def test_invalid_request(mock_client):
    """A request to ``get_will_throw_error`` must surface as an HTTPError.

    The single request carries ``code=400``; the test only passes when
    ``validate_sequence`` propagates the error rather than swallowing it.
    """
    with pytest.raises(HTTPError):
        failing_request = FuzzingRequest(
            tag='constant',
            operation_id='get_will_throw_error',
            code=400,
        )
        validate_sequence([failing_request], ResponseSequence())
def test_single_factory_usage(self, mock_client):
    """A factory registered for ``id`` feeds the sequence exactly once here.

    The factory hands out 1234 first and bumps its counter on every call,
    so the final response equalling 1234 together with a changed counter
    shows the factory was invoked and that its first value was the one used.
    """
    current_id = 1234

    def create_resource():
        # Post-increment: advance the counter, hand back the previous value.
        nonlocal current_id
        current_id += 1
        return current_id - 1

    fuzz_lightyear.register_factory('id')(create_resource)

    create_step = FuzzingRequest(
        tag='sequence',
        operation_id='post_bravo_one',
    )
    read_step = FuzzingRequest(
        tag='sequence',
        operation_id='get_bravo_two',
    )
    responses = validate_sequence([create_step, read_step], ResponseSequence())

    last_response = responses.responses[-1]
    assert last_response == 1234
    assert current_id != 1234
def test_failed_sequence_should_not_be_successful(mock_client):
    """A sequence with an erroring request in the middle is not successful.

    ``get_will_throw_error`` sits between two ``sequence`` requests;
    validation is expected to raise HTTPError and the FuzzingResult must
    then report failure.
    """
    sequence = [
        FuzzingRequest(
            tag='sequence',
            operation_id='post_alpha_one',
        ),
        FuzzingRequest(
            tag='constant',
            operation_id='get_will_throw_error',
        ),
        FuzzingRequest(
            tag='sequence',
            operation_id='get_alpha_two',
        ),
    ]
    result = FuzzingResult(sequence)

    with pytest.raises(HTTPError):
        validate_sequence(result.requests, result.responses)

    # Checked after the raises block so it runs once the error was caught.
    assert not result.is_successful()
def test_skipped_due_to_no_inputs(mock_client):
    """An operation that needs no inputs produces no plugin results.

    The response data still carries the ``victim_session`` value, but
    ``test_results`` stays empty.
    """
    request = FuzzingRequest(
        tag='basic',
        operation_id='get_no_inputs_required',
    )
    responses = validate_sequence([request], ResponseSequence())

    assert responses.data['session'] == 'victim_session'
    # NOTE(review): presumably nothing identifies a resource to probe when
    # there are no inputs -- confirm against the plugin's skip conditions.
    assert responses.test_results == {}
def test_basic(mock_client):
    """``get_private_listing`` with ``id=1`` yields a truthy IDORPlugin result.

    The response data carries the ``victim_session`` value and the
    ``IDORPlugin`` entry in ``test_results`` must be truthy.
    """
    request = FuzzingRequest(
        tag='basic',
        operation_id='get_private_listing',
        id=1,
    )
    responses = validate_sequence([request], ResponseSequence())

    assert responses.data['session'] == 'victim_session'
    # NOTE(review): a truthy entry presumably means the plugin flagged the
    # operation as vulnerable -- confirm against the plugin's convention.
    assert responses.test_results['IDORPlugin']
def test_valid_request_skip_idor_manually_excluded(
    mock_client,
    non_vulnerable_operations,
):
    """With the exclusion fixture active, no plugin results are recorded.

    ``get_public_listing`` still returns a string value, but
    ``test_results`` is empty.
    """
    # NOTE(review): presumably `non_vulnerable_operations` lists this
    # operation as excluded from the IDOR check -- verify in the fixture.
    request = FuzzingRequest(
        tag='basic',
        operation_id='get_public_listing',
    )
    responses = validate_sequence([request], ResponseSequence())

    value = responses.data['value']
    assert isinstance(value, str)
    assert responses.test_results == {}
def test_basic(self, mock_client):
    """Later requests in a sequence reuse values from earlier responses."""
    producer = FuzzingRequest(
        tag='sequence',
        operation_id='post_alpha_one',
    )
    consumer = FuzzingRequest(
        tag='sequence',
        operation_id='get_alpha_two',
    )
    responses = validate_sequence([producer, consumer], ResponseSequence())

    # 'ok' comes from `post_alpha_one`. Had the two requests been fuzzed
    # independently, the final response would hold a different value.
    final_response = responses.responses[-1]
    assert final_response == 'ok'
def test_side_effect_safe(mock_api_client):
    """A three-step sequence with a side effect ends with a falsy IDOR result.

    The second response must report ``created_resource`` and the
    ``IDORPlugin`` entry in ``test_results`` must be falsy.
    """
    create_step = FuzzingRequest(
        tag='sequence',
        operation_id='post_create_with_side_effect',
    )
    user_step = FuzzingRequest(
        tag='user',
        operation_id='get_get_user',
    )
    # This goes last, to test for IDOR.
    probe_step = FuzzingRequest(
        tag='sequence',
        operation_id='get_get_with_side_effect_safe',
    )

    responses = validate_sequence(
        [create_step, user_step, probe_step],
        ResponseSequence(),
    )

    assert responses.responses[1].created_resource
    # NOTE(review): a falsy entry presumably means the plugin ran and did
    # not flag the operation -- confirm against the plugin's convention.
    assert not responses.test_results['IDORPlugin']
def test_successful_sequence(mock_client, sequence):
    """A sequence from the ``sequence`` fixture validates and is successful."""
    outcome = FuzzingResult(sequence)

    # The responses object is handed over by reference; the success check
    # below reads the same FuzzingResult afterwards.
    validate_sequence(outcome.requests, outcome.responses)

    assert outcome.is_successful()