microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

Dependency analysis failing with UUIDs and path variables different from Schemas #817

Closed Gby56 closed 9 months ago

Gby56 commented 9 months ago

Description

Hi !

I'm trying to increase my coverage and so far I don't understand how the compiler fails to identify the dependency, but I might have an idea.

I have these 2 paths:

bookId is a UUIDv4 that can be found from calling a simple GET on /books of course. I'm not sure that the compiler is able to understand the slightly weird camelCase for bookId? I might try to rename all the camelcases to id to simplify the spec, hoping that it resolves to the parent path perhaps.

EDIT: Also a main concern: I'm not seeing any call to GET /books in the logs, but it should be a "starter" request as every other path depends on bookIds I think.

Gby56 commented 9 months ago

Oh... is that the AllowGetProducers option perhaps? I'd like to have RESTler use some existing resources instead of trying to POST and reuse them.

New hurdle: I think endpoints that produce a List/Array from a GET can also wrap their response in a pagination object, like:

{
    "paging": {
        "total": 12,
        "offset": 0,
        "limit": 1
    },
    "data": [
        {
            "id":1234,
            "name": "my book name"
        },....
    ]
}

And my spec seems to be broken, missing the pagination object...

Gby56 commented 9 months ago

Closing the issue with a feature idea: a diff/comparison mode to try requests and compare the OpenAPI spec with the responses, to make sure it's correct before starting :D
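The diff mode proposed above, as an added example that is not part of RESTler or of this issue: a small Python checker that walks a live response against the response schema the OpenAPI spec declares, reporting the paging-wrapper mismatch from the second comment, plus a finder for where an id field (such as the bookId producer) actually sits in the body. The schemas and the response are constructed for the example.

```python
import json

JSON_TYPES = {"object": dict, "array": list, "string": str, "integer": int, "number": (int, float), "boolean": bool}

# Constructed schemas (JSON-schema subset as used in an OpenAPI response):
# the spec as first written, a bare array of books ...
LIST_SCHEMA = {"type": "array", "items": {
    "type": "object", "required": ["id", "name"],
    "properties": {"id": {"type": "string"}, "name": {"type": "string"}}}}
# ... and the corrected spec that declares the paging wrapper.
WRAPPED_SCHEMA = {"type": "object", "required": ["paging", "data"], "properties": {
    "paging": {"type": "object", "properties": {
        k: {"type": "integer"} for k in ("total", "offset", "limit")}},
    "data": LIST_SCHEMA}}

# Constructed live response, shaped like the paginated body quoted in the issue.
LIVE_RESPONSE = json.loads('''{
  "paging": {"total": 12, "offset": 0, "limit": 1},
  "data": [{"id": "3f2504e0-4f89-11d3-9a0c-0305e82c3301", "name": "my book name"}]}''')


def diff_schema(schema, value, path=""):
    """Walk a live value against its declared schema; return mismatch descriptions."""
    expected = schema.get("type")
    if expected and not isinstance(value, JSON_TYPES[expected]):
        return [f"{path or '/'}: spec says {expected}, response is {type(value).__name__}"]
    problems = []
    if expected == "object":
        props = schema.get("properties", {})
        problems += [f"{path}/{k}: required by spec, missing in response" for k in schema.get("required", []) if k not in value]
        for key, sub in value.items():
            if key in props:
                problems += diff_schema(props[key], sub, f"{path}/{key}")
            else:
                problems.append(f"{path}/{key}: in response, not declared in spec")
    elif expected == "array":
        for i, item in enumerate(value):
            problems += diff_schema(schema.get("items", {}), item, f"{path}/[{i}]")
    return problems


def find_keys(value, key, path=""):
    """Paths where `key` occurs in a response, i.e. where an id producer really lives."""
    hits = []
    if isinstance(value, dict):
        for k, v in value.items():
            hits += ([f"{path}/{k}"] if k == key else []) + find_keys(v, key, f"{path}/{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            hits += find_keys(v, key, f"{path}/[{i}]")
    return hits
```

Running diff_schema(LIST_SCHEMA, LIVE_RESPONSE) reports the top-level array/object mismatch, the wrapped schema reports nothing, and find_keys(LIVE_RESPONSE, "id") returns "/data/[0]/id", the location a producer annotation would have to point at.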