Skip to content

Commit b9bddf6

Browse files
dandersonappsecaidandersonappsecai
committed
The verification crawler in verifyFixed mode now does not execute a test if the fixed testcase code is identical to the unfixed code.
1 parent 0c9a3e2 commit b9bddf6

File tree

1 file changed

+58
-17
lines changed

1 file changed

+58
-17
lines changed

plugin/src/main/java/org/owasp/benchmarkutils/tools/BenchmarkCrawlerVerification.java

Lines changed: 58 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -176,16 +176,28 @@ protected void crawl(TestSuite testSuite) throws Exception {
176176
tLogger = tl;
177177

178178
List<TestCase> filteredList;
179-
if (selectedTestCaseName != null) {
179+
180+
if (Boolean.parseBoolean(verifyFixed)) {
180181
filteredList =
181182
testSuite.getTestCases().stream()
182183
.filter(
183184
testCase ->
184-
testCase.getName().equals(selectedTestCaseName))
185+
!isTestCaseIdentical(
186+
unfixedSourceDirectory,
187+
fixedSourceDirectory,
188+
testCase.getName()))
185189
.collect(Collectors.toList());
186190
} else {
187191
filteredList = testSuite.getTestCases();
188192
}
193+
if (selectedTestCaseName != null) {
194+
filteredList =
195+
filteredList.stream()
196+
.filter(
197+
testCase ->
198+
testCase.getName().equals(selectedTestCaseName))
199+
.collect(Collectors.toList());
200+
}
189201
for (TestCase testCase : filteredList) {
190202

191203
// if (this.selectedTestCaseName != null) {
@@ -434,20 +446,40 @@ protected void crawl(TestSuite testSuite) throws Exception {
434446
// cleanupSetups(setups);
435447
}
436448

437-
private boolean isTestCaseModified(
438-
String unfixedSourceDirectory, String fixedSourceDirectory, String testCaseName)
439-
throws IOException {
449+
private boolean isTestCaseIdentical(
450+
String unfixedSourceDirectory, String fixedSourceDirectory, String testCaseName) {
440451
// FIXME: Generalize this so it can support languages other than Java and multiple
441452
// source files per testcase.
442453
String unfixedSourceFile =
443454
Paths.get(unfixedSourceDirectory, testCaseName).toString() + ".java";
444455
String fixedSourceFile = Paths.get(fixedSourceDirectory, testCaseName).toString() + ".java";
445-
String unfixedSourceFileContents =
446-
new String(Files.readAllBytes(Paths.get(unfixedSourceFile)));
447-
String fixedSourceFileContents = new String(Files.readAllBytes(Paths.get(fixedSourceFile)));
456+
String unfixedSourceFileContents = null;
457+
try {
458+
unfixedSourceFileContents =
459+
new String(Files.readAllBytes(Paths.get(unfixedSourceFile)));
460+
} catch (IOException e) {
461+
System.out.println("ERROR: Could not read testcase source file " + unfixedSourceFile);
462+
e.printStackTrace();
463+
}
464+
String fixedSourceFileContents = null;
465+
try {
466+
fixedSourceFileContents = new String(Files.readAllBytes(Paths.get(fixedSourceFile)));
467+
} catch (IOException e) {
468+
System.out.println("ERROR: Could not read testcase source file " + fixedSourceFile);
469+
e.printStackTrace();
470+
}
471+
// DEBUG
472+
// System.out.println(
473+
// testCaseName
474+
// + ": isTestCaseIdentical() returning "
475+
// + (unfixedSourceFileContents != null
476+
// && fixedSourceFileContents != null
477+
// && unfixedSourceFileContents.equals(fixedSourceFileContents)));
448478

449479
// Skip testcase in verifyFixed mode if fixed source code is unchanged.
450-
return !unfixedSourceFileContents.equals(fixedSourceFileContents);
480+
return unfixedSourceFileContents != null
481+
&& fixedSourceFileContents != null
482+
&& unfixedSourceFileContents.equals(fixedSourceFileContents);
451483
}
452484

453485
private void printFixVerificationSummary() {
@@ -583,7 +615,7 @@ private void log(ResponseInfo responseInfo) throws IOException {
583615
* @throws LoggerConfigurationException
584616
*/
585617
protected void handleResponse(TestCaseVerificationResults results)
586-
throws FileNotFoundException, IOException, LoggerConfigurationException {
618+
throws FileNotFoundException, LoggerConfigurationException {
587619

588620
// Check to see if this specific test case has a specified expected response value.
589621
// If so, run it through verification using it's specific attackSuccessIndicator.
@@ -631,13 +663,14 @@ protected void handleResponse(TestCaseVerificationResults results)
631663
// } else {
632664
// verifyFix(unfixedResults, fixedResults);
633665
// }
634-
if (Boolean.parseBoolean(verifyFixed)
635-
&& isTestCaseModified(
636-
unfixedSourceDirectory,
637-
fixedSourceDirectory,
638-
unfixedResults.getTestCase().getName())) {
639-
verifyFix(unfixedResults, fixedResults);
640-
}
666+
// if (Boolean.parseBoolean(verifyFixed)
667+
// && !isTestCaseIdentical(
668+
// unfixedSourceDirectory,
669+
// fixedSourceDirectory,
670+
// unfixedResults.getTestCase().getName())) {
671+
// verifyFix(unfixedResults, fixedResults);
672+
// }
673+
verifyFix(unfixedResults, fixedResults);
641674
} else {
642675
System.out.println(
643676
"WARNING: After fix testcase is "
@@ -732,6 +765,14 @@ private boolean verifyFix(
732765
verifyFixOutput.setWasExploited(wasExploited);
733766
verifyFixOutput.setWasBroken(wasBroken);
734767

768+
// DEBUG
769+
try {
770+
String verifyFixOutputJson = Utils.objectToJson(verifyFixOutput);
771+
System.out.println("verifyFixOutput JSON: " + verifyFixOutputJson);
772+
} catch (Exception e) {
773+
e.printStackTrace();
774+
}
775+
735776
if (isVulnerable) {
736777
vulnerableTestcases.add(verifyFixOutput);
737778
if (wasNotVerifiable) {

0 commit comments

Comments
 (0)