blst-security / cherrybomb

Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
https://www.blstsecurity.com/cherrybomb
Apache License 2.0

Stack overflow with circular references. #26

Open pms1969 opened 2 years ago

pms1969 commented 2 years ago

**Describe the bug**
When trying to analyse a specific swagger.json file, cherrybomb exits with a stack overflow.

**To Reproduce**
Steps to reproduce the behavior:

  1. extract the zip file; the json file contained within is 129 lines long; too big to paste here sensibly but not extravagant
  2. run `cherrybomb oas -f ./mvr.json` (attachment: mvr.json.zip)
  3. See error:

```
No config file was loaded to the scan, default configuration is being used

thread 'main' has overflowed its stack
fatal runtime error: stack overflow
[1] 27024 abort cherrybomb oas -f ./mvr.json
```

**Expected behavior**
I would expect cherrybomb to identify the circular reference and warn on it.

**Desktop (please complete the following information):**
 - OS: MacOS
 - Version 12.x

**Additional context**
The json setup of the swagger file won't make much sense.  I sanitised it, and reduced what was a ~9k line file into something as small as I was willing to go without spending too much time on it.  It reliably reproduces the problem I was observing.

Discussed in discord.

ThaDaVos commented 2 years ago

I am having the same issue - was looking for an OpenAPI 3 validator, found cherrybomb (which looks amazing) - but sadly it fails when the api-docs contain circular references. In my case, this is caused because we have schemas referencing each other because of two-way relations stuff.

RazMag commented 2 years ago

I've added for now a specific panic for circular references. Will soon add this as a passive test.
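The overflow both reporters hit is what happens when a resolver follows `$ref` chains recursively without tracking which references are already being resolved. As an added example (not cherrybomb's code), the walker below keeps the refs on the current path and reports a cycle instead of descending into it; the spec is constructed, with `Order` and `Customer` referencing each other as in the two-way relation case from the thread.

```python
# Added example, not cherrybomb's code: walk an OpenAPI document's local $ref
# pointers and report cycles instead of recursing until the stack overflows.
from typing import Any

# Constructed spec (not the reporter's mvr.json): Order and Customer reference
# each other, the two-way relation case from the thread; Address is acyclic.
SAMPLE_SPEC = {
    "openapi": "3.0.0",
    "components": {"schemas": {
        "Order": {"type": "object", "properties": {
            "customer": {"$ref": "#/components/schemas/Customer"}}},
        "Customer": {"type": "object", "properties": {
            "orders": {"type": "array",
                       "items": {"$ref": "#/components/schemas/Order"}}}},
        "Address": {"type": "object", "properties": {"city": {"type": "string"}}},
    }},
}

def resolve_pointer(spec: dict, ref: str) -> Any:
    """Resolve a local JSON pointer such as '#/components/schemas/Order'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node: Any = spec
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node

def find_circular_refs(spec: dict) -> list[list[str]]:
    """Depth-first walk: a $ref already on the current path is a cycle."""
    cycles: list[list[str]] = []
    explored: set[str] = set()  # refs whose subtree has been fully walked

    def walk(node: Any, path: list[str]) -> None:
        if isinstance(node, dict):
            ref = node.get("$ref")
            if isinstance(ref, str):
                if ref in path:  # back edge: record the cycle, do not follow it
                    cycles.append(path[path.index(ref):] + [ref])
                elif ref not in explored:  # bounded by distinct refs, not depth
                    walk(resolve_pointer(spec, ref), path + [ref])
                    explored.add(ref)
                return
            for child in node.values():
                walk(child, path)
        elif isinstance(node, list):
            for child in node:
                walk(child, path)

    walk(spec, [])
    return cycles
```

Running `find_circular_refs(SAMPLE_SPEC)` returns the single chain `Customer -> Order -> Customer`, which is the condition a validator can report as a finding rather than crash on.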