A pytest-inspired, DAST framework, capable of identifying vulnerabilities in a distributed, micro-service ecosystem through chaos engineering testing and stateful, Swagger fuzzing.
tl;dr Fix the merging algorithm to not modify input dictionaries
Before, we were correctly merging the headers dictionary separately, since a top-level update would not merge the dictionaries correctly. However, we forgot to apply the same algorithm for the _request_options dictionary. This worked in tests because we don't have anything aside from headers in _request_options in the tests.
However, this meant that we were actually re-using and mutating the dictionary notated with a # THIS comment in the result. It turns out that this dictionary is the auth dictionary in FuzzingRequest.send(), and auth is cached. Thus, _merge_kwargs was modifying and polluting the cache.
Thus, the fix was to create a new _request_options dictionary for the output.
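A minimal reproduction of the aliasing bug described above, next to the fix of building a new `_request_options` dictionary. This is an added example, not fuzz-lightyear's own code: the function names, the `get_cached_auth` cache and the sample values are hypothetical.

```python
import copy
from functools import lru_cache


@lru_cache(maxsize=None)
def get_cached_auth(user):
    # Constructed stand-in for a cached auth lookup: the same dict object
    # is returned on every call for the same user.
    return {"_request_options": {
        "headers": {"Cookie": f"session={user}"}, "verify": True}}


def merge_kwargs_buggy(*args):
    # Headers are merged into a fresh dict, but _request_options is not.
    output, headers = {}, {}
    for entry in args:
        options = entry.get("_request_options", {})
        headers.update(options.get("headers", {}))
        if "_request_options" not in output:
            output["_request_options"] = options        # alias of the input
        else:
            output["_request_options"].update(options)  # mutates that input
        output.update({k: v for k, v in entry.items() if k != "_request_options"})
    if headers:
        output["_request_options"]["headers"] = headers
    return output


def merge_kwargs_fixed(*args):
    # The output owns a new _request_options dict; inputs are only read.
    output, headers = {"_request_options": {}}, {}
    for entry in args:
        options = entry.get("_request_options", {})
        output["_request_options"].update(
            {k: v for k, v in options.items() if k != "headers"})
        headers.update(options.get("headers", {}))
        output.update({k: v for k, v in entry.items() if k != "_request_options"})
    if headers:
        output["_request_options"]["headers"] = headers
    return output


def demo(merge):
    # Returns the merged kwargs and whether the cached auth dict is unchanged.
    get_cached_auth.cache_clear()
    auth = get_cached_auth("alice")
    before = copy.deepcopy(auth)
    extra = {"_request_options": {"headers": {"X-Test": "1"}, "timeout": 5}, "id": 7}
    return merge(auth, extra), get_cached_auth("alice") == before
```

Both functions return the same merged result; only the buggy one leaves the request-specific header and timeout behind in the cached auth entry, where later requests for the same user would pick them up.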