adding empty draft of security module, integrated after the search #838
Conversation
|
solution = securityRest.applySecurityPhase() I executed Evomaster with the parameter --security true. I checked the generated unit test file. That file is empty since the method call "solution = securityRest.applySecurityPhase()" overrides the set of solutions with an empty set. |
| when(config.problemType){ | ||
| EMConfig.ProblemType.REST -> { | ||
| val securityRest = injector.getInstance(SecurityRest::class.java) | ||
| solution = securityRest.applySecurityPhase() |
There was a problem hiding this comment.
This line:
solution = securityRest.applySecurityPhase()
overrides the variable solution, which contains the set of tests other than security tests.
| class SecurityRest { | ||
|
|
||
| fun applySecurityPhase() : Solution<RestIndividual>{ | ||
|
|
There was a problem hiding this comment.
I assume generators for Security tests are going to be written as classes and they will be called in this method. Is that accurate? As example, if I want to test one of the generated endpoints for SQL injection vulnerabilities, where should I implement this test?
|
|
||
| bind(SecurityRest::class.java) | ||
| .asEagerSingleton() | ||
|
|
There was a problem hiding this comment.
bind(SecurityRest::class.java)
.asEagerSingleton()
These two lines appear 3 times in different classes. I guess code duplication is inevitable in this case.
There was a problem hiding this comment.
I did not see any issues other than the solution which contains all other tests being overridden by an empty set.
To test writing a simple security test, we can provide 'OR 1=1" as an input for a simple API and see the response. The response should not contain any database results.
No description provided.