Merge branch 'master' into phg/objectMapper-v2

Author: Pgarrett

README.md

@@ -227,10 +227,11 @@ Existing open-source tools for REST API fuzzing, with at least 100 stars on GitH
 [Fuzz-lightyear](https://github.com/Yelp/fuzz-lightyear),
 [ResTest](https://github.com/isa-group/RESTest),
 [Restler](https://github.com/microsoft/restler-fuzzer),
+[Schemathesis](https://github.com/schemathesis/schemathesis)
 and
-[Schemathesis](https://github.com/schemathesis/schemathesis).
+[WuppieFuzz](https://github.com/TNO-S3/WuppieFuzz).
 
-All these tools are _black-box_, i.e., they do not analyze the source-code of the tested APIs to generate more effective test data.
+Apart from WuppieFuzz, all these tools are _black-box_, i.e., they do not analyze the source-code of the tested APIs to generate more effective test data.
 As we are the authors of EvoMaster, we are too biased to compare it properly with those other black-box tools.
 However, different independent studies (e.g., in [2022](https://arxiv.org/abs/2204.08348) and [2024](https://arxiv.org/abs/2410.12547)) shows that EvoMaster is among the best performant.
 Furthermore, if your APIs are running on the JVM (e.g., written in Java or Kotlin), then EvoMaster has clearly an advantage, as it supports _white-box_ testing. 

core-tests/e2e-tests/spring/spring-rest-h2-v1/src/test/java/org/evomaster/e2etests/spring/examples/resource/db/ResourceDependencyDBEMTest.java

@@ -29,7 +29,7 @@ public void testRunEM(boolean heuristicsForSQLAdvanced) throws Throwable {
         runTestHandlingFlakyAndCompilation(
                 "ResourceEM",
                 "org.db.resource.ResourceEM" + (heuristicsForSQLAdvanced ? "Complete" : "Partial"),
-                1_000,
+                2_000,
                 true,
                 (args) -> {
                     // disable taint analysis

core-tests/e2e-tests/spring/spring-rest-mysql/src/test/kotlin/org/evomaster/e2etests/spring/rest/likecondition/LikeConditionEMTest.kt

@@ -37,7 +37,7 @@ class LikeConditionEMTest : RestTestBase() {
                 .apply {
                     assertTrue(isNotEmpty())
                     forEach {
-                        assertEquals("${RegexGene.DATABASE_REGEX_PREFIX}foo%", it.sourceRegex)
+                        assertEquals("foo%", it.sourceRegex)
                     }
                 }
 

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/main/kotlin/com/foo/rest/examples/spring/openapi/v3/security/ssrf/uri/SSRFUriApplication.kt

@@ -0,0 +1,64 @@
+package com.foo.rest.examples.spring.openapi.v3.security.ssrf.uri
+
+import io.swagger.v3.oas.annotations.Operation
+import io.swagger.v3.oas.annotations.responses.ApiResponse
+import io.swagger.v3.oas.annotations.responses.ApiResponses
+import org.springframework.boot.SpringApplication
+import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration
+import org.springframework.http.ResponseEntity
+import org.springframework.web.bind.annotation.GetMapping
+import org.springframework.web.bind.annotation.RequestMapping
+import org.springframework.web.bind.annotation.RequestParam
+import org.springframework.web.bind.annotation.RestController
+import java.net.HttpURLConnection
+import java.net.URI
+
+@SpringBootApplication(exclude = [SecurityAutoConfiguration::class])
+@RequestMapping(path = ["/api"])
+@RestController
+open class SSRFUriApplication {
+
+    companion object {
+        @JvmStatic
+        fun main(args: Array<String>) {
+            SpringApplication.run(SSRFUriApplication::class.java, *args)
+        }
+    }
+
+    @Operation(
+        summary = "GET endpoint to fetch data from remote source",
+        description = "Can be used to fetch data from remote source."
+    )
+    @ApiResponses(
+        value = [
+            ApiResponse(responseCode = "200", description = "Successful response"),
+            ApiResponse(responseCode = "204", description = "No data to fetch"),
+            ApiResponse(responseCode = "400", description = "Invalid request"),
+            ApiResponse(responseCode = "500", description = "Invalid server error")
+        ]
+    )
+    @GetMapping(path = ["/uri"])
+    open fun uriTest(@RequestParam dataSource: String): ResponseEntity<String> {
+        if (dataSource != null) {
+            return try {
+                val uri = URI(dataSource)
+                if (uri.scheme == "http") {
+                    val connection = uri.toURL().openConnection() as HttpURLConnection
+                    connection.requestMethod = "GET"
+                    connection.connectTimeout = 1000
+
+                    if (connection.responseCode == 200) {
+                        return ResponseEntity.status(200).body("OK")
+                    }
+                    ResponseEntity.status(204).body("Unable to fetch.")
+                }
+                ResponseEntity.status(204).body("Unable to fetch.")
+            } catch (e: Exception) {
+                ResponseEntity.status(204).body("Unable to fetch.")
+            }
+        }
+
+        return ResponseEntity.badRequest().body("Invalid request")
+    }
+}

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/com/foo/rest/examples/spring/openapi/v3/security/ssrf/uri/SSRFUriController.kt

@@ -0,0 +1,5 @@
+package com.foo.rest.examples.spring.openapi.v3.security.ssrf.uri
+
+import com.foo.rest.examples.spring.openapi.v3.SpringController
+
+class SSRFUriController: SpringController(SSRFUriApplication::class.java)

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/existenceleakage/SecurityExistenceLeakageNoExistenceEMTest.kt

@@ -26,7 +26,7 @@ class SecurityExistenceLeakageNoExistenceEMTest : SpringTestBase(){
 
         runTestHandlingFlakyAndCompilation(
                 "SecurityExistenceLeakageNoExistenceEM",
-                6000
+                10_000
         ) { args: MutableList<String> ->
 
             setOption(args, "security", "true")

core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/org/evomaster/e2etests/spring/openapi/v3/security/ssrf/uri/SSRFUriEMTest.kt

@@ -0,0 +1,46 @@
+package org.evomaster.e2etests.spring.openapi.v3.security.ssrf.uri
+
+import com.foo.rest.examples.spring.openapi.v3.security.ssrf.uri.SSRFUriController
+import org.evomaster.core.EMConfig
+import org.evomaster.core.problem.rest.data.HttpVerb
+import org.evomaster.e2etests.spring.openapi.v3.SpringTestBase
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.BeforeAll
+import org.junit.jupiter.api.Test
+
+class SSRFUriEMTest: SpringTestBase() {
+
+    companion object {
+        @BeforeAll
+        @JvmStatic
+        fun init() {
+            val config = EMConfig()
+            config.instrumentMR_NET = false
+            initClass(SSRFUriController(), config)
+        }
+    }
+
+    @Test
+    fun testSSRFUri() {
+        runTestHandlingFlakyAndCompilation(
+            "SSRFUriGeneratedTest",
+            30,
+        ) { args: MutableList<String> ->
+
+            // If mocking enabled, it'll spin new services each time when there is a valid URL.
+            setOption(args, "externalServiceIPSelectionStrategy", "NONE")
+
+            setOption(args, "security", "true")
+            setOption(args, "ssrf", "true")
+            setOption(args, "vulnerableInputClassificationStrategy", "MANUAL")
+            setOption(args, "schemaOracles", "false")
+
+            val solution = initAndRun(args)
+
+            assertTrue(solution.individuals.isNotEmpty())
+            assertTrue(solution.hasSsrfFaults())
+
+            assertHasAtLeastOne(solution, HttpVerb.GET, 200, "/api/uri", "OK")
+        }
+    }
+}

core-tests/e2e-tests/spring/spring-rest-postgres/src/test/kotlin/org/evomaster/e2etests/spring/rest/postgres/likecondition/LikeConditionEMTest.kt

@@ -41,7 +41,7 @@ class LikeConditionEMTest : RestTestBase() {
                 .apply {
                     assertTrue(isNotEmpty())
                     forEach {
-                        assertEquals("${RegexGene.DATABASE_REGEX_PREFIX}foo%", it.sourceRegex)
+                        assertEquals("foo%", it.sourceRegex)
                     }
                 }
 

core-tests/integration-tests/core-it/src/test/kotlin/org/evomaster/core/problem/rest/IntegrationTestRestBase.kt

@@ -5,6 +5,7 @@ import org.evomaster.core.EMConfig
 import org.evomaster.core.problem.enterprise.SampleType
 import org.evomaster.core.problem.rest.data.RestCallAction
 import org.evomaster.core.problem.rest.data.RestIndividual
+import org.evomaster.core.problem.rest.service.RestIndividualBuilder
 import org.evomaster.core.problem.rest.service.fitness.AbstractRestFitness
 import org.evomaster.core.problem.rest.service.sampler.AbstractRestSampler
 import org.evomaster.core.problem.rest.service.SecurityRest
@@ -54,6 +55,8 @@ abstract class IntegrationTestRestBase : RestTestBase() {
 
     fun getEMConfig() = injector.getInstance(EMConfig::class.java)
 
+    fun getBuilder() = injector.getInstance(RestIndividualBuilder::class.java)
+
     /**
      * Create and evaluate an individual
      */

core-tests/integration-tests/core-it/src/test/kotlin/org/evomaster/core/problem/rest/aiclassification/AIModelsCheck.kt

@@ -1,7 +1,6 @@
 package org.evomaster.core.problem.rest.aiclassification
 
 import bar.examples.it.spring.aiclassification.allornone.AllOrNoneController
-import bar.examples.it.spring.aiclassification.multitype.MultiTypeController
 import com.google.inject.Inject
 import org.evomaster.core.problem.enterprise.SampleType
 import org.evomaster.core.problem.rest.IntegrationTestRestBase
@@ -245,7 +244,7 @@ class AIModelsCheck : IntegrationTestRestBase() {
         val overAllMetrics = aiGlobalClassifier.estimateOverallMetrics()
         println("Overall Accuracy: ${overAllMetrics.accuracy}")
         println("Overall Precision400: ${overAllMetrics.precision400}")
-        println("Overall Recall400: ${overAllMetrics.recall400}")
+        println("Overall Recall400: ${overAllMetrics.sensitivity400}")
         println("Overall F1Score400: ${overAllMetrics.f1Score400}")
         println("Overall MCC: ${overAllMetrics.mcc}")