fixed/improved SQLi construction

arcuri82 · arcuri82 · commit d73e82e82bf6 · 2026-02-05T10:00:31.000+01:00
diff --git a/core/src/main/kotlin/org/evomaster/core/EMConfig.kt b/core/src/main/kotlin/org/evomaster/core/EMConfig.kt
@@ -2650,10 +2650,9 @@ class EMConfig {
     @Cfg("Maximum allowed baseline response time (in milliseconds) before the malicious payload is applied.")
     var sqliBaselineMaxResponseTimeMs = 2000
 
-
     @Regex(faultCodeRegex)
     @Cfg("Disable oracles. Provide a comma-separated list of codes to disable. " +
-                "By default, all oracles are enabled."
+                "By default, all oracles are enabled. Codes are based on WFC (Web Fuzzing Commons)."
     )
     var disabledOracleCodes = ""
 
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
@@ -12,6 +12,7 @@ import org.evomaster.core.problem.enterprise.SampleType
 import org.evomaster.core.problem.enterprise.auth.AuthSettings
 import org.evomaster.core.problem.enterprise.auth.NoAuth
 import org.evomaster.core.problem.externalservice.HostnameResolutionAction
+import org.evomaster.core.problem.httpws.HttpWsCallResult
 import org.evomaster.core.problem.httpws.auth.HttpWsAuthenticationInfo
 import org.evomaster.core.problem.httpws.auth.HttpWsNoAuth
 import org.evomaster.core.problem.rest.*
@@ -341,8 +342,9 @@ class SecurityRest {
 
     private fun handleSqlICheck(){
 
-        mainloop@ for(action in actionDefinitions){
+        val K = config.sqliBaselineMaxResponseTimeMs
 
+        mainloop@ for(action in actionDefinitions){
 
             // Find individuals with 2xx response for this endpoint
             val successfulIndividuals = RestIndividualSelectorUtils.findIndividuals(
@@ -356,41 +358,49 @@ class SecurityRest {
                 continue
             }
 
-            // Take the smallest successful individual
-            val target = successfulIndividuals.minBy { it.individual.size() }
-
-            val actionIndex = RestIndividualSelectorUtils.findIndexOfAction(
-                target,
-                action.verb,
-                action.path,
-                statusGroup = StatusGroup.G_2xx
-            )
+            val candidates = successfulIndividuals.mapNotNull { ei ->
+                val actionIndex = RestIndividualSelectorUtils.findIndexOfAction(
+                    ei,
+                    action.verb,
+                    action.path,
+                    statusGroup = StatusGroup.G_2xx
+                )
 
-            if(actionIndex < 0){
-                continue
+                if(actionIndex < 0){
+                    null
+                } else {
+                    val action = ei.individual.seeMainExecutableActions()[actionIndex]
+                    val result = ei.seeResult(action.getLocalId()) as HttpWsCallResult
+                    val time = result.getResponseTimeMs()
+                    if(time == null || time >= K ){
+                        //make sure the call didn't take too long
+                        null
+                    } else {
+                        // Slice to keep only up to the target action
+                        RestIndividualBuilder.sliceAllCallsInIndividualAfterAction(ei.individual, actionIndex)
+                    }
+                }
             }
 
-            // Slice to keep only up to the target action
-            val sliced = RestIndividualBuilder.sliceAllCallsInIndividualAfterAction(
-                target.individual,
-                actionIndex
-            )
+            // Take the smallest successful individual
+            val target = candidates.minBy { it.size() }
 
             // Try each sqli payload (but only add one test per endpoint)
             for(payload in SQLI_PAYLOADS){
 
                 // Create a copy of the individual
-                var copy = sliced.copy() as RestIndividual
+                val copy = target.copy() as RestIndividual
                 val actionCopy = copy.seeMainExecutableActions().last() as RestCallAction
 
                 val genes = GeneUtils.getAllStringFields(actionCopy.parameters)
                     .filter { it.staticCheckIfImpactPhenotype() }
 
                 if(genes.isEmpty()){
-                    continue
+                    continue@mainloop
                 }
                 var anySuccess = false
 
+                //here we try to modify ALL potential genes
                 genes.forEach {
                         gene ->
                     val leafGene = gene.getLeafGene().getPhenotype()
@@ -413,7 +423,7 @@ class SecurityRest {
                     continue
                 }
 
-                val newInd = builder.merge(sliced, copy)
+                val newInd = builder.merge(target, copy)
 
                 newInd.modifySampleType(SampleType.SECURITY)
                 newInd.ensureFlattenedStructure()
@@ -432,7 +442,6 @@ class SecurityRest {
                     assert(added)
                     continue@mainloop
                 }
-
             }
         }
     }
diff --git a/docs/options.md b/docs/options.md
@@ -91,7 +91,7 @@ There are 3 types of options:
 |`customNaming`| __Boolean__. Enable custom naming and sorting criteria. *Default value*: `true`.|
 |`d`| __Double__. When weight-based mutation rate is enabled, specify a percentage of calculating mutation rate based on a number of candidate genes to mutate. For instance, d = 1.0 means that the mutation rate fully depends on a number of candidate genes to mutate, and d = 0.0 means that the mutation rate fully depends on weights of candidates genes to mutate. *Constraints*: `probability 0.0-1.0`. *Default value*: `0.8`.|
 |`dependencyFile`| __String__. Specify a file that saves derived dependencies. *DEBUG option*. *Default value*: `dependencies.csv`.|
-|`disabledOracleCodes`| __String__. Disable oracles. Provide a comma-separated list of codes to disable. By default, all oracles are enabled. *Constraints*: `regex (\s*\d{3}\s*(,\s*\d{3}\s*)*)?`. *Default value*: `""`.|
+|`disabledOracleCodes`| __String__. Disable oracles. Provide a comma-separated list of codes to disable. By default, all oracles are enabled. Codes are based on WFC (Web Fuzzing Commons). *Constraints*: `regex (\s*\d{3}\s*(,\s*\d{3}\s*)*)?`. *Default value*: `""`.|
 |`doCollectImpact`| __Boolean__. Specify whether to collect impact info that provides an option to enable of collecting impact info when archive-based gene selection is disable. *DEBUG option*. *Default value*: `false`.|
 |`doesApplyNameMatching`| __Boolean__. Whether to apply text/name analysis to derive relationships between name entities, e.g., a resource identifier with a name of table. *Default value*: `true`.|
 |`e_u1f984`| __Boolean__. QWN0aXZhdGUgdGhlIFVuaWNvcm4gTW9kZQ==. *Default value*: `false`.|
