
| if(a.auth is NoAuth && faultyPaths.contains(a.path) && r.getStatusCode() == 200){ |
There was a problem hiding this comment.
why 200? any in the 2xx family would do. can use checks in StatusGroup
|
|
||
| if(a.auth is NoAuth && faultyPaths.contains(a.path) && r.getStatusCode() == 200){ | ||
| val scenarioId = idMapper.handleLocalTarget( | ||
| idMapper.getFaultDescriptiveId(FaultCategory.SECURITY_FORGOTTEN_AUTHENTICATION, a.getName()) |
There was a problem hiding this comment.
yep, here the a.getName() is the endpoint VERB:PATH
No description provided.