microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Custom headers are not recognized during compilation #205

Open Gurubg1 opened 3 years ago

Gurubg1 commented 3 years ago

Hi, I have this in api spec

"parameters": [
          {
            "name": "roleName",
            "in": "path",
            "description": "Rolename as identifier.",
            "required": true,
            "schema": {
              "type": "string"
            }
          },
          {
            "name": "tenantId",
            "in": "path",
            "description": "TenantId as identifier.",
            "required": true,
            "schema": {
              "type": "integer",
              "format": "int64"
            }
          },
          {
            "name": "TenantId",
            "in": "header",
            "description": "Enter TenantId for successful operation when user or plug-in or on-premise app token is used.",
            "schema": {
              "type": "string",
              "description": "Provide TenantId if the operation is based on user token."
            }
          },
          {
            "name": "Authorization",
            "in": "header",
            "description": "Supported token types:<ul><li/>User token: <strong>yes</strong><li/>Cloud application token: <strong>yes</strong><li/>On-premise application token: <strong>yes</strong><li/>Receiver plugin token: <strong>yes</strong></ul>See also <a href='/docs/ services/teamplay/general-information/access-tokens'>Authorizing requests with access tokens</a>.",
            "required": true,
            "schema": {
              "type": "string",
              "description": "OAuth Jwt Bearer token",
              "default": "Bearer {access token}"
            }
          }
        ]

But after compilation it is not recognizing this tenantid header. Grammar.json file does not contain this:

"headers": [
        [
          "Accept",
          "application/json"
        ],
        [
          "Host",
          null
        ]
      ]

Also, grammar.py does not have it:

request = requests.Request([
    primitives.restler_static_string("GET "),
    primitives.restler_static_string("/"),
    primitives.restler_static_string("api"),
    primitives.restler_static_string("/"),
    primitives.restler_static_string("roles"),
    primitives.restler_static_string("/"),
    primitives.restler_fuzzable_string("fuzzstring", quoted=False),
    primitives.restler_static_string("/"),
    primitives.restler_static_string("tenants"),
    primitives.restler_static_string("/"),
    primitives.restler_fuzzable_int("1"),
    primitives.restler_static_string(" HTTP/1.1\r\n"),
    primitives.restler_static_string("Accept: application/json\r\n"),
    primitives.restler_static_string("Host: \r\n"),
    primitives.restler_refreshable_authentication_token("authentication_token_tag"),
    primitives.restler_static_string("\r\n"),

Is this feature supported?

marina-p commented 3 years ago

Hello @Gurubg1,

Support for this was recently added. Are you building the latest version of RESTler from the main branch?

marina-p commented 3 years ago

Never mind, as you mentioned in the other issue, you are using the latest image from Docker Hub to set up RESTler. We've not deployed this feature to the container yet - this should take place sometime this week (look for when the RESTler version is modified).

Gurubg1 commented 3 years ago

Thanks very much @marina-p !! Taking the latest version from main branch and running locally has worked!
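A check for the symptom reported in this issue, as an added example that is not part of the thread or of RESTler: it lists header parameters declared in the spec that appear in no `"headers"` list of the compiled grammar.json. It assumes only the `[name, value]` pair layout quoted above, compares across the whole grammar rather than per request, and the `Requests` wrapper and all function names are illustrative.

```python
import json

# Constructed sample inputs, trimmed from the fragments quoted in the issue.
SPEC = json.loads("""
{"paths": {"/api/roles/{roleName}/tenants/{tenantId}": {"get": {"parameters": [
  {"name": "roleName", "in": "path", "required": true, "schema": {"type": "string"}},
  {"name": "tenantId", "in": "path", "required": true, "schema": {"type": "integer"}},
  {"name": "TenantId", "in": "header", "schema": {"type": "string"}},
  {"name": "Authorization", "in": "header", "required": true, "schema": {"type": "string"}}
]}}}}
""")
# The "Requests" wrapper is an assumption; only the "headers" pairs are from the issue.
GRAMMAR = json.loads(
    '{"Requests": [{"headers": [["Accept", "application/json"], ["Host", null]]}]}')

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
# Assumption: Authorization is skipped because the grammar.py shown emits it via
# restler_refreshable_authentication_token, not as a "headers" entry.
AUTH_HEADERS = {"authorization"}

def declared_headers(spec):
    """Names of inline header parameters on every operation ($ref entries are skipped)."""
    found = set()
    for item in spec.get("paths", {}).values():
        shared = item.get("parameters", [])
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                found.update(p["name"] for p in shared + op.get("parameters", [])
                             if p.get("in") == "header")
    return found

def grammar_headers(node):
    """Header names from every "headers" list of [name, value] pairs, at any depth."""
    names = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "headers" and isinstance(value, list):
                names.update(p[0] for p in value if isinstance(p, list) and p)
            else:
                names |= grammar_headers(value)
    elif isinstance(node, list):
        for child in node:
            names |= grammar_headers(child)
    return names

def missing_headers(spec, grammar):
    """Declared header parameters that no compiled request carries (case-insensitive)."""
    compiled = {str(h).lower() for h in grammar_headers(grammar)} | AUTH_HEADERS
    return sorted(h for h in declared_headers(spec) if h.lower() not in compiled)

print(missing_headers(SPEC, GRAMMAR))  # names dropped by the compiler
```

A header that is silently dropped at compile time is never fuzzed, so running a check like this after each compile keeps tenant-scoping headers from falling out of test coverage unnoticed.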

Gurubg1 commented 3 years ago

I have a few other questions:

  1. Some of the parameters of the APIs take urlencoded and base64 encoded strings. How to make RESTler send these?
  2. One of the APIs I am trying to fuzz returns 404 if the requested resource ("fuzzstring" in this case) is not present. But, fuzzing stops after sending just one request and getting 404.

marina-p commented 3 years ago

RE: 1. Can you please include what the specification declares for these parameters/properties? These aren't supported at this point, but you may be able to work around this by specifying a 'restler_custom_payload' with already encoded values for the parameter.

RE: 2. Could you please add a bit more detail: which mode are you running (Test or Fuzz)? What behavior are you expecting? (for example, do you expect the 'fuzzstring' resource to be present? if you are able to share the relevant parts of the fuzzing grammar, that would be helpful too)
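The workaround from RE: 1, sketched as an added example (not code from the thread or from RESTler): it pre-encodes raw values and merges them into the `restler_custom_payload` section of a fuzzing dictionary. It assumes that section maps a parameter name to a list of strings; the parameter name `encodedParam`, the sample value and the function names are hypothetical.

```python
import base64
import copy
import json
from urllib.parse import quote

def encoded_variants(raw_values):
    """URL-encoded and base64 forms of each raw value, in order, without duplicates."""
    out = []
    for raw in raw_values:
        b64 = base64.b64encode(raw.encode("utf-8")).decode("ascii")
        candidates = (
            quote(raw, safe=""),   # safe="" so "/" is encoded too (quote() keeps it by default)
            b64,                   # standard alphabet, may contain "+", "/" and "="
            quote(b64, safe=""),   # standard base64 made safe for a path or query position
            base64.urlsafe_b64encode(raw.encode("utf-8")).decode("ascii"),
        )
        for value in candidates:
            if value not in out:
                out.append(value)
    return out

def add_custom_payload(dictionary, param, raw_values):
    """Return a copy of the dictionary with encoded values appended for `param`."""
    merged = copy.deepcopy(dictionary)  # leave the caller's dictionary untouched
    payloads = merged.setdefault("restler_custom_payload", {})
    existing = payloads.get(param, [])
    payloads[param] = existing + [v for v in encoded_variants(raw_values)
                                  if v not in existing]
    return merged

# Constructed sample: a minimal dictionary and one raw value with "/", " " and "?".
BASE_DICT = {"restler_fuzzable_string": ["fuzzstring"], "restler_custom_payload": {}}
UPDATED = add_custom_payload(BASE_DICT, "encodedParam", ["a/b c?"])
print(json.dumps(UPDATED, indent=2))
```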

Gurubg1 commented 3 years ago

Thanks for the response! I have resolved my second question by adding a few annotations. Now I am stuck at generating unique values for certain inputs. I tried using the fuzzing dictionary with "restler_custom_payload_uuid4_suffix". But my API spec is an OpenAPI version 3.0 spec. It does not have 'definitions' but has 'components'. The compiler does not seem to recognize it. But if I add another section in the API spec with definitions as done here https://github.com/microsoft/restler-fuzzer/pull/96/files, it works. Is the version 3 OpenAPI spec supported?

marina-p commented 3 years ago

Hello @Gurubg1,

V3.0 is supported - we'll investigate what's happening with this specific case and get back to you shortly.