microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Question: Dependency Inference and/or annotation #444

Open wilsondy opened 2 years ago

wilsondy commented 2 years ago

Thanks for your help!

I have a dependency scheme as follows:

POST /customers {..body..} -> (response) {id:}
POST /projects: {customerId: , ...} -> (response) {..etc..}

Based on the Annotations.md file, the ICSE19 paper and the dependency-related files I get from Compile, this doesn't seem to be supported in annotation format (I can describe it, but don't get anything in dependencies.json) nor automatically inferred; am I reading that right?

I have both query parameters and body parameters to work through... here's a sample of the annotations I've tried

[screenshot of the annotations tried]

marina-p commented 2 years ago

Hello @wilsondy,

This case cannot be inferred automatically, but your middle annotation above should have worked.

Here's a simple example below (will post in a separate comment so it's easier to copy) where it does work for me with the latest RESTler. Would you be able to share a reduced repro of your schema (perhaps by adding onto the simple example above) which still has the problem that the dependency is not inferred?

Thanks,

Marina

marina-p commented 2 years ago

Simple working example:

{
  "openapi": "3.0.0",
  "servers": [
    {
      "url": "http://localhost:4000/"
    }
  ],
  "security": [
    {
      "bearerAuth": []
    }
  ],
  "paths": {
    "/customers": {
      "post": {
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/Customer"
              }
            }
          }
        },
        "responses": {
          "201": {
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Customer"
                }
              }
            },
            "description": "Created"
          }
        }
      }
    },
    "/projects": {
      "post": {
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/Project"
              }
            }
          }
        },
        "responses": {
          "201": {
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Project"
                }
              }
            },
            "description": "Created"
          }
        }
      }

    }
  },
  "components": {
    "schemas": {
      "Customer": {
        "properties": {
          "id": {
            "format": "uuid",
            "type": "string"
          }
        }
      },
      "Project": {
        "properties": {
          "customerId": {
            "format": "uuid",
            "type": "string"
          }
        }
      }
    }
  }
}

annotation file:

{
    "x-restler-global-annotations": [
        {
            "consumer_param": "customerId",
            "producer_resource_name": "id",
            "producer_method": "POST",
            "producer_endpoint": "/customers"
        }
    ]
}

config:

...
  "AnnotationFilePath": ".\\annotations.json",
...

The grammar has:

    primitives.restler_static_string("{"),
    primitives.restler_static_string("""
    "customerId":"""),
    primitives.restler_static_string(_customers_post_id.reader(), quoted=True),
    primitives.restler_static_string("}"),

wilsondy commented 2 years ago

I can't get your example to work for me. I thought maybe it was a Mac thing, so I tried Linux and Windows 2019 Server

For example, on Windows: Dotnet 5.0.404 Python 3.8.2 Restler freshly downloaded and built from main.

I took your files exactly, and here's my config file:

{
  "SwaggerSpecConfig": [
    {
      "SpecFilePath": "openapi.json",
      "AnnotationFilePath": "annotations.json"
    }
  ]
}

I know the annotations are being picked up, because if I create an invalid annotations JSON, it fails to compile.

What have I missed?

[screenshot of my grammar.py]

wilsondy commented 2 years ago

I found it... config property needs to be:

"ResolveBodyDependencies": true

marina-p commented 2 years ago

Hello, great that you got it working. What's strange is that if I pass your exact config above with the two file paths and nothing else, in my setup the RESTler-generated Compile\config.json has a default value of true for this setting, but for some reason in your setup it sounds like it was being set to false. If you figured out why that was happening, it would be great if you could share.
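The thread shows two separate reasons an annotation can silently fail to show up in grammar.py: the annotation does not line up with the spec (wrong producer endpoint/method, a producer_resource_name that is not a response field, a consumer_param that no request carries), or the compile config has ResolveBodyDependencies turned off. The following Python script is an added example, not code from the restler-fuzzer project, that runs those checks before compiling so the failure is visible instead of silent. It is a heuristic pre-flight, not RESTler's own dependency-resolution algorithm: it assumes RESTler matches producer_resource_name against property names in the producer's response schema and consumer_param against body properties or parameter names, which is what the working annotation in this thread relies on. The OpenAPI document, annotation list and config embedded in it are constructed for the example and mirror the Customer/Project shapes above; the second annotation and the false ResolveBodyDependencies setting are deliberately wrong so the report shows both failure modes.

```python
"""Pre-flight check for RESTler global annotations (added example, not
restler-fuzzer code). Reports annotations that cannot line up with the
OpenAPI spec, and a compile config that disables body dependency resolution."""

METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed sample inputs with the same shapes as the files RESTler reads.
OPENAPI = {
    "openapi": "3.0.0",
    "paths": {
        "/customers": {"post": {
            "requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Customer"}}}},
            "responses": {"201": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Customer"}}}}},
        }},
        "/projects": {"post": {
            "parameters": [{"name": "customerId", "in": "query", "schema": {"type": "string"}}],
            "requestBody": {"content": {"application/json": {"schema": {"$ref": "#/components/schemas/Project"}}}},
            "responses": {"201": {"description": "Created"}},
        }},
    },
    "components": {"schemas": {
        "Customer": {"properties": {"id": {"type": "string", "format": "uuid"}}},
        "Project": {"properties": {"customerId": {"type": "string", "format": "uuid"}}},
    }},
}
ANNOTATIONS = {"x-restler-global-annotations": [
    # The working annotation from the thread.
    {"consumer_param": "customerId", "producer_resource_name": "id",
     "producer_method": "POST", "producer_endpoint": "/customers"},
    # Deliberately broken: the /customers response has no 'customer_id' field.
    {"consumer_param": "customerId", "producer_resource_name": "customer_id",
     "producer_method": "POST", "producer_endpoint": "/customers"},
]}
CONFIG = {
    "SwaggerSpecConfig": [{"SpecFilePath": "openapi.json", "AnnotationFilePath": "annotations.json"}],
    "ResolveBodyDependencies": False,  # the setting that bit the original poster
}

def resolve_ref(doc, ref):
    """Follow a local JSON pointer such as '#/components/schemas/Customer'."""
    node = doc
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node

def property_names(doc, schema, seen=frozenset()):
    """Field names reachable from a schema through $ref, allOf/oneOf/anyOf, items and nested objects."""
    if not isinstance(schema, dict):
        return set()
    ref = schema.get("$ref")
    if ref:  # 'seen' guards against recursive schemas
        return set() if ref in seen else property_names(doc, resolve_ref(doc, ref), seen | {ref})
    names = set(schema.get("properties", {}))
    subschemas = list(schema.get("properties", {}).values())
    subschemas += [s for key in ("allOf", "oneOf", "anyOf") for s in schema.get(key, [])]
    subschemas += [schema["items"]] if "items" in schema else []
    for sub in subschemas:
        names |= property_names(doc, sub, seen)
    return names

def content_schemas(node):
    """Every schema under a requestBody or response 'content' map."""
    return [m["schema"] for m in (node or {}).get("content", {}).values() if "schema" in m]

def response_fields(doc, op):
    """Field names a producer operation can return, across all documented responses."""
    return set().union(*(property_names(doc, s) for r in op.get("responses", {}).values() for s in content_schemas(r)))

def request_fields(doc, op, path_item):
    """Body properties plus path/query/header parameter names a consumer operation accepts."""
    names = set().union(*(property_names(doc, s) for s in content_schemas(op.get("requestBody"))))
    for param in path_item.get("parameters", []) + op.get("parameters", []):
        names.add(resolve_ref(doc, param["$ref"])["name"] if "$ref" in param else param["name"])
    return names

def check_annotations(doc, annotations, config):
    """Return a list of findings; an empty list means every annotation is resolvable."""
    paths, findings = doc.get("paths", {}), []
    consumers = set().union(*(request_fields(doc, op, item) for item in paths.values()
                              for method, op in item.items() if method in METHODS))
    for ann in annotations.get("x-restler-global-annotations", []):
        endpoint, method, field = ann["producer_endpoint"], ann["producer_method"], ann["producer_resource_name"]
        tag = f"{method} {endpoint} -> {ann['consumer_param']}"
        op = paths.get(endpoint, {}).get(method.lower())
        if op is None:
            findings.append(f"{tag}: producer {method} {endpoint} is not in the spec")
        elif field not in response_fields(doc, op):
            findings.append(f"{tag}: '{field}' is not a field of any {endpoint} response")
        if ann["consumer_param"] not in consumers:
            findings.append(f"{tag}: '{ann['consumer_param']}' is not a body property or parameter of any request")
    if config.get("ResolveBodyDependencies") is False:
        findings.append("config: ResolveBodyDependencies is false, so body dependencies will not be resolved")
    return findings

if __name__ == "__main__":
    for finding in check_annotations(OPENAPI, ANNOTATIONS, CONFIG):
        print(finding)
```

Run it as-is and it reports the broken second annotation and the disabled setting; with only the first annotation and ResolveBodyDependencies left at its default it reports nothing, which matches the state in which marina-p's example produced the `_customers_post_id.reader()` line in grammar.py. To use it on real files, load openapi.json, annotations.json and the compiler config with json.load and pass the three dicts to check_annotations.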