UnitTestBot / UTBotJava

Automated unit test generation and precise code analysis for Java
Apache License 2.0

Generated test didn't pass Spring Security's firewall. #2726

Open ancavar opened 9 months ago

ancavar commented 9 months ago

To Reproduce

  1. Add Spring Security to dependencies
  2. Generate integration tests for a controller method that has a @PathVariable parameter.
    // Minimal reproduction handler: binds the {name} path segment and returns it unchanged.
    // NOTE(review): the value comes straight from the request URL and is neither validated nor encoded here.
    // How the returned String is used (response body or view name) depends on the controller annotation,
    // which is not shown. Outside a reproduction, constrain or encode it before returning.
    @GetMapping("/{name}")
    public String demo(@PathVariable String name) {
        return name;
    }

Expected behavior

Test should not fail.

Actual behavior

/**
     * Generated integration test for {@code demo(String)}: fills the {@code /{name}} template with a fuzzed
     * value and sends a GET request through {@code mockMvc}.
     *
     * NOTE(review): the rejection below comes from Spring Security's {@code StrictHttpFirewall}, which treats
     * an encoded percent sign ("%25") in the URL as suspicious. The fuzzed value contains no '%' character,
     * so the "%25" presumably results from the URI being encoded twice: once by {@code toUriString()} and
     * again when {@code get(String, Object...)} processes the string as a template (confirm against the
     * Spring version in use). The firewall is doing its job here; to make the test pass, assert the rejection
     * or avoid the second encoding rather than relaxing the firewall (for example by allowing URL-encoded
     * percent). The value also contains a backslash, which the default firewall settings likely reject even
     * without double encoding (TODO confirm).
     *
     * @utbot.classUnderTest {@link BookController}
     * @utbot.methodUnderTest {@link BookController#demo(String)}
     */
    @Test
    @DisplayName("demo: name = '\uFFEA#$\\\"'' (mutated from '#$\\\"'') -> throw RequestRejectedException")
    public void testDemoThrowsRREWithNonEmptyString() throws Exception {
        // Build the request URI from the same template the controller maps.
        UriComponentsBuilder uriComponentsBuilder = fromPath("/{name}");
        // NOTE(review): raw Map/HashMap as emitted by the generator; kept as-is.
        Map map = new HashMap();
        // Fuzzed path-variable value: U+FFEA followed by # $ \ " '
        map.put("name", "\uFFEA#$\\\"'");
        UriComponentsBuilder uriComponentsBuilder1 = uriComponentsBuilder.uriVariables(map);
        // The variable is substituted into the template when the builder is rendered to a string.
        String string = uriComponentsBuilder1.toUriString();
        // No further URI variables are passed to get(); the string is still handed over as a URL template.
        Object[] objectArray = {};
        MockHttpServletRequestBuilder mockHttpServletRequestBuilder = get(string, objectArray);

        // NOTE(review): the display name and method name announce a RequestRejectedException, but nothing
        // here asserts it. The exception propagates out of perform(), so the test is reported as failing.
        /* This test fails because method [org.springframework.test.web.servlet.MockMvc.perform] produces [org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%25"]
            org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:369)
            org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:336)
            org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
            org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
            org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
            org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
            org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
            org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
            org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.test.web.servlet.MockMvc.perform(MockMvc.java:183) */
        mockMvc.perform(mockHttpServletRequestBuilder);
    }
    ///endregion