Yelp / fuzz-lightyear

A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.

petstore fails with JSONDecodeError on user.loginUser #1

Open domanchi opened 5 years ago

domanchi commented 5 years ago

Reproduction Steps

$ fuzz-lightyear https://petstore.swagger.io/v2/swagger.json -v -t user.loginUser
...
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Analysis

Looking at the issue, it looks like petstore's swagger specification doesn't specify its types that it produces accurately.

...
/user/login:
  get:
    tags:
    - "user"
    summary: "Logs user into the system"
    operationId: "loginUser"
    produces:
    - "application/xml"
    - "application/json"

Bravado then interprets this value literally, and tries to JSON decode it, thereby causing a JSON decode error.

After all, in practice, it only returns a string:

$ curl -X GET 'https://petstore.swagger.io/v2/user/login?username=%08%1B%16%05&password=%F3%90%8D%B3+%2B%0C'
logged in user session:1563475979713

Action Steps

We need to decide whether we should accept this as "functioning by design", or whether we should work around this limitation, and modify our assumption that Swagger files are accurate.

OiCMudkips commented 5 years ago

My opinion is that we shouldn't be trying to work around invalid Swagger files. We've actually hit this before, but in that case the Swagger/OpenAPI maintainers just updated the examples to have a type field. (see Yelp/bravado#416 and OAI/OpenAPI-Specification#1923)

I couldn't figure out where the source code for petstore.swagger.io was before, but if it's open-source and you can find it, you can get free green boxes by submitting a PR to update the website :)
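
The mismatch discussed in this thread, as an added example (not code from fuzz-lightyear or bravado): a standalone check that compares a response with the operation's declared `produces` before decoding, so a plain-text body is reported as a spec mismatch instead of raising an unhandled JSONDecodeError. The Content-Type header values are assumptions, since the issue shows only the response body, and `check_response` and `media_type` are hypothetical names.

```python
import json

# From the issue: the `produces` list declared for loginUser in petstore's spec.
DECLARED_PRODUCES = ["application/xml", "application/json"]
# From the issue: the body the curl request actually returned.
OBSERVED_BODY = "logged in user session:1563475979713"


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def check_response(produces, content_type, body):
    """Compare a response with the operation's declared `produces`.

    Returns (verdict, decoded), where verdict is one of:
      'ok'              - declared type, and a JSON body decodes as JSON
      'undeclared_type' - Content-Type header is not listed in `produces`
      'body_mismatch'   - header claims JSON but the body is not JSON
    """
    declared = {media_type(p) for p in produces}
    actual = media_type(content_type)
    if actual not in declared:
        return "undeclared_type", body
    if actual == "application/json" or actual.endswith("+json"):
        try:
            return "ok", json.loads(body)
        except json.JSONDecodeError:
            # Same failure as in the issue, caught and classified.
            return "body_mismatch", body
    # Other declared types (e.g. XML) are passed through undecoded here.
    return "ok", body


if __name__ == "__main__":
    # Constructed header values (assumptions; the issue does not show them).
    for header in ("application/json", "text/plain"):
        verdict, _ = check_response(DECLARED_PRODUCES, header, OBSERVED_BODY)
        print(f"{header!r:22} -> {verdict}")
```

A fuzzer that records the verdict per operation can list inaccurate spec entries in its report without changing how valid responses are decoded.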