[Bug]: Path parameters are not fuzzed for PUT/PATCH/POST methods

[ganeshnikam18]

Sample OpeAPI Definition:

paths: /test1/{orderId}: put: summary: Create a new resource parameters: - in: path name: orderId required: true schema: type: integer requestBody: description: Request payload required: true content: application/json: schema: $ref: '#/components/schemas/Order'
responses: '200': description: successful operation content: application/json: schema: $ref: '#/components/schemas/Order' '400': description: the server cannot or will not process the request due to something that is perceived to be a client error content: application/json: schema: $ref: '#/components/schemas/Order'
'405': description: Invalid input content: application/json: schema: $ref: '#/components/schemas/Order'

components: schemas: Order: type: object properties: orderId: type: integer petId: type: number quantity: type: integer shipDate: type: string status: type: string description: Order Status example: approved enum: - placed - approved - delivered complete: type: boolean

What is the issue ? When CATS tool fuzzes above API for HappyPath Fuzzer, it does not fuzz the 'orderId' path parameter. The url is create like this: https://apiserver.com/test1/{oderId}

The requestBody (Order object) is fuzzed properly

Expected Behaviour Ideally the 'orderId' path parameter should be fuzzed. Reference from Swagger Doc: https://swagger.io/docs/specification/describing-parameters/#path-parameters

Common Parameters for All Methods of a Path Parameters shared by all operations of a path can be defined on the path level instead of the operation level. Path-level parameters are inherited by all operations of that path. A typical use case are the GET/PUT/PATCH/DELETE operations that manipulate a resource accessed via a path parameter.

For GET and DELETE method, the path parameter is fuzzed properly