From 475ff78a1e32470c543599c3b0abe8747c629fd5 Mon Sep 17 00:00:00 2001 From: evilchili Date: Sat, 19 Nov 2022 16:58:58 -0800 Subject: [PATCH] Adding fuzz testing of auth --- .gitignore | 4 + poetry.lock | 234 ------------------------------------------ pyproject.toml | 1 + test/test_ondemand.py | 26 ++++- 4 files changed, 27 insertions(+), 238 deletions(-) delete mode 100644 poetry.lock diff --git a/.gitignore b/.gitignore index b6e4761..cd1ce15 100644 --- a/.gitignore +++ b/.gitignore @@ -127,3 +127,7 @@ dmypy.json # Pyre type checker .pyre/ + +# poetry local lock +poetry.lock + diff --git a/poetry.lock b/poetry.lock deleted file mode 100644 index 22e7c01..0000000 --- a/poetry.lock +++ /dev/null 
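Review bot: Ignoring `poetry.lock` (`+poetry.lock`) while this same commit deletes the committed lock means every fresh checkout re-resolves the caret ranges in pyproject.toml, so two CI runs can install different dependency versions and a newly published release inside a range is picked up with no review step. For an application the committed lock is what makes installs reproducible and auditable; if the goal is only to stop churn from local resolves, keep the lock committed and refresh it deliberately. If this package is consumed as a library, leaving the lock out is conventional, but then the comment should say so, e.g. `# poetry.lock is not committed: this project is consumed as a library`.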
@@ -1,234 +0,0 @@ -[[package]] -name = "attrs" -version = "22.1.0" -description = "Classes Without Boilerplate" -category = "main" -optional = false -python-versions = ">=3.5" - -[package.extras] -dev = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "mypy (>=0.900,!=0.940)", "pytest-mypy-plugins", "zope.interface", "furo", "sphinx", "sphinx-notfound-page", "pre-commit", "cloudpickle"] -docs = ["furo", "sphinx", "zope.interface", "sphinx-notfound-page"] -tests = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "mypy (>=0.900,!=0.940)", "pytest-mypy-plugins", "zope.interface", "cloudpickle"] -tests_no_zope = ["coverage[toml] (>=5.0.2)", "hypothesis", "pympler", "pytest (>=4.3.0)", "mypy (>=0.900,!=0.940)", "pytest-mypy-plugins", "cloudpickle"] - -[[package]] -name = "boddle" -version = "0.2.9" -description = "A unit testing tool for Python's bottle library." -category = "dev" -optional = false -python-versions = "*" - -[package.dependencies] -bottle = "*" - -[[package]] -name = "bottle" -version = "0.12.23" -description = "Fast and simple WSGI-framework for small web-applications." -category = "main" -optional = false -python-versions = "*" - -[[package]] -name = "click" -version = "8.1.3" -description = "Composable command line interface toolkit" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -colorama = {version = "*", markers = "platform_system == \"Windows\""} - -[[package]] -name = "colorama" -version = "0.4.6" -description = "Cross-platform colored terminal text." 
-category = "main" -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" - -[[package]] -name = "exceptiongroup" -version = "1.0.4" -description = "Backport of PEP 654 (exception groups)" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -test = ["pytest (>=6)"] - -[[package]] -name = "iniconfig" -version = "1.1.1" -description = "iniconfig: brain-dead simple config-ini parsing" -category = "main" -optional = false -python-versions = "*" - -[[package]] -name = "packaging" -version = "21.3" -description = "Core utilities for Python packages" -category = "main" -optional = false -python-versions = ">=3.6" - -[package.dependencies] -pyparsing = ">=2.0.2,<3.0.5 || >3.0.5" - -[[package]] -name = "paste" -version = "3.5.2" -description = "Tools for using a Web Server Gateway Interface stack" -category = "main" -optional = false -python-versions = "*" - -[package.dependencies] -six = ">=1.4.0" - -[package.extras] -flup = ["flup"] -openid = ["python-openid"] - -[[package]] -name = "pluggy" -version = "1.0.0" -description = "plugin and hook calling mechanisms for python" -category = "main" -optional = false -python-versions = ">=3.6" - -[package.extras] -testing = ["pytest-benchmark", "pytest"] -dev = ["tox", "pre-commit"] - -[[package]] -name = "pyparsing" -version = "3.0.9" -description = "pyparsing module - Classes and methods to define and execute parsing grammars" -category = "main" -optional = false -python-versions = ">=3.6.8" - -[package.extras] -diagrams = ["railroad-diagrams", "jinja2"] - -[[package]] -name = "pytest" -version = "7.2.0" -description = "pytest: simple powerful testing with Python" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -attrs = ">=19.2.0" -colorama = {version = "*", markers = "sys_platform == \"win32\""} -exceptiongroup = {version = ">=1.0.0rc8", markers = "python_version < \"3.11\""} -iniconfig = "*" -packaging = "*" 
-pluggy = ">=0.12,<2.0" -tomli = {version = ">=1.0.0", markers = "python_version < \"3.11\""} - -[package.extras] -testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "pygments (>=2.7.2)", "requests", "xmlschema"] - -[[package]] -name = "pytest-asyncio" -version = "0.20.2" -description = "Pytest support for asyncio" -category = "dev" -optional = false -python-versions = ">=3.7" - -[package.dependencies] -pytest = ">=6.1.0" - -[package.extras] -testing = ["coverage (>=6.2)", "hypothesis (>=5.7.1)", "flaky (>=3.5.0)", "mypy (>=0.931)", "pytest-trio (>=0.7.0)"] - -[[package]] -name = "pytest-dotenv" -version = "0.5.2" -description = "A py.test plugin that parses environment files before running tests" -category = "main" -optional = false -python-versions = "*" - -[package.dependencies] -pytest = ">=5.0.0" -python-dotenv = ">=0.9.1" - -[[package]] -name = "python-dotenv" -version = "0.21.0" -description = "Read key-value pairs from a .env file and set them as environment variables" -category = "main" -optional = false -python-versions = ">=3.7" - -[package.extras] -cli = ["click (>=5.0)"] - -[[package]] -name = "six" -version = "1.16.0" -description = "Python 2 and 3 compatibility utilities" -category = "main" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" - -[[package]] -name = "tomli" -version = "2.0.1" -description = "A lil' TOML parser" -category = "main" -optional = false -python-versions = ">=3.7" - -[[package]] -name = "typer" -version = "0.7.0" -description = "Typer, build great CLIs. Easy to code. Based on Python type hints." 
-category = "main" -optional = false -python-versions = ">=3.6" - -[package.dependencies] -click = ">=7.1.1,<9.0.0" - -[package.extras] -all = ["colorama (>=0.4.3,<0.5.0)", "shellingham (>=1.3.0,<2.0.0)", "rich (>=10.11.0,<13.0.0)"] -dev = ["autoflake (>=1.3.1,<2.0.0)", "flake8 (>=3.8.3,<4.0.0)", "pre-commit (>=2.17.0,<3.0.0)"] -doc = ["mkdocs (>=1.1.2,<2.0.0)", "mkdocs-material (>=8.1.4,<9.0.0)", "mdx-include (>=1.4.1,<2.0.0)", "pillow (>=9.3.0,<10.0.0)", "cairosvg (>=2.5.2,<3.0.0)"] -test = ["shellingham (>=1.3.0,<2.0.0)", "pytest (>=4.4.0,<8.0.0)", "pytest-cov (>=2.10.0,<5.0.0)", "coverage (>=6.2,<7.0)", "pytest-xdist (>=1.32.0,<4.0.0)", "pytest-sugar (>=0.9.4,<0.10.0)", "mypy (==0.910)", "black (>=22.3.0,<23.0.0)", "isort (>=5.0.6,<6.0.0)", "rich (>=10.11.0,<13.0.0)"] - -[metadata] -lock-version = "1.1" -python-versions = "^3.10" -content-hash = "88c9ad77d7dc2477ea033e38852a188c7b6cfdf2b75a28f6e2553ae6652c9e9e" - -[metadata.files] -attrs = [] -boddle = [] -bottle = [] -click = [] -colorama = [] -exceptiongroup = [] -iniconfig = [] -packaging = [] -paste = [] -pluggy = [] -pyparsing = [] -pytest = [] -pytest-asyncio = [] -pytest-dotenv = [] -python-dotenv = [] -six = [] -tomli = [] -typer = [] diff --git a/pyproject.toml b/pyproject.toml index a6ca91d..80771c7 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -20,6 +20,7 @@ pytest = "^7.2.0" pytest-asyncio = "^0.20.2" pytest-dotenv = "^0.5.2" boddle = "^0.2.9" +atheris = "^2.1.1" [build-system] requires = ["poetry-core>=1.0.0"] diff --git a/test/test_ondemand.py b/test/test_ondemand.py index a5d8afd..51fc634 100644 --- a/test/test_ondemand.py +++ b/test/test_ondemand.py 
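Review bot: `atheris = "^2.1.1"` is added next to the pytest plugins, but atheris is a native extension built against libFuzzer that needs clang at install time, so every `poetry install` of this group now depends on a C toolchain rather than pure-Python packages. Consider an optional group or extra, with the fuzz test skipping when `import atheris` fails, so the rest of the suite stays installable on hosts without clang. The table header is outside the hunk, so which dependency table this lands in cannot be confirmed from here.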
@@ -1,13 +1,31 @@ -from boddle import boddle -from groove import ondemand import os +import sys + +import atheris +from boddle import boddle + +from groove import ondemand -def test_ondemand_server(): +def test_server(): with boddle(): assert ondemand.index() == 'Groovy.' -def test_ondemand_auth(): +def test_auth_with_valid_credentials(): with boddle(auth=(os.environ.get('USERNAME'), os.environ.get('PASSWORD'))): assert ondemand.admin() == 'Authenticated. Groovy.' + + +def test_auth_random_input(): + + def auth(fuzzed_input): + with boddle(auth=(fuzzed_input, fuzzed_input)): + result = ondemand.admin() + assert result.body == 'Access denied' + + atheris.Setup([sys.argv[0], "-atheris_runs=100000"], auth) + try: + atheris.Fuzz() + except SystemExit: + pass
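Review bot: In `test_auth_random_input`, `auth` receives raw `bytes` from atheris and feeds the same value as both username and password, so the fuzzer never tries a correct username with a wrong password (or the reverse), and unless boddle accepts bytes for `auth` the header it builds will carry the `str()` of a bytes object rather than the fuzzed text. Decode through `atheris.FuzzedDataProvider` and consume two independent strings. `except SystemExit: pass` also discards the exit status, so if atheris signals a failing run by exiting non-zero the test still passes; keep the code check with `except SystemExit as exc: assert exc.code in (None, 0)`. A deterministic negative case using the real `USERNAME` with a wrong `PASSWORD` would pin the branch the random fuzzer is least likely to reach.
```python
def test_auth_random_input():

    def auth(fuzzed_input):
        fdp = atheris.FuzzedDataProvider(fuzzed_input)
        user = fdp.ConsumeUnicodeNoSurrogates(64)
        password = fdp.ConsumeUnicodeNoSurrogates(64)
        with boddle(auth=(user, password)):
            result = ondemand.admin()
            assert result.body == 'Access denied'

    # … unchanged: atheris.Setup(...) …
    try:
        atheris.Fuzz()
    except SystemExit as exc:
        assert exc.code in (None, 0), f"fuzzer exited with status {exc.code}"
```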