cleanup app

omursahin · omursahin · commit 3c7e5c5ddb1f · 2025-11-12T11:55:58.000+03:00
diff --git a/core-tests/e2e-tests/spring/spring-rest-bb/src/main/kotlin/com/foo/rest/examples/bb/cleanupmismatch/BBCleanUpMismatchApplication.kt b/core-tests/e2e-tests/spring/spring-rest-bb/src/main/kotlin/com/foo/rest/examples/bb/cleanupmismatch/BBCleanUpMismatchApplication.kt
@@ -27,12 +27,21 @@ open class BBCleanUpMismatchApplication {
         }
     }
 
+    private fun containsUnsafeUrlCharacters(str: String): Boolean {
+        // Characters that are problematic in URL path parameters
+        val unsafeChars = setOf('<', '>', '"', '\'', '&', '/', '\\', '{', '}', '|', '^', '[', ']', '`', ' ')
+        return str.any { it in unsafeChars || it.code < 32 || it.code > 126 }
+    }
 
     @PostMapping(path = ["/items"], consumes = [MediaType.APPLICATION_JSON_VALUE], produces = [MediaType.APPLICATION_JSON_VALUE])
     fun postCreate(@RequestBody dto: BBCleanUpDto) : ResponseEntity<BBCleanUpDto> {
 
         if(dto.id.isNullOrBlank() || dto.x == null) return ResponseEntity.status(400).build()
 
+        if(containsUnsafeUrlCharacters(dto.id!!)) {
+            return ResponseEntity.status(400).build()
+        }
+
         if(data.containsKey(dto.id)){
             return ResponseEntity.status(409).build()
         }
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt
@@ -228,8 +228,16 @@ object RestSecurityOracle {
         "<img src=x onerror=alert('XSS')>",
         "<svg onload=alert('XSS')>",
         "<details open ontoggle=alert('XSS')>",
-        "<script>alert('XSS')</script>",
-        "<iframe src='javascript:alert(\"XSS\")'></iframe>"
+        //TODO if payload contains "/" it causes StackOverflow:
+        //java.lang.StackOverflowError
+        //	at org.evomaster.core.search.StructuralElement.<init>(StructuralElement.kt:107)
+        //	at org.evomaster.core.search.StructuralElement.<init>(StructuralElement.kt:19)
+        //	at org.evomaster.core.search.gene.Gene.<init>(Gene.kt:58)
+        //	at org.evomaster.core.search.gene.root.SimpleGene.<init>(SimpleGene.kt:13)
+        //	at org.evomaster.core.search.gene.collection.EnumGene.<init>(EnumGene.kt:25)
+        //	at org.evomaster.core.search.gene.collection.EnumGene.copyContent(EnumGene.kt:111)
+//        "<script>alert('XSS')</script>",
+//        "<iframe src='javascript:alert(\"XSS\")'></iframe>"
     )
 
 

Original file line number	Diff line number	Diff line change
`@@ -27,12 +27,21 @@ open class BBCleanUpMismatchApplication {`
`27`	`27`	`}`
`28`	`28`	`}`
`29`	`29`
	`30`	`+ private fun containsUnsafeUrlCharacters(str: String): Boolean {`
	`31`	`+ // Characters that are problematic in URL path parameters`
	`32`	+ val unsafeChars = setOf('<', '>', '"', '\'', '&', '/', '\\', '{', '}', '\|', '^', '[', ']', '`', ' ')
	`33`	`+ return str.any { it in unsafeChars \|\| it.code < 32 \|\| it.code > 126 }`
	`34`	`+ }`
`30`	`35`
`31`	`36`	`@PostMapping(path = ["/items"], consumes = [MediaType.APPLICATION_JSON_VALUE], produces = [MediaType.APPLICATION_JSON_VALUE])`
`32`	`37`	`fun postCreate(@RequestBody dto: BBCleanUpDto) : ResponseEntity<BBCleanUpDto> {`
`33`	`38`
`34`	`39`	`if(dto.id.isNullOrBlank() \|\| dto.x == null) return ResponseEntity.status(400).build()`
`35`	`40`
	`41`	`+ if(containsUnsafeUrlCharacters(dto.id!!)) {`
	`42`	`+ return ResponseEntity.status(400).build()`
	`43`	`+ }`
	`44`	`+`
`36`	`45`	`if(data.containsKey(dto.id)){`
`37`	`46`	`return ResponseEntity.status(409).build()`
`38`	`47`	`}`