Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0
1.11k stars 76 forks

[Bug]: Path parameters are not fuzzed for PUT/PATCH/POST methods #101

Closed ganeshnikam18 closed 1 month ago

ganeshnikam18 commented 4 months ago

Sample OpenAPI Definition:

paths:
  /test1/{orderId}:
    put:
      summary: Create a new resource
      parameters:
        - in: path
          name: orderId
          required: true
          schema:
            type: integer
      requestBody:
        description: Request payload
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/Order'
      responses:
        '200':
          description: successful operation
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Order'
        '400':
          description: the server cannot or will not process the request due to something that is perceived to be a client error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Order'
        '405':
          description: Invalid input
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Order'

components:
  schemas:
    Order:
      type: object
      properties:
        orderId:
          type: integer
        petId:
          type: number
        quantity:
          type: integer
        shipDate:
          type: string
        status:
          type: string
          description: Order Status
          example: approved
          enum:
            - placed
            - approved
            - delivered
        complete:
          type: boolean

What is the issue?

When the CATS tool fuzzes the above API with the HappyPath Fuzzer, it does not fuzz the 'orderId' path parameter. The URL is created like this: https://apiserver.com/test1/{oderId}

The requestBody (Order object) is fuzzed properly

Expected Behaviour

Ideally the 'orderId' path parameter should be fuzzed. Reference from Swagger Doc: https://swagger.io/docs/specification/describing-parameters/#path-parameters

Common Parameters for All Methods of a Path

Parameters shared by all operations of a path can be defined on the path level instead of the operation level. Path-level parameters are inherited by all operations of that path. A typical use case are the GET/PUT/PATCH/DELETE operations that manipulate a resource accessed via a path parameter.

For GET and DELETE method, the path parameter is fuzzed properly

en-milie commented 4 months ago

For POST/PUT/PATCH fuzzing is only happening at the request body level. Any path parameter must be supplied through the --urlParams argument. In your case it must be something like:

cats [OTHER ARGS] --urlParams "orderId:12345"

You can also use the --refData argument to supply a ref data file:

cats [OTHER ARGS] --refData refData.yaml

and refData.yaml has the following content:

/test1/{orderId}:
  orderId: 12345

ganeshnikam18 commented 4 months ago

I have checked both of the options which you have mentioned. But these options are useful for parameters where we want to provide a fixed value for that path parameter. This may not be the case for all path parameters. Like in the above example, "orderId" is a random number which is generated when that object is created in a POST request.

For very large files, where there are a large number of path parameters, the user may not create a refData file.

For such parameters we should exploit it with different fuzzers for PUT/PATCH type of requests to validate the server's implementation.

So I think we should also fuzz the path parameters if --urlParams OR refData is not given.
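For a large spec, the refData workaround discussed above can be scaffolded instead of written by hand. The following is an added example, not part of the thread and not CATS code: it merges path-level and operation-level parameters (the inheritance rule quoted from the Swagger docs) and emits a refData skeleton for POST/PUT/PATCH operations. The function names, placeholder values and the embedded spec are assumptions constructed for illustration.

```python
import json

BODY_METHODS = ("post", "put", "patch")  # methods where only the body is fuzzed
PLACEHOLDERS = {"integer": 1, "number": 1, "boolean": True}  # assumed sample values

# Constructed sample: the issue's /test1/{orderId} plus a path-level parameter case.
SPEC = json.loads("""
{"paths": {
  "/test1/{orderId}": {
    "put": {"parameters": [{"in": "path", "name": "orderId",
                            "required": true, "schema": {"type": "integer"}}]}},
  "/shops/{shopId}/items/{sku}": {
    "parameters": [{"in": "path", "name": "shopId", "schema": {"type": "string"}},
                   {"in": "path", "name": "sku", "schema": {"type": "string"}}],
    "patch": {"parameters": [{"in": "path", "name": "sku",
                              "schema": {"type": "integer"}}]}},
  "/health": {"post": {}}
}}
""")


def path_params(path_item, operation):
    """Merge path-level and operation-level parameters; the operation wins."""
    merged = {}
    for param in path_item.get("parameters", []) + operation.get("parameters", []):
        if param.get("in") == "path":  # unresolved $ref entries are skipped
            merged[param["name"]] = param.get("schema", {}).get("type", "string")
    return merged


def ref_data_skeleton(spec):
    """Return {path: {param: placeholder}} for POST/PUT/PATCH paths with path params."""
    skeleton = {}
    for path, item in spec.get("paths", {}).items():
        for method in (m for m in BODY_METHODS if m in item):
            for name, ptype in path_params(item, item[method]).items():
                skeleton.setdefault(path, {})[name] = PLACEHOLDERS.get(ptype, "CHANGE_ME")
    return skeleton


def to_ref_data_yaml(skeleton):
    """Render the skeleton in the two-level layout shown for refData.yaml."""
    return "".join(
        f"{path}:\n" + "".join(f"  {n}: {json.dumps(v)}\n" for n, v in params.items())
        for path, params in skeleton.items())


if __name__ == "__main__":
    print(to_ref_data_yaml(ref_data_skeleton(SPEC)), end="")
```

The placeholders still need to be replaced with identifiers that exist on the target server before the file is passed to --refData.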

en-milie commented 4 months ago

It seems like a good feature to have. I'll implement a fuzzer specific for this case. The current mechanism does not support simultaneous fuzzing for url and body.

ganeshnikam18 commented 2 months ago

@en-milie Does your fix in this commit add the fix for the above issue?

https://github.com/Endava/cats/commit/d368303a7b38e7ee0e831be676d6685682b149de

en-milie commented 1 month ago

@ganeshnikam18 No. It's this one: https://github.com/Endava/cats/commit/2d5318286291491e7437ea4b5fe9e0432a4d1c94

en-milie commented 1 month ago

I will close this now.