fixed wrong SUT in test

WebFuzzing · Oct 30, 2024 · 784ea94 · 784ea94
1 parent f02ad8f
commit 784ea94
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/...ar/examples/it/spring/securityforbiddenoperation/SecurityForbiddenOperationApplication.kt b/...ar/examples/it/spring/securityforbiddenoperation/SecurityForbiddenOperationApplication.kt
@@ -6,6 +6,7 @@ import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfi
 import org.springframework.http.ResponseEntity
 import org.springframework.web.bind.annotation.*
 import java.net.URI
+import java.util.concurrent.ConcurrentHashMap
 
 
 @SpringBootApplication(exclude = [SecurityAutoConfiguration::class])
@@ -23,15 +24,19 @@ open class SecurityForbiddenOperationApplication {
         var disabledCheckPut = false
         var disabledCheckPatch = false
 
-        private val data = mutableMapOf<Int, String>()
+        private val data = ConcurrentHashMap<Int,String>()
         private var counter = 0
 
+        fun cleanState(){
+            counter = 0
+            data.clear()
+        }
+
         fun reset(){
             disabledCheckDelete = false
             disabledCheckPut = false
             disabledCheckPatch = false
-            counter = 0
-            data.clear()
+            cleanState()
         }
     }
 

diff --git a/...bar/examples/it/spring/securityforbiddenoperation/SecurityForbiddenOperationController.kt b/...bar/examples/it/spring/securityforbiddenoperation/SecurityForbiddenOperationController.kt
@@ -15,4 +15,8 @@ class SecurityForbiddenOperationController : SpringController(SecurityForbiddenO
             AuthUtils.getForAuthorizationHeader("BAR","BAR"),
         )
     }
+
+    override fun resetStateOfSUT() {
+        SecurityForbiddenOperationApplication.cleanState()
+    }
 }
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
@@ -557,10 +557,17 @@ class SecurityRest {
             //anyway, let's verify indeed second last action if a 403 target verb. otherwise, it is a problem
             val ema = evaluatedIndividual.evaluatedMainActions()
             val secondLast = ema[ema.size - 2]
-            if (!(secondLast.action is RestCallAction && secondLast.action.verb == verb
-                        && secondLast.result is RestCallResult && secondLast.result.getStatusCode() == 403)
-            ) {
-                log.warn("Issue with constructing evaluated individual. Expected a 403 $verb, but got: $secondLast")
+            val secondLastAction = secondLast.action
+            val secondLastResult = secondLast.result
+            if(secondLastAction !is RestCallAction || secondLastResult !is RestCallResult) {
+                //shouldn't really ever happen...
+                //TODO should refactor code to enforce generics in subclasses
+                log.warn("Wrong type: non-REST action/result")
+                return@forEach
+            }
+            if (secondLastAction.verb != verb ||  secondLastResult.getStatusCode() != 403) {
+                log.warn("Issue with constructing evaluated individual. Expected a 403 $verb," +
+                        " but got: ${secondLastResult.getStatusCode()} ${secondLastAction.verb}")
                 return@forEach
             }