reset state

omursahin · omursahin · commit d696a78bf46c · 2025-11-23T11:53:08.000+03:00
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/main/kotlin/com/foo/rest/examples/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONApplication.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/main/kotlin/com/foo/rest/examples/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONApplication.kt
@@ -72,9 +72,15 @@ open class XSSStoredJSONApplication {
         private val guestbookEntries = mutableListOf<Pair<String, String>>() // Query parameter
     }
 
+    open fun resetDB() {
+        comments.clear()
+        userBios.clear()
+        guestbookEntries.clear()
+    }
+
     // ==== BODY PARAMETER - Comment System ====
 
-    @PostMapping(path = ["/comment"], produces = [MediaType.APPLICATION_JSON_VALUE])
+    @PostMapping(path = ["/comments"], produces = [MediaType.APPLICATION_JSON_VALUE])
     open fun storeComment(@RequestBody commentDto: CommentDto): ResponseEntity<CommentResponseDto> {
         // VULNERABLE: Stores user input without sanitization
         val comment = commentDto.comment ?: "No comment"
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/com/foo/rest/examples/spring/openapi/v3/security/xss/stored/html/XSSStoredController.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/com/foo/rest/examples/spring/openapi/v3/security/xss/stored/html/XSSStoredController.kt
@@ -1,5 +1,11 @@
 package com.foo.rest.examples.spring.openapi.v3.security.xss.stored.html
 
 import com.foo.rest.examples.spring.openapi.v3.SpringController
+import com.foo.rest.examples.spring.openapi.v3.security.xss.stored.json.XSSStoredJSONApplication
 
-class XSSStoredController: SpringController(XSSStoredApplication::class.java)
+class XSSStoredController: SpringController(XSSStoredApplication::class.java){
+    override fun resetStateOfSUT() {
+        val app = ctx!!.getBean(XSSStoredJSONApplication::class.java)
+        app.resetDB()
+    }
+}
diff --git a/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/com/foo/rest/examples/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONController.kt b/core-tests/e2e-tests/spring/spring-rest-openapi-v3/src/test/kotlin/com/foo/rest/examples/spring/openapi/v3/security/xss/stored/json/XSSStoredJSONController.kt
@@ -2,4 +2,9 @@ package com.foo.rest.examples.spring.openapi.v3.security.xss.stored.json
 
 import com.foo.rest.examples.spring.openapi.v3.SpringController
 
-class XSSStoredJSONController: SpringController(XSSStoredJSONApplication::class.java)
+class XSSStoredJSONController: SpringController(XSSStoredJSONApplication::class.java){
+    override fun resetStateOfSUT() {
+        val app = ctx!!.getBean(XSSStoredJSONApplication::class.java)
+        app.resetDB()
+    }
+}
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt
@@ -228,14 +228,6 @@ object RestSecurityOracle {
         "<img src=x onerror=alert('XSS')>",
         "<svg onload=alert('XSS')>",
         "<details open ontoggle=alert('XSS')>",
-        //TODO if payload contains "/" it causes StackOverflow:
-        //java.lang.StackOverflowError
-        //	at org.evomaster.core.search.StructuralElement.<init>(StructuralElement.kt:107)
-        //	at org.evomaster.core.search.StructuralElement.<init>(StructuralElement.kt:19)
-        //	at org.evomaster.core.search.gene.Gene.<init>(Gene.kt:58)
-        //	at org.evomaster.core.search.gene.root.SimpleGene.<init>(SimpleGene.kt:13)
-        //	at org.evomaster.core.search.gene.collection.EnumGene.<init>(EnumGene.kt:25)
-        //	at org.evomaster.core.search.gene.collection.EnumGene.copyContent(EnumGene.kt:111)
         "<script>alert('XSS')</script>",
         "<iframe src='javascript:alert(\"XSS\")'></iframe>"
     )
