restrictions.rst

File metadata and controls

307 lines (218 loc) · 13.6 KB

Restrictions

OData services developed in SAP do not support some functions provided by the OData protocol (for example, day(), substring(), length()). They may also not implement GET_ENTITYSET methods for all entities. Restrictions let one reduce the number of such pointless queries.

ODfuzz generates HTTP requests based on the definitions in a metadata document. In some cases, however, we may want to restrict testing of a particular entity set. Restrictions allow users to define rules which forbid the use of certain entities, functions, or properties in queries. Restrictions are defined in the following YAML format:

[ Exclude | Include ]:
    [ $FORBID$ ]:
        - $filter
        - $orderby
        ...
    [ $filter | $orderby | $skip | $top | $expand | ... ]:
        EntitySet name:
            - Property name
            - Property name
            ...
        [ $ENTITY_SET$ | $ENTITY$ | $ENTITY_ASSOC$ | $F_ALL$ | $P_ALL$ | ... ]:
            - [ Function name | EntitySet name | Property name ]
            ...
    ...

The template above uses a special construction enclosed in "[" and "]". It represents a list of restriction keywords, separated by "|", which can be used in the corresponding context. Only one of these keywords may be used on a given line. When declaring restrictions, omit the "[", "]" and "|" characters; they are used here only for illustration.

Sample restriction files can be found in the restrictions folder. Bear in mind that some of them relate to the previous version of ODfuzz. For example, the keyword "$E_ALL$" is deprecated; the keyword "$ENTITY_SET$" should be used instead.

Restriction Types

Restrictions are used to embed data in queries or to suppress generation of query fragments that the metadata document does not restrict by default. This section gives an overview of the restriction types and their basic use cases.

EXCLUDE Restrictions

  • $ENTITY_SET$. The fuzzer will not generate HTTP requests of any method type (GET, POST, DELETE, PUT and MERGE) for the specified list of entity sets. For example, when we define the following restriction, ODfuzz will skip generation of query options for the entity set Products:

URI:

https://services.odata.org/V2/Northwind/Northwind.svc/Products?$filter=ProductID%20lt%202

Exclude:
    $ENTITY_SET$:
        Products:
             Properties:
             Nav_Properties:

  • $ENTITY_SET Properties$. For the POST, PUT and MERGE methods, the fuzzer will not generate the specified properties of a given entity set: the listed properties are removed from the request body. For example, when we define the following restriction, ODfuzz will skip generation of the property ProductID in request bodies for the entity set Products:

URI:

https://services.odata.org/V2/Northwind/Northwind.svc/Products?sap-client=500

Body:

{"ProductName": "Q!a\u00bfbg\u2026\u00b5|\u00ce\u00c9qj\u00eb\u00b7\u00c1{SC@\u00e0\u2026VEs\u2019i\u2026(\u00b5", "SupplierID": 1593960140, "CategoryID": -1745367456, "QuantityPerUnit": "lM\u2013\u00ceo\u00a9\u00f7\u00b4\u00f8\u00e4\u00e0\u00bc<", "UnitPrice": "203518542564.221m", "UnitsInStock": 19375, "UnitsOnOrder": -12443, "ReorderLevel": 875, "Discontinued": true}

Exclude:
    $ENTITY_SET$:
        Products:
             Properties:
                 - ProductID
             Nav_Properties:

Exclude Properties from URI Using Exclusion List

The exclusion list is a feature that lets you exclude certain entities and their properties while generating URL payloads for the entity sets that pyodata parses from the metadata.xml file.

Using the exclusion list, we can name properties of a particular EntitySet that we do not want to appear in the generated payloads.

Example JSON:

{
    "$ENTITY_SET$": {
        "Products": {
             "Properties":["ProductID", "ProductName"],
             "Nav_Properties":["Category"]
        }
    }
}

Two functions use these properties to generate the payloads and include them in the URI:

  1. $filter
  2. $orderby

The exclusion list is implemented in the two classes that use the $orderby and $filter functions to generate payloads for the URI:

  1. FilterQuery: Class to generate queries for $filter function
  2. OrderbyQuery: Class to generate queries for $orderby function

Both classes randomly choose properties from all available properties of the given entity set to generate the payloads.

Properties that match entries in the exclusion list are removed from the list of properties used to generate queries for both functions.

The fuzzer will not generate HTTP requests of the method types GET, DELETE, POST, PUT and MERGE for the specified list of properties of a specific entity set. The listed properties are removed from the request URI, but key properties (Key_Properties) are never removed from it, and the exclusion applies only to the $filter and $orderby query options. For example, when we define the following restriction, ODfuzz will exclude the property ProductID from the $filter and $orderby query options while keeping the key properties in the URI.

Example restricted URI:

https://services.odata.org/V2/Northwind/Northwind.svc/Products(ProductID=-386222977)?$inlinecount=allpages&$filter=OrderID le 1672133452&$top=459&search=%C3%8C%C3%AA%C2%A5%21%C3%81%604%C3%AEOe_%C3%B1%C5%93%24%C3%97%C2%B8%2B%29 OR U%C3%A7T%C2%90%7B%C3%99nN%C2%8D%C2%A3N4 OR %21%C3%BBxVn%C2%81 OR %E2%80%9C%C3%89&$skip=141395401&$orderby=Quantity&$expand=Product/Category,Order/Order_Details&sap-client=500&$format=json

The same restriction in YAML:

Exclude:
    $ENTITY_SET$:
        Products:
             Properties:
                 - ProductID
                 - ProductName
             Nav_Properties:
                 - Category
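The following added example (not ODfuzz's own code) shows the exclusion-list behaviour described above: properties named under "Properties" disappear from the $filter/$orderby pool, names under "Nav_Properties" disappear from the navigation pool, and the key predicate is built from the key properties alone, so ProductID stays in the URI. The Northwind property and key lists are constructed stand-ins for what pyodata would parse from metadata.xml.

```python
import json

# Constructed exclusion list in the JSON form shown above (not a file shipped with ODfuzz).
EXCLUSION_LIST_JSON = """
{
    "$ENTITY_SET$": {
        "Products": {
            "Properties": ["ProductID", "ProductName"],
            "Nav_Properties": ["Category"]
        }
    }
}
"""

# Constructed stand-ins for what pyodata would parse from metadata.xml for Northwind Products.
PRODUCTS_PROPERTIES = ["ProductID", "ProductName", "SupplierID", "CategoryID", "UnitPrice", "Discontinued"]
PRODUCTS_KEYS = ["ProductID"]
PRODUCTS_NAV_PROPERTIES = ["Category", "Supplier", "Order_Details"]

def load_exclusion_list(text):
    """Parse the exclusion list JSON into a dict."""
    return json.loads(text)

def excluded_names(exclusion_list, entity_set, kind):
    """Names excluded for entity_set under kind ('Properties' or 'Nav_Properties'); empty if none."""
    entry = exclusion_list.get("$ENTITY_SET$", {}).get(entity_set) or {}
    return set(entry.get(kind) or [])

def filter_orderby_pool(exclusion_list, entity_set, properties):
    """Properties FilterQuery and OrderbyQuery may draw from: matches in the list are dropped."""
    excluded = excluded_names(exclusion_list, entity_set, "Properties")
    return [p for p in properties if p not in excluded]

def expand_pool(exclusion_list, entity_set, nav_properties):
    """Navigation properties left for $expand and navigation URIs."""
    excluded = excluded_names(exclusion_list, entity_set, "Nav_Properties")
    return [n for n in nav_properties if n not in excluded]

def key_predicate(entity_set, key_properties, key_values):
    """Key predicate such as Products(ProductID=1). It is built from the key properties only,
    so excluding ProductID from $filter/$orderby never removes it from the URI."""
    parts = ",".join(f"{k}={key_values[k]}" for k in key_properties)
    return f"{entity_set}({parts})"

if __name__ == "__main__":
    rules = load_exclusion_list(EXCLUSION_LIST_JSON)
    print(filter_orderby_pool(rules, "Products", PRODUCTS_PROPERTIES))  # no ProductID, no ProductName
    print(key_predicate("Products", PRODUCTS_KEYS, {"ProductID": 1}))  # Products(ProductID=1)
```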

  • $ENTITY_SET Navigation Properties$. The fuzzer will not generate HTTP requests of any method type (GET, POST, DELETE, PUT and MERGE) for the specified list of navigation properties of a specific entity set; URIs for the listed navigation properties are not generated. For example, when we define the following restriction, ODfuzz will skip generation of query options for the navigation property Categories of the entity set Products:

URI:

https://services.odata.org/V2/Northwind/Northwind.svc/Categories(CategoryID=950596305)/Products?sap-client=500

Exclude:
    $ENTITY_SET$:
        Products:
             Properties:
             Nav_Properties:
                 - Category

  • $ENTITY_SET$ under a query option. The same keyword can be placed under a single query option; here $filter queries are excluded for the entity set Products:

Exclude:
    $filter:
        $ENTITY_SET$:
            - Products

  • $ENTITY$. The fuzzer will not generate HTTP GET requests for a specified list of entities. ODfuzz will skip generation of requests that contain the '$filter' query option and target a single Product entity (e.g. https://services.odata.org/V2/Northwind/Northwind.svc/Products(1)) when the restrictions are defined as follows:

Exclude:
    $filter:
        $ENTITY$:
            - Products

  • $ENTITY_ASSOC$. Takes a list of entity set names, for example:

Exclude:
    $filter:
        $ENTITY_ASSOC$:
            - Order_Details

  • $F_ALL$. Excludes the listed functions for the given query option:

Exclude:
    $filter:
        $F_ALL$:
            - indexof

  • $P_ALL$. Excludes the listed properties for the given query option across all entity sets:

Exclude:
    $filter:
        $P_ALL$:
            - SupplierID

  • $FORBID$. Excludes the listed query options entirely:

Exclude:
    $FORBID$:
        - $filter
        - $orderby

  • $NAV_PROP$. The fuzzer will generate the query option '$expand' without the declared navigation properties. At first sight this restriction may seem redundant with $P_ALL$; however, navigation properties are not equivalent to ordinary properties and cannot be treated in the same way. ODfuzz will skip generation of the query option '$expand' containing the navigation property Supplier (i.e. https://services.odata.org/V2/Northwind/Northwind.svc/Products?$expand=Supplier):

Exclude:
    $expand:
        $NAV_PROP$:
            - Supplier

Basic example

The following is a set of minimal restrictions, based on which functions are not supported by SAP OData Gateway:

file: /restrictions/basic.yaml

Exclude:
    $filter:
        $F_ALL$:
            - concat
            - length
            - tolower
            - toupper
            - trim
            - replace
            - indexof
            - substring
            - day
            - hour
            - minute
            - month
            - second
            - year
            - round
            - floor

Complex example (FI_CORRESPONDENCE_V2_SRV)

Exclude:
    $FORBID$:
        - search
        - $top
        - $skip
        - $inlinecount
        - $orderby
    $expand:
        $NAV_PROP$:
            - XML
            - PDF
            - Print
            - MessageSet
    $filter:
        C_CorrespondenceCompanyCodeVH:
            - CompanyCodeName
        $F_ALL$:
            - concat
            - trim
            - substring
            - toupper
            - length
            - tolower
            - replace
            - indexof
        $ENTITY_SET$:
            - DefaultValueSet
            - C_CorrespondenceCompanyCodeVH
            - C_CorrespondenceCustomerVH
            - C_CorrespondenceSupplierVH
            - C_Cpbupaemailvh
        $ENTITY_ASSOC$:
            - CorrespondenceTypeSet
            - SupportedChannelSet
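As an added example (not ODfuzz's own code), the complex restriction file above evaluated against candidate query parts. The restrictions are embedded as the dict that yaml.safe_load would produce from that YAML, so the block runs without PyYAML; the function names and the treatment of $P_ALL$ as "all entity sets" are this example's own.

```python
# The complex example above as the dict yaml.safe_load would return (constructed here, no PyYAML needed).
RESTRICTIONS = {
    "Exclude": {
        "$FORBID$": ["search", "$top", "$skip", "$inlinecount", "$orderby"],
        "$expand": {"$NAV_PROP$": ["XML", "PDF", "Print", "MessageSet"]},
        "$filter": {
            "C_CorrespondenceCompanyCodeVH": ["CompanyCodeName"],
            "$F_ALL$": ["concat", "trim", "substring", "toupper",
                        "length", "tolower", "replace", "indexof"],
            "$ENTITY_SET$": ["DefaultValueSet", "C_CorrespondenceCompanyCodeVH",
                             "C_CorrespondenceCustomerVH", "C_CorrespondenceSupplierVH",
                             "C_Cpbupaemailvh"],
            "$ENTITY_ASSOC$": ["CorrespondenceTypeSet", "SupportedChannelSet"],
        },
    }
}

def _listed(rules, option, keyword):
    """Names under Exclude -> option -> keyword; empty YAML nodes load as None, hence the `or`."""
    section = rules.get("Exclude", {}).get(option) or {}
    return section.get(keyword) or []

def option_forbidden(rules, option):
    """$FORBID$ names query options the fuzzer must not emit at all."""
    return option in (rules.get("Exclude", {}).get("$FORBID$") or [])

def function_excluded(rules, option, function):
    """$F_ALL$ under a query option excludes the listed functions for that option."""
    return function in _listed(rules, option, "$F_ALL$")

def entity_set_excluded(rules, option, entity_set):
    """$ENTITY_SET$ under a query option disables that option for the listed entity sets."""
    return entity_set in _listed(rules, option, "$ENTITY_SET$")

def property_excluded(rules, option, entity_set, prop):
    """A property is excluded when listed under its entity set or under $P_ALL$."""
    return prop in _listed(rules, option, entity_set) or prop in _listed(rules, option, "$P_ALL$")

def nav_property_excluded(rules, nav_prop):
    """$NAV_PROP$ under $expand keeps the navigation property out of generated $expand values."""
    return nav_prop in _listed(rules, "$expand", "$NAV_PROP$")

def usable_filter_functions(rules, candidates):
    """Function pool a $filter generator may draw from after applying the restrictions."""
    if option_forbidden(rules, "$filter"):
        return []
    return [f for f in candidates if not function_excluded(rules, "$filter", f)]
```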

INCLUDE Restrictions - e.g. primary keys for records

Include:
    $VALUE$:
        Products:
            UnitPrice:
                - "18.0000"
                - "19.0000"

Declared values are not mutable. The mutator picks a random value from the list and replaces the old value with it.

Values have to be enclosed in double quotation marks because they are copied to the fuzzer as-is, without any modification or type redefinition. All data types are represented as strings internally. Here are some example declarations for commonly used data types:

Edm.String  : "'Value'"
Edm.Int32   : "123"
Edm.Boolean : "true"
Edm.Decimal : "12.00"

Include:
    $DRAFT$:
        Products:
            - Discontinued