Endava / cats

CATS is a REST API Fuzzer and negative testing tool for OpenAPI endpoints. CATS automatically generates, runs and reports tests with minimum configuration and no coding effort. Tests are self-healing and do not require maintenance.
Apache License 2.0

NumberFormatException: input string #78

Closed security101 closed 1 year ago

security101 commented 1 year ago

CATS, version 9.0.1, build-time 2023-08-11T17:48:57Z UTC running environments: linux (centos)

openjdk version "17.0.6-ea" 2023-01-17 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.6.0.9-0.3.ea.el8) (build 17.0.6-ea+9-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.6.0.9-0.3.ea.el8) (build 17.0.6-ea+9-LTS, mixed mode, sharing)

command: `java -jar cats.jar lint --contract=swagger.json`

API definition of Dependency-Track (https://github.com/DependencyTrack/dependency-track)

```json
{
  "swagger" : "2.0",
  "info" : {
    "version" : "4.8.2",
    "title" : "Dependency-Track API"
  }
}
```

error message:

```
[**********][*******] ▶ start      Start fuzzing path /v1/notification/publisher 
java.lang.NumberFormatException: For input string: "Alnum"
        at java.base/java.lang.NumberFormatException.forInputString(NumberFormatException.java:67)
        at java.base/java.lang.Integer.parseInt(Integer.java:668)
        at java.base/java.lang.Integer.parseInt(Integer.java:786)
        at com.github.curiousoddman.rgxgen.parsing.dflt.DefaultTreeBuilder.handleRepeatInCurvyBraces(DefaultTreeBuilder.java:472)
        at com.github.curiousoddman.rgxgen.parsing.dflt.DefaultTreeBuilder.handleRepeat(DefaultTreeBuilder.java:518)
        at com.github.curiousoddman.rgxgen.parsing.dflt.DefaultTreeBuilder.handleRepeatCharacter(DefaultTreeBuilder.java:314)
        at com.github.curiousoddman.rgxgen.parsing.dflt.DefaultTreeBuilder.parseGroup(DefaultTreeBuilder.java:249)
        at com.github.curiousoddman.rgxgen.parsing.dflt.DefaultTreeBuilder.build(DefaultTreeBuilder.java:679)
        at com.github.curiousoddman.rgxgen.parsing.dflt.DefaultTreeBuilder.get(DefaultTreeBuilder.java:688)
        at com.github.curiousoddman.rgxgen.RgxGen.<init>(RgxGen.java:71)
        at com.github.curiousoddman.rgxgen.RgxGen.<init>(RgxGen.java:62)
        at com.endava.cats.generator.simple.StringGenerator.generateUsingRgxGenerator(StringGenerator.java:72)
        at com.endava.cats.generator.simple.StringGenerator.generate(StringGenerator.java:62)
        at com.endava.cats.generator.simple.StringGenerator.generateValueBasedOnMinMax(StringGenerator.java:159)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.getExampleFromStringSchema(OpenAPIModelGenerator.java:183)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.resolvePropertyToExample(OpenAPIModelGenerator.java:116)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.parseFromInnerSchema(OpenAPIModelGenerator.java:359)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.processSchemaProperties(OpenAPIModelGenerator.java:303)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.resolveModelToExample(OpenAPIModelGenerator.java:279)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.getExampleFromArraySchema(OpenAPIModelGenerator.java:248)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.resolvePropertyToExample(OpenAPIModelGenerator.java:120)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.parseFromInnerSchema(OpenAPIModelGenerator.java:359)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.processSchemaProperties(OpenAPIModelGenerator.java:303)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.resolveModelToExample(OpenAPIModelGenerator.java:279)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.getExampleFromArraySchema(OpenAPIModelGenerator.java:248)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.resolvePropertyToExample(OpenAPIModelGenerator.java:120)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.parseFromInnerSchema(OpenAPIModelGenerator.java:359)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.processSchemaProperties(OpenAPIModelGenerator.java:303)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.resolveModelToExample(OpenAPIModelGenerator.java:279)
        at com.endava.cats.model.generator.OpenAPIModelGenerator.generate(OpenAPIModelGenerator.java:96)
        at com.endava.cats.factory.FuzzingDataFactory.generateSample(FuzzingDataFactory.java:353)
        at com.endava.cats.factory.FuzzingDataFactory.getResponsePayloads(FuzzingDataFactory.java:581)
        at com.endava.cats.factory.FuzzingDataFactory.getFuzzDataForHttpMethod(FuzzingDataFactory.java:197)
        at com.endava.cats.factory.FuzzingDataFactory.getFuzzDataForPost(FuzzingDataFactory.java:154)
        at com.endava.cats.factory.FuzzingDataFactory.fromPathItem(FuzzingDataFactory.java:85)
        at com.endava.cats.factory.FuzzingDataFactory_ClientProxy.fromPathItem(Unknown Source)
        at com.endava.cats.command.CatsCommand.fuzzPath(CatsCommand.java:312)
        at com.endava.cats.command.CatsCommand.startFuzzing(CatsCommand.java:230)
        at com.endava.cats.command.CatsCommand.doLogic(CatsCommand.java:183)
        at com.endava.cats.command.CatsCommand.run(CatsCommand.java:137)
        at com.endava.cats.command.LintCommand.run(LintCommand.java:58)
        at picocli.CommandLine.executeUserObject(CommandLine.java:2026)
        at picocli.CommandLine.access$1500(CommandLine.java:148)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2461)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2453)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2415)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2273)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2417)
        at picocli.CommandLine.execute(CommandLine.java:2170)
        at com.endava.cats.CatsMain.run(CatsMain.java:36)
        at com.endava.cats.CatsMain_ClientProxy.run(Unknown Source)
        at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:132)
        at io.quarkus.runtime.Quarkus.run(Quarkus.java:71)
        at io.quarkus.runtime.Quarkus.run(Quarkus.java:44)
        at io.quarkus.runner.GeneratedMain.main(Unknown Source)
```

[swagger.json.zip](https://github.com/Endava/cats/files/12495904/swagger.json.zip)

en-milie commented 1 year ago

Hi @security101. Thank you for this one also. I'll pick this up this week.

en-milie commented 1 year ago

I recommend changing the regex from `^\\p{Alnum}*$` to `^[\\p{Alnum}]*$`. The library used to generate random data interprets the curly braces as length tags.
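
The explanation above generalizes to every `pattern` in a spec: `java.util.regex` reads `\p{Alnum}` as a POSIX character class, while a generator that treats `{...}` after a character as a `{min,max}` repetition will try to parse `Alnum` as an integer, which is exactly the `NumberFormatException` in the trace. Because `[\p{Alnum}]` matches the same strings as `\p{Alnum}` in Java, wrapping the class in brackets is a safe, mechanical rewrite. The following Python script is an added example, not code from CATS or from this issue: it walks a loaded OpenAPI/Swagger document, reports every `pattern` that contains a bare `\p{...}` or `\P{...}` class outside a character class as a JSON pointer, and produces a rewritten copy. The embedded `SAMPLE_SPEC` is constructed for the demonstration and is not the Dependency-Track definition attached above.

```python
r"""Find and rewrite OpenAPI `pattern` values that use a bare \p{...} class.

java.util.regex accepts both `^\p{Alnum}*$` and `^[\p{Alnum}]*$` and they match
the same strings, so wrapping the class in brackets is a safe rewrite for a
generator that reads `{Alnum}` as a `{min,max}` repetition count.
"""
import copy
import json
import re
from typing import Iterator

# \p{Name}, \P{Name}, or the one-letter form \pL / \PL.
_PROP_CLASS = re.compile(r"\\[pP](?:\{[^}]+\}|[A-Za-z])")


def wrap_bare_property_classes(pattern: str) -> str:
    r"""Wrap every \p{...} that is NOT already inside [...] in its own class.

    ^\p{Alnum}*$    -> ^[\p{Alnum}]*$     (the rewrite suggested in the issue)
    ^[\p{Alnum}-]*$ -> unchanged          (already inside a class)
    Other escapes (\d, \\, \[) are copied through verbatim. \Q...\E quoting and
    COMMENTS mode are not handled; OpenAPI patterns rarely use them.
    """
    out = []
    depth = 0  # >0 while inside a character class; Java allows nesting
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":
            m = _PROP_CLASS.match(pattern, i)
            if m and depth == 0:
                out.append("[" + m.group(0) + "]")
                i = m.end()
                continue
            out.append(pattern[i:i + 2])  # keep the escape pair as-is
            i += 2
            continue
        if ch == "[":
            depth += 1
        elif ch == "]" and depth > 0:
            depth -= 1
        out.append(ch)
        i += 1
    return "".join(out)


def find_affected_patterns(spec) -> Iterator[tuple[str, str, str]]:
    """Yield (json_pointer, original, rewritten) for each `pattern` that changes.

    Only string-valued `pattern` keys are considered, so a schema *property*
    named "pattern" (whose value is an object) is skipped; a string-valued
    "pattern" key inside an `example` object would still be reported.
    """
    def walk(node, pointer):
        if isinstance(node, dict):
            for key, value in node.items():
                child = pointer + "/" + key.replace("~", "~0").replace("/", "~1")
                if key == "pattern" and isinstance(value, str):
                    fixed = wrap_bare_property_classes(value)
                    if fixed != value:
                        yield child, value, fixed
                else:
                    yield from walk(value, child)
        elif isinstance(node, list):
            for idx, value in enumerate(node):
                yield from walk(value, f"{pointer}/{idx}")
    yield from walk(spec, "")


def rewrite_spec(spec):
    """Return a deep copy of `spec` with every affected `pattern` rewritten."""
    fixed = copy.deepcopy(spec)
    for pointer, _old, new in find_affected_patterns(spec):
        node = fixed
        parts = pointer.split("/")[1:]
        for part in parts[:-1]:
            part = part.replace("~1", "/").replace("~0", "~")
            node = node[int(part)] if isinstance(node, list) else node[part]
        node[parts[-1]] = new  # the last segment is always the literal key "pattern"
    return fixed


# Constructed Swagger 2.0 fragment shaped like the report; not the real Dependency-Track spec.
SAMPLE_SPEC = json.loads(r"""
{
  "swagger": "2.0",
  "info": {"version": "0.0.0", "title": "Constructed sample"},
  "definitions": {
    "Publisher": {
      "type": "object",
      "properties": {
        "name":    {"type": "string", "pattern": "^\\p{Alnum}*$"},
        "slug":    {"type": "string", "pattern": "^[\\p{Alnum}_-]{1,64}$"},
        "code":    {"type": "string", "pattern": "^\\p{Lu}\\pL+\\d{2,4}$"},
        "pattern": {"type": "string", "description": "a property that happens to be named pattern"}
      }
    }
  }
}
""")

if __name__ == "__main__":
    for pointer, old, new in find_affected_patterns(SAMPLE_SPEC):
        print(f"{pointer}: {old}  ->  {new}")
```

To run it against a real definition, `json.load` the file and pass the result to `find_affected_patterns` (to see what would change) or `rewrite_spec` (to get a corrected copy to dump back out). The rewrite is only equivalent for engines that support `\p{...}` inside a character class, which Java does; if a spec is also consumed by a non-Java validator, check that validator's regex dialect before committing the change.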

en-milie commented 1 year ago

I will close this now. Please use the fix suggested in the previous comment.