def mutant_smart_fill(freq, dc_copy, ignore_pname, ignore_index, fuzzer_config):
    """
    Fill the blank fields of a data container, leaving the parameter that is
    currently being fuzzed untouched, and put an uploadable file into every
    file input.

    :param freq: The fuzzable request (original request instance) we're
                 fuzzing; only its get_file_vars() is used here.
    :param dc_copy: The data container to fill. It is modified in place and
                    is also the return value.
    :param ignore_pname: A parameter name to ignore
    :param ignore_index: The index (within ignore_pname) we want to ignore
    :param fuzzer_config: Mapping queried for 'fuzz_form_files', the extension
                          of the file to upload; 'gif' is used when that value
                          is missing or falsy.
    :return: dc_copy, filled using smart_fill except for the fuzzed parameter
             and for the types listed in AVOID_FILLING_FORM_TYPES, with the
             first value of each file input replaced by a NamedStringIO.
    """
    fuzzed_token = (ignore_pname, ignore_index)

    for param_name in dc_copy:
        for position, _ in enumerate(dc_copy[param_name]):
            # Never overwrite the value under test, and leave alone the
            # input types that must not be auto-filled.
            if (param_name, position) == fuzzed_token or \
                    dc_copy.get_type(param_name) in AVOID_FILLING_FORM_TYPES:
                continue

            # Only blank values are filled. A value that is already set
            # usually comes from the form itself, for example:
            #
            #   <input type="text" name="p" value="foobar">
            #
            is_blank = dc_copy[param_name][position] == ''
            if is_blank:
                dc_copy[param_name][position] = smart_fill(param_name)

    # The rationale for this second pass is given in the comment tagged
    # __HERE__ elsewhere in this module.
    for file_param in freq.get_file_vars():
        # Try to upload a file with a valid extension.
        extension = fuzzer_config.get('fuzz_form_files') or 'gif'

        # NOTE(review): the success flag is not checked, so whatever content
        # get_file_from_template() returns is uploaded even when it reports
        # failure -- confirm that this fallback is intended.
        _success, content, upload_name = get_file_from_template(extension)

        # MultipartPostHandler requires the file-like object to carry a
        # "name", hence NamedStringIO.
        # TODO: Is this hard-coded [0] enough? Only the first value of the
        # file parameter is replaced.
        dc_copy[file_param][0] = NamedStringIO(content, name=upload_name)

    return dc_copy
def test_get_file_from_template_false(self):
    """
    For the 'swf' extension get_file_from_template() reports failure, yet
    the file name it returns still ends with the requested extension.
    """
    found, _content, name = get_file_from_template('swf')

    self.assertFalse(found)
    # A caller that ignores the flag still receives a '.swf' name, so the
    # name alone does not say whether a real template was used.
    self.assertTrue(name.endswith('.swf'), name)
def test_get_file_from_template_true(self):
    """
    For the 'gif' extension get_file_from_template() reports success and
    returns content containing 'GIF' plus a file name ending in '.gif'.
    """
    found, content, name = get_file_from_template('gif')

    self.assertTrue(found)
    # The 'GIF' marker in the content shows that an image template was
    # returned.
    self.assertIn('GIF', content)
    self.assertTrue(name.endswith('.gif'), name)