def test_single_factory_usage(self, mock_client):
    """Register a counter-backed ``id`` factory and run a two-step sequence.

    The factory hands out increasing integers starting at 1234. The test
    checks that the last recorded response equals the first value the
    factory produced, and that the counter has moved on, i.e. the
    registered factory was actually invoked by ``validate_sequence``.
    """
    next_id = 1234

    def create_resource():
        # Hand out the current counter value and bump it for the next call.
        nonlocal next_id
        issued = next_id
        next_id += 1
        return issued

    fuzz_lightyear.register_factory('id')(create_resource)

    sequence = [
        FuzzingRequest(tag='sequence', operation_id='post_bravo_one'),
        FuzzingRequest(tag='sequence', operation_id='get_bravo_two'),
    ]
    responses = validate_sequence(sequence, ResponseSequence())

    assert responses.responses[-1] == 1234
    assert next_id != 1234
def test_invalid_request(mock_client):
    """An operation configured with a 400 response must raise ``HTTPError``.

    The error has to propagate out of ``validate_sequence``; a failing
    status must not be silently recorded as an ordinary result.
    """
    failing_request = FuzzingRequest(
        tag='constant',
        operation_id='get_will_throw_error',
        code=400,
    )
    with pytest.raises(HTTPError):
        validate_sequence([failing_request], ResponseSequence())
def test_skipped_due_to_no_inputs(mock_client):
    """An operation without required inputs yields a session but no plugin results."""
    sequence = [
        FuzzingRequest(tag='basic', operation_id='get_no_inputs_required'),
    ]
    responses = validate_sequence(sequence, ResponseSequence())

    # The response data still carries the session, but with nothing to
    # fuzz no plugin recorded a result.
    assert responses.data['session'] == 'victim_session'
    assert responses.test_results == {}
def test_basic(mock_client):
    """A request carrying an ``id`` parameter gets an IDORPlugin result."""
    request = FuzzingRequest(
        tag='basic',
        operation_id='get_private_listing',
        id=1,
    )
    responses = validate_sequence([request], ResponseSequence())

    assert responses.data['session'] == 'victim_session'
    # IDORPlugin must have produced a truthy result for this request.
    assert responses.test_results['IDORPlugin']
def test_valid_request_skip_idor_manually_excluded(
    mock_client,
    non_vulnerable_operations,
):
    """An operation covered by ``non_vulnerable_operations`` returns data but no plugin results.

    The fixture is presumably what marks ``get_public_listing`` as excluded
    from the IDOR check; the test only observes that ``test_results`` stays
    empty while the response still carries a string ``value``.
    """
    request = FuzzingRequest(tag='basic', operation_id='get_public_listing')
    responses = validate_sequence([request], ResponseSequence())

    assert isinstance(responses.data['value'], str)
    assert responses.test_results == {}
def test_basic(self, mock_client):
    """A two-step sequence threads the first request's output into the second."""
    first = FuzzingRequest(tag='sequence', operation_id='post_alpha_one')
    second = FuzzingRequest(tag='sequence', operation_id='get_alpha_two')
    responses = validate_sequence([first, second], ResponseSequence())

    # 'ok' originates from `post_alpha_one`; had the two requests been
    # fuzzed independently, the last response would not carry this value.
    assert responses.responses[-1] == 'ok'
def mock_result(self, *cases, test_results=None, client=None):
    """Build a ``FuzzingResult`` from one or more request case dicts.

    Args:
        *cases: keyword dicts passed through to ``FuzzingRequest`` (with
            ``tag='test'``). Each must contain ``operation_id``; when a
            client is supplied it is also used as the attribute name set
            on ``client.test``.
        test_results: optional mapping stored on the result's
            ``ResponseSequence``; skipped when falsy.
        client: optional client whose ``test`` namespace receives one
            ``mock_client_properties(**case)`` object per case.

    Returns:
        A ``FuzzingResult`` over the constructed requests with a fresh
        ``ResponseSequence`` attached.
    """
    def build(case):
        request = FuzzingRequest(tag='test', **case)
        if client:
            # Mirror the request on the client so the mocked endpoint exists.
            setattr(
                client.test,
                case['operation_id'],
                self.mock_client_properties(**case),
            )
        return request

    requests = [build(case) for case in cases]

    result = FuzzingResult(requests)
    result.responses = ResponseSequence()
    if test_results:
        result.responses.test_results = test_results
    return result
def test_side_effect_safe(mock_api_client):
    """A creating request followed by a side-effect-safe getter is not flagged as IDOR."""
    sequence = [
        FuzzingRequest(
            tag='sequence',
            operation_id='post_create_with_side_effect',
        ),
        FuzzingRequest(tag='user', operation_id='get_get_user'),
        # Kept last so the IDOR check runs against the earlier steps.
        FuzzingRequest(
            tag='sequence',
            operation_id='get_get_with_side_effect_safe',
        ),
    ]
    responses = validate_sequence(sequence, ResponseSequence())

    # The second recorded response exposes a created resource, yet the
    # safe getter must not yield an IDOR finding.
    assert responses.responses[1].created_resource
    assert not responses.test_results['IDORPlugin']