microsoft / restler-fuzzer

RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
MIT License

"Attempting to get resources from GET request..." ignores required GET parameters #872

Open wilbaker opened 8 months ago

wilbaker commented 8 months ago

Description

try_async_poll has logic to call GET after receiving an async response:

# Also, attempt to execute a GET request corresponding to this resource and
# return the response.  This is used in case all of the expected properties are
# not present in the async response.

And it does so using try_parse_GET_request.

try_parse_GET_request, in turn, uses make_GET_request to convert the request's rendered data to a GET with a matching endpoint:

    # Get the endpoint from the request data
    data_part = request_data.partition(DELIM)
    get_data = data_part[0]
    # Get the method
    method = get_data.partition(' ')[0]
    # Replace the request data's method with GET
    get_data = get_data.replace(method, 'GET')
    # Reinsert the closing delimiters before returning
    return get_data + data_part[1]

The issue that I've seen is that when this GET request is created, it does not respect the required parameters of the GET, and this results in a failure of the GET.

Steps to reproduce

Run RESTler against a service whose GET request for listing resources includes a required query parameter.

Expected results

make_GET_request includes the required parameter (and applies a custom value from the dictionary, when applicable).

Actual results

Required parameter is not included, and the GET request fails.

Environment details

RESTler 9.2.4
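The conversion chain described in this issue (try_async_poll -> try_parse_GET_request -> make_GET_request), reduced to a stand-alone example so the failure mode and the expected fix can be seen side by side. This is added example code, not RESTler's own implementation: the DELIM value, the request text, the required-parameter table and the custom-value dictionary are all constructed assumptions. make_get_request_naive mirrors the method-swap conversion quoted above; make_get_request is the behaviour the "Expected results" section asks for, namely that every required query parameter of the GET is present, taking its value from the custom dictionary when one is defined and from the spec default otherwise.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed delimiter between the request head (request line + headers) and the
# body in rendered request data. Assumption for this example only.
DELIM = "\r\n\r\n"

# Constructed rendered PUT request whose async response triggers the GET poll.
PUT_REQUEST = (
    "PUT /api/orders/42 HTTP/1.1\r\n"
    "Accept: application/json\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/json"
    + DELIM
    + '{"status": "shipped"}'
)

# Constructed table of the corresponding GET's required query parameters,
# name -> default value as a spec would declare them (assumption).
GET_REQUIRED_PARAMS = {"api-version": "2023-01-01", "expand": "items"}


def make_get_request_naive(request_data):
    """Method-swap conversion as quoted in the issue: the first token of the
    request line is replaced with GET, the body is dropped, nothing else is
    touched. Required query parameters of the GET are never added."""
    head, delim, _body = request_data.partition(DELIM)
    method = head.partition(" ")[0]
    return head.replace(method, "GET") + delim


def parse_request_line(head):
    """Split a request head into (method, target, http_version, rest_of_head)."""
    request_line, sep, headers = head.partition("\r\n")
    method, _, remainder = request_line.partition(" ")
    target, _, version = remainder.partition(" ")
    return method, target, version, sep + headers


def missing_required_params(request_data, required):
    """Names of required query parameters absent from the request target.
    Non-empty means the GET would be rejected by a strict service."""
    head = request_data.partition(DELIM)[0]
    _, target, _, _ = parse_request_line(head)
    query = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    present = {name for name, _ in query}
    return [name for name in required if name not in present]


def make_get_request(request_data, required, custom_values=None):
    """Hardened conversion: same method swap and body drop, but every required
    query parameter of the GET is guaranteed to be present. Parameters already
    in the target are kept; a missing one takes the custom dictionary value
    when defined, else the spec default."""
    head, delim, _body = request_data.partition(DELIM)
    _, target, version, rest = parse_request_line(head)
    parts = urlsplit(target)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    custom = custom_values or {}
    for name, default in required.items():
        query.setdefault(name, custom.get(name, default))
    new_target = urlunsplit(parts._replace(query=urlencode(query)))
    request_line = " ".join(tok for tok in ("GET", new_target, version) if tok)
    return request_line + rest + delim


if __name__ == "__main__":
    naive = make_get_request_naive(PUT_REQUEST)
    print("naive GET missing:", missing_required_params(naive, GET_REQUIRED_PARAMS))
    fixed = make_get_request(PUT_REQUEST, GET_REQUIRED_PARAMS, {"api-version": "2024-06-01"})
    print("fixed GET missing:", missing_required_params(fixed, GET_REQUIRED_PARAMS))
    print(fixed.partition("\r\n")[0])
```

The naive version reproduces the report exactly: the request line becomes `GET /api/orders/42 HTTP/1.1` with no query string, so both required parameters are missing. The hardened version yields `GET /api/orders/42?api-version=2024-06-01&expand=items HTTP/1.1`, with the custom dictionary value applied to api-version and the spec default used for expand. Note that missing_required_params only checks presence; a dictionary or default value that the service rejects would still fail, which is why the poll's GET response should be checked for a 4xx before its properties are read.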