Generated test didn't pass Spring Security's firewall. #2726

ancavar · 2023-12-19T19:24:10Z

To Reproduce

Add Spring Security to dependencies
Generate integration tests for controller's method which has @PathVariable parameter.

    @GetMapping("/{name}")
    public String demo(@PathVariable String name) {
        return name;
    }

Expected behavior

Test should not fail.

Actual behavior

/**
     * @utbot.classUnderTest {@link BookController}
     * @utbot.methodUnderTest {@link BookController#demo(String)}
     */
    @Test
    @DisplayName("demo: name = '\uFFEA#$\\\"'' (mutated from '#$\\\"'') -> throw RequestRejectedException")
    public void testDemoThrowsRREWithNonEmptyString() throws Exception {
        UriComponentsBuilder uriComponentsBuilder = fromPath("/{name}");
        Map map = new HashMap();
        map.put("name", "\uFFEA#$\\\"'");
        UriComponentsBuilder uriComponentsBuilder1 = uriComponentsBuilder.uriVariables(map);
        String string = uriComponentsBuilder1.toUriString();
        Object[] objectArray = {};
        MockHttpServletRequestBuilder mockHttpServletRequestBuilder = get(string, objectArray);
        
        /* This test fails because method [org.springframework.test.web.servlet.MockMvc.perform] produces [org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String "%25"]
            org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:369)
            org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:336)
            org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
            org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
            org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
            org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
            org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
            org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
            org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
            org.springframework.mock.web.MockFilterChain.doFilter(MockFilterChain.java:134)
            org.springframework.test.web.servlet.MockMvc.perform(MockMvc.java:183) */
        mockMvc.perform(mockHttpServletRequestBuilder);
    }
    ///endregion

The text was updated successfully, but these errors were encountered:

ancavar added the ctg-bug Issue is a bug label Dec 19, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Generated test didn't pass Spring Security's firewall. #2726

Generated test didn't pass Spring Security's firewall. #2726

ancavar commented Dec 19, 2023

Generated test didn't pass Spring Security's firewall. #2726

Generated test didn't pass Spring Security's firewall. #2726

Comments

ancavar commented Dec 19, 2023