openapi-fuzzer
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value'
Hello! I tried to use this project to fuzz my API and it crashed. Here is the backtrace:
```
$ RUST_BACKTRACE=1 openapi-fuzzer -s spec-api.yaml -u https://test.local/api/v1
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', /home/user/.cargo/registry/src/github.com-1ecc6299db9ec823/openapi_utils-0.2.2/src/dereferer.rs:82:56
stack backtrace:
   0: rust_begin_unwind
             at /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/std/src/panicking.rs:493:5
   1: core::panicking::panic_fmt
             at /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/panicking.rs:92:14
   2: core::panicking::panic
             at /rustc/2fd73fabe469357a12c2c974c140f67e7cdd76d0/library/core/src/panicking.rs:50:5
   3: openapi_utils::dereferer::deref_everything_in_path
   4: <openapiv3::openapi::OpenAPI as openapi_utils::dereferer::SpecExt>::deref_all
   5: openapi_fuzzer::main
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
```
Hi, thanks for the report. Could you please send the specification? I'll not be able to debug it without it.
I see the same crash with a simple login endpoint description
```yaml
---
openapi: 3.0.3
info:
  title: OpenAPI Fuzzer reproducer
  version: 1.0.0
paths:
  /api/authentication/login:
    post:
      summary: Login to app
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/LoginRequest'
      responses:
        "200":
          description: Login successful
          headers:
            Authorization:
              description: The bearer token to be used for all requests where authentication
                is necessary
              required: true
              style: simple
              schema:
                type: string
          content:
            application/json: {}
        "400":
          description: Authentication failed
          content:
            application/json: {}
  /api/authentication/logout:
    post:
      responses:
        "201":
          description: logged out
  /api/authentication/register:
    post:
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegistrationRequest'
      responses:
        "200":
          description: OK
components:
  schemas:
    LoginRequest:
      description: POJO that represents the contents of a login request.
      required:
        - email
        - password
      type: object
      properties:
        email:
          minLength: 1
          type: string
          nullable: false
        password:
          minLength: 1
          type: string
          nullable: false
    RegistrationRequest:
      description: POJO that represents the contents of a registration request.
      required:
        - email
        - firstName
        - lastName
        - password
      type: object
      properties:
        email:
          minLength: 1
          type: string
          nullable: false
        firstName:
          minLength: 1
          type: string
          nullable: false
        lastName:
          minLength: 1
          type: string
          nullable: false
        password:
          minLength: 1
          type: string
          nullable: false
```
I had the same error and I've solved the problem by excluding response body content type from swagger, leaving status_code and description only. For example, in case of @theobisproject it would be this way:
```yaml
responses:
  "200":
    description: Login successful
    headers:
      Authorization:
        description: The bearer token to be used for all requests where authentication
          is necessary
        required: true
        style: simple
        schema:
          type: string
    content: {}
  "400":
    description: Authentication failed
    content: {}
```
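A pre-flight check for the pattern the last comment works around, as an added example that is not part of the thread or of openapi-fuzzer: it lists response media types that have no `schema` and returns a copy of the spec with them removed. It assumes the spec is already parsed into dicts; the function names and the sample are constructed, and that schema-less media types trigger the panic is inferred from the workaround, not confirmed by the maintainer.

```python
import copy

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: two paths from the reproducer above, already parsed
# from YAML into plain dicts (reading the file is left to a YAML library).
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/api/authentication/login": {
            "post": {
                "requestBody": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/LoginRequest"}}}},
                "responses": {
                    "200": {"description": "Login successful",
                            "content": {"application/json": {}}},
                    "400": {"description": "Authentication failed",
                            "content": {"application/json": {}}},
                },
            }
        },
        "/api/authentication/logout": {
            "post": {"responses": {"201": {"description": "logged out"}}}
        },
    },
}


def schemaless_response_media(spec):
    """Return (path, method, status, media_type) for each response media type without a schema."""
    hits = []
    for path, item in (spec.get("paths") or {}).items():
        for method, op in item.items():
            # Path items also hold non-operation keys such as "parameters".
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            for status, resp in (op.get("responses") or {}).items():
                for media, body in (resp.get("content") or {}).items():
                    if not (body or {}).get("schema"):
                        hits.append((path, method, status, media))
    return hits


def apply_workaround(spec):
    """Copy the spec and drop those media types, leaving `content: {}` as in the comment above."""
    fixed = copy.deepcopy(spec)
    for path, method, status, media in schemaless_response_media(spec):
        del fixed["paths"][path][method]["responses"][status]["content"][media]
    return fixed
```

Request bodies are left untouched, so the `$ref` schemas the fuzzer needs for generating payloads stay in place.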