Merge branch 'master' into ssrf-path-param

Author: seran

core/src/main/kotlin/org/evomaster/core/EMConfig.kt

@@ -1,5 +1,7 @@
 package org.evomaster.core
 
+import com.webfuzzing.commons.faults.DefinedFaultCategory
+import com.webfuzzing.commons.faults.FaultCategory
 import joptsimple.*
 import org.evomaster.client.java.controller.api.ControllerConstants
 import org.evomaster.client.java.controller.api.dto.auth.AuthenticationDto
@@ -13,6 +15,7 @@ import org.evomaster.core.logging.LoggingUtil
 import org.evomaster.core.output.OutputFormat
 import org.evomaster.core.output.naming.NamingStrategy
 import org.evomaster.core.output.sorting.SortingStrategy
+import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
 import org.evomaster.core.search.impact.impactinfocollection.GeneMutationSelectionMethod
 import org.evomaster.core.search.service.IdMapper
 import org.slf4j.LoggerFactory
@@ -48,7 +51,7 @@ class EMConfig {
         private const val timeRegex = "(\\s*)((?=(\\S+))(\\d+h)?(\\d+m)?(\\d+s)?)(\\s*)"
 
         private const val headerRegex = "(.+:.+)|(^$)"
-
+        private const val faultCodeRegex = "(\\s*\\d{3}\\s*(,\\s*\\d{3}\\s*)*)?"
         private const val targetSeparator = ";"
         private const val targetNone = "\\b(None|NONE|none)\\b"
         private const val targetPrefix = "\\b(Class|CLASS|class|Line|LINE|line|Branch|BRANCH|branch|MethodReplacement|METHODREPLACEMENT|method[r|R]eplacement|Success_Call|SUCCESS_CALL|success_[c|C]all|Local|LOCAL|local|PotentialFault|POTENTIALFAULT|potential[f|F]ault)\\b"
@@ -2521,6 +2524,12 @@ class EMConfig {
     @Cfg("To apply SSRF detection as part of security testing.")
     var ssrf = false
 
+    @Regex(faultCodeRegex)
+    @Cfg("Disable oracles. Provide a comma-separated list of codes to disable. " +
+                "By default, all oracles are enabled."
+    )
+    var disabledOracleCodes = ""
+
     enum class VulnerableInputClassificationStrategy {
         /**
          * Uses the manual methods to select the vulnerable inputs.
@@ -2797,4 +2806,30 @@ class EMConfig {
     fun getTagFilters() = endpointTagFilter?.split(",")?.map { it.trim() } ?: listOf()
 
     fun isEnabledAIModelForResponseClassification() = aiModelForResponseClassification != AIResponseClassifierModel.NONE
+
+    private var disabledOracleCodesList: List<FaultCategory>? = null
+
+    fun getDisabledOracleCodesList(): List<FaultCategory> {
+        if (disabledOracleCodesList == null) {
+            disabledOracleCodesList = disabledOracleCodes
+                .split(",")
+                .mapNotNull { it.trim().takeIf { s -> s.isNotEmpty() } }
+                .map { str ->
+                    val code = str.toIntOrNull()
+                        ?: throw ConfigProblemException("Invalid number: $str")
+
+                    val allCategories = DefinedFaultCategory.values().asList() +
+                            ExperimentalFaultCategory.values()
+
+                    allCategories.firstOrNull { it.code == code }
+                        ?: throw ConfigProblemException(
+                            "Invalid fault code: $code" +
+                                    " All available codes are: \n" +
+                                    allCategories.joinToString("\n") { "${it.code} (${it.name})" }
+                        )
+                }
+        }
+        return disabledOracleCodesList!!
+    }
+
 }

core/src/main/kotlin/org/evomaster/core/Main.kt

@@ -4,6 +4,7 @@ import com.google.inject.Injector
 import com.google.inject.Key
 import com.google.inject.TypeLiteral
 import com.netflix.governator.guice.LifecycleInjector
+import com.webfuzzing.commons.faults.DefinedFaultCategory
 import org.evomaster.client.java.controller.api.dto.ControllerInfoDto
 import org.evomaster.client.java.instrumentation.shared.ObjectiveNaming
 import org.evomaster.core.AnsiColor.Companion.inBlue
@@ -419,13 +420,18 @@ class Main {
                     val securityRest = injector.getInstance(SecurityRest::class.java)
                     val solution = securityRest.applySecurityPhase()
 
-                    if (config.ssrf) {
+                    if (config.ssrf && DefinedFaultCategory.SSRF !in config.getDisabledOracleCodesList()) {
                         LoggingUtil.getInfoLogger().info("Starting to apply SSRF detection.")
 
                         val ssrfAnalyser = injector.getInstance(SSRFAnalyser::class.java)
                         ssrfAnalyser.apply()
                     } else {
-                        solution
+                        if(DefinedFaultCategory.SSRF in config.getDisabledOracleCodesList())
+                        {
+                            LoggingUtil.uniqueUserInfo("Skipping security test for SSRF detection as disabled in configuration")
+                        }
+
+                        return solution
                     }
                 }
 

core/src/main/kotlin/org/evomaster/core/problem/enterprise/DetectedFaultUtils.kt

@@ -3,6 +3,7 @@ package org.evomaster.core.problem.enterprise
 import com.webfuzzing.commons.faults.FaultCategory
 import org.evomaster.core.search.EvaluatedIndividual
 import org.evomaster.core.search.Solution
+import org.evomaster.core.search.action.ActionResult
 
 object DetectedFaultUtils {
 
@@ -37,4 +38,15 @@ object DetectedFaultUtils {
             .toSet()
     }
 
+    fun verifyExcludedCategories(ei: EvaluatedIndividual<*>, excludedCategories: List<FaultCategory>) : Boolean {
+
+        // if not an enterprise individual, then no need to check
+        if(ei.individual !is EnterpriseIndividual){
+            return true
+        }
+
+        val detected = getDetectedFaultCategories(ei)
+        return excludedCategories.intersect(detected).isEmpty()
+    }
+
 }

core/src/main/kotlin/org/evomaster/core/problem/graphql/service/GraphQLFitness.kt

@@ -1,7 +1,6 @@
 package org.evomaster.core.problem.graphql.service
 
 import com.webfuzzing.commons.faults.DefinedFaultCategory
-import com.webfuzzing.commons.faults.FaultCategory
 import org.evomaster.client.java.controller.api.dto.AdditionalInfoDto
 import org.evomaster.core.Lazy
 import org.evomaster.core.sql.SqlAction
@@ -223,7 +222,7 @@ open class GraphQLFitness : HttpWsFitness<GraphQLIndividual>() {
             fv.updateTarget(faultId, 1.0, indexOfAction)
         }
 
-        if (status == 500) {
+        if (status == 500 && DefinedFaultCategory.HTTP_STATUS_500 !in config.getDisabledOracleCodesList()) {
             Lazy.assert {
                 location5xx != null || config.blackBox
             }
@@ -238,6 +237,8 @@ open class GraphQLFitness : HttpWsFitness<GraphQLIndividual>() {
             val bugId = idMapper.handleLocalTarget(descriptiveId)
             fv.updateTarget(bugId, 1.0, indexOfAction)
 
+        } else if (DefinedFaultCategory.HTTP_STATUS_500 !in config.getDisabledOracleCodesList()) {
+            LoggingUtil.uniqueUserInfo("Found endpoints with status code 500. But those are not marked as fault,  as HTTP 500 fault detection has been disabled.")
         }
     }
 

core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt

@@ -2,7 +2,7 @@ package org.evomaster.core.problem.rest.service
 
 import com.google.inject.Inject
 import com.webfuzzing.commons.faults.DefinedFaultCategory
-import com.webfuzzing.commons.faults.FaultCategory
+import org.evomaster.core.EMConfig
 import javax.annotation.PostConstruct
 
 import org.evomaster.core.logging.LoggingUtil
@@ -64,6 +64,9 @@ class SecurityRest {
     @Inject
     private lateinit var builder: RestIndividualBuilder
 
+    @Inject
+    protected lateinit var config: EMConfig
+
     /**
      * All actions that can be defined from the OpenAPI schema
      */
@@ -250,18 +253,35 @@ class SecurityRest {
 
     private fun accessControlBasedOnRESTGuidelines() {
 
-        // quite a few rules here that can be defined
-        handleForbiddenOperationButOKOthers(HttpVerb.DELETE)
-        handleForbiddenOperationButOKOthers(HttpVerb.PUT)
-        handleForbiddenOperationButOKOthers(HttpVerb.PATCH)
+        if(config.getDisabledOracleCodesList().contains(DefinedFaultCategory.SECURITY_WRONG_AUTHORIZATION)){
+            LoggingUtil.uniqueUserInfo("Skipping security test for forbidden but ok others as disabled in configuration")
+        } else {
+            // quite a few rules here that can be defined
+            handleForbiddenOperationButOKOthers(HttpVerb.DELETE)
+            handleForbiddenOperationButOKOthers(HttpVerb.PUT)
+            handleForbiddenOperationButOKOthers(HttpVerb.PATCH)
+        }
 
-        // getting 404 instead of 403
-        handleExistenceLeakage()
+        if(config.getDisabledOracleCodesList().contains(DefinedFaultCategory.SECURITY_EXISTENCE_LEAKAGE)){
+            LoggingUtil.uniqueUserInfo("Skipping security test for existence leakage as disabled in configuration")
+        } else {
+            // getting 404 instead of 403
+            handleExistenceLeakage()
+        }
 
-        //authenticated, but wrongly getting 401 (eg instead of 403)
-        handleNotRecognizedAuthenticated()
+        if(config.getDisabledOracleCodesList().contains(DefinedFaultCategory.SECURITY_NOT_RECOGNIZED_AUTHENTICATED)){
+            LoggingUtil.uniqueUserInfo("Skipping security test for not recognized authenticated as disabled in configuration")
+        } else {
+            //authenticated, but wrongly getting 401 (eg instead of 403)
+            handleNotRecognizedAuthenticated()
+        }
+
+        if(config.getDisabledOracleCodesList().contains(ExperimentalFaultCategory.SECURITY_FORGOTTEN_AUTHENTICATION)) {
+            LoggingUtil.uniqueUserInfo("Skipping experimental security test for forgotten authentication as disabled in configuration")
+        } else {
+            handleForgottenAuthentication()
+        }
 
-        handleForgottenAuthentication()
         //TODO other rules. See FaultCategory
         //etc.
     }

core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt

@@ -543,7 +543,7 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
             fv.updateTarget(faultId, 1.0, indexOfAction)
         }
 
-        if (status == 500) {
+        if (status == 500 && DefinedFaultCategory.HTTP_STATUS_500 !in config.getDisabledOracleCodesList()) {
             /*
                 500 codes "might" be bugs. To distinguish between different bugs
                 that crash the same endpoint, we need to know what was the last
@@ -560,6 +560,8 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
             fv.updateTarget(bugId, 1.0, indexOfAction)
 
             result.addFault(DetectedFault(DefinedFaultCategory.HTTP_STATUS_500, name,location5xx))
+        } else if (DefinedFaultCategory.HTTP_STATUS_500 !in config.getDisabledOracleCodesList()) {
+            LoggingUtil.uniqueUserInfo("Found endpoints with status code 500. But those are not marked as fault,  as HTTP 500 fault detection has been disabled.")
         }
     }
 
@@ -729,15 +731,19 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
             }
         }
 
-        handleSchemaOracles(a, rcr, fv)
+        if(DefinedFaultCategory.SCHEMA_INVALID_RESPONSE !in config.getDisabledOracleCodesList()){
+            handleSchemaOracles(a, rcr, fv)
+        } else {
+            LoggingUtil.uniqueUserInfo("Schema oracles disabled via configuration")
+        }
 
         val handledSavedLocation = handleSaveLocation(a, rcr, chainState)
 
         if(config.isEnabledAIModelForResponseClassification()) {
             responseClassifier.updateModel(a, rcr)
         }
 
-        if (config.security && config.ssrf) {
+        if (config.security && config.ssrf && DefinedFaultCategory.SSRF !in config.getDisabledOracleCodesList()) {
             if (ssrfAnalyser.anyCallsMadeToHTTPVerifier(a)) {
                 rcr.setVulnerableForSSRF(true)
             }
@@ -1116,7 +1122,7 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
             analyzeSecurityProperties(individual,actionResults,fv)
         }
 
-        if (config.ssrf) {
+        if (config.ssrf && DefinedFaultCategory.SSRF !in config.getDisabledOracleCodesList()) {
             handleSsrfFaults(individual, actionResults, fv)
         }
 

core/src/main/kotlin/org/evomaster/core/search/service/FitnessFunction.kt

@@ -1,7 +1,10 @@
 package org.evomaster.core.search.service
 
 import com.google.inject.Inject
+import com.webfuzzing.commons.faults.FaultCategory
 import org.evomaster.core.EMConfig
+import org.evomaster.core.Lazy
+import org.evomaster.core.problem.enterprise.DetectedFaultUtils
 import org.evomaster.core.search.EvaluatedIndividual
 import org.evomaster.core.search.Individual
 import org.evomaster.core.search.service.monitor.SearchProcessMonitor
@@ -97,6 +100,13 @@ abstract class FitnessFunction<T>  where T : Individual {
 //            ei?.updateInitImpactAfterDoCalculateCoverage(calculatedBefore, null, config)
 //        }
 
+        // check that excluded fault categories are not present
+        Lazy.assert{
+            DetectedFaultUtils.verifyExcludedCategories(ei as EvaluatedIndividual<Individual>,
+                config.getDisabledOracleCodesList() as List<FaultCategory>
+            )
+        }
+
         return ei
     }
 

docs/options.md

@@ -85,6 +85,7 @@ There are 3 types of options:
 |`customNaming`| __Boolean__. Enable custom naming and sorting criteria. *Default value*: `true`.|
 |`d`| __Double__. When weight-based mutation rate is enabled, specify a percentage of calculating mutation rate based on a number of candidate genes to mutate. For instance, d = 1.0 means that the mutation rate fully depends on a number of candidate genes to mutate, and d = 0.0 means that the mutation rate fully depends on weights of candidates genes to mutate. *Constraints*: `probability 0.0-1.0`. *Default value*: `0.8`.|
 |`dependencyFile`| __String__. Specify a file that saves derived dependencies. *DEBUG option*. *Default value*: `dependencies.csv`.|
+|`disabledOracleCodes`| __String__. Disable oracles. Provide a comma-separated list of codes to disable. By default, all oracles are enabled. *Constraints*: `regex (\s*\d{3}\s*(,\s*\d{3}\s*)*)?`. *Default value*: `""`.|
 |`doCollectImpact`| __Boolean__. Specify whether to collect impact info that provides an option to enable of collecting impact info when archive-based gene selection is disable. *DEBUG option*. *Default value*: `false`.|
 |`doesApplyNameMatching`| __Boolean__. Whether to apply text/name analysis to derive relationships between name entities, e.g., a resource identifier with a name of table. *Default value*: `true`.|
 |`e_u1f984`| __Boolean__. QWN0aXZhdGUgdGhlIFVuaWNvcm4gTW9kZQ==. *Default value*: `false`.|