minor fixes

omursahin · omursahin · commit dd856800e9cf · 2025-11-09T22:02:14.000+03:00
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/RestSecurityOracle.kt
@@ -225,7 +225,6 @@ object RestSecurityOracle {
     // Simple XSS payloads inspired by big-list-of-naughty-strings
     // https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt
     val XSS_PAYLOADS = listOf(
-        "javascript:alert('XSS')",
         "<img src=x onerror=alert('XSS')>",
         "<svg onload=alert('XSS')>",
         "<details open ontoggle=alert('XSS')>",
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/SecurityRest.kt
@@ -926,9 +926,10 @@ class SecurityRest {
                 var payloadInjected = false
 
                 // Attempt to inject payload into parameters
-                actionCopy.parameters.filter { it is BodyParam || it is QueryParam || it is PathParam }.forEach { param ->
+                actionCopy.parameters.forEach { param ->
 
                     // Skip if PathParam and payload contains "/" (would break URL structure)
+                    // TODO this in theory should be fine if properly escape entries in RestPath
                     if(param is PathParam && payload.contains("/")){
                         return@forEach
                     }
@@ -951,7 +952,7 @@ class SecurityRest {
                             }
                         } catch(e: Exception){
                             // Constraints might not allow the payload
-                            log.debug("Failed to inject XSS payload into ${gene.name}: ${e.message}")
+                            log.warn("Failed to inject XSS payload into ${gene.name}: ${e.message}")
                         }
                     }
                 }
@@ -1004,7 +1005,7 @@ class SecurityRest {
                                         }
                                     } catch(e: Exception){
                                         // Constraints might not allow the payload
-                                        log.debug("Failed to inject XSS payload into GET ${gene.name}: ${e.message}")
+                                        log.warn("Failed to inject XSS payload into GET ${gene.name}: ${e.message}")
                                     }
                                 }
                             }
@@ -1030,10 +1031,6 @@ class SecurityRest {
                 if(DefinedFaultCategory.XSS in faultsCategories){
 
                     val added = archive.addIfNeeded(evaluatedIndividual)
-                    evaluatedIndividual.individual.seeMainExecutableActions().forEach {
-                        println("$action - ${it.verb} ${it.path} -> ${it.auth.name} - ${added}")
-                    }
-
                     assert(added)
                     continue@mainloop
                 }

Original file line number	Diff line number	Diff line change
`@@ -926,9 +926,10 @@ class SecurityRest {`
`926`	`926`	`var payloadInjected = false`
`927`	`927`
`928`	`928`	`// Attempt to inject payload into parameters`
`929`		`- actionCopy.parameters.filter { it is BodyParam \|\| it is QueryParam \|\| it is PathParam }.forEach { param ->`
	`929`	`+ actionCopy.parameters.forEach { param ->`
`930`	`930`
`931`	`931`	`// Skip if PathParam and payload contains "/" (would break URL structure)`
	`932`	`+ // TODO this in theory should be fine if properly escape entries in RestPath`
`932`	`933`	`if(param is PathParam && payload.contains("/")){`
`933`	`934`	`return@forEach`
`934`	`935`	`}`
`@@ -951,7 +952,7 @@ class SecurityRest {`
`951`	`952`	`}`
`952`	`953`	`} catch(e: Exception){`
`953`	`954`	`// Constraints might not allow the payload`
`954`		`- log.debug("Failed to inject XSS payload into ${gene.name}: ${e.message}")`
	`955`	`+ log.warn("Failed to inject XSS payload into ${gene.name}: ${e.message}")`
`955`	`956`	`}`
`956`	`957`	`}`
`957`	`958`	`}`
`@@ -1004,7 +1005,7 @@ class SecurityRest {`
`1004`	`1005`	`}`
`1005`	`1006`	`} catch(e: Exception){`
`1006`	`1007`	`// Constraints might not allow the payload`
`1007`		`- log.debug("Failed to inject XSS payload into GET ${gene.name}: ${e.message}")`
	`1008`	`+ log.warn("Failed to inject XSS payload into GET ${gene.name}: ${e.message}")`
`1008`	`1009`	`}`
`1009`	`1010`	`}`
`1010`	`1011`	`}`
`@@ -1030,10 +1031,6 @@ class SecurityRest {`
`1030`	`1031`	`if(DefinedFaultCategory.XSS in faultsCategories){`
`1031`	`1032`
`1032`	`1033`	`val added = archive.addIfNeeded(evaluatedIndividual)`
`1033`		`- evaluatedIndividual.individual.seeMainExecutableActions().forEach {`
`1034`		`- println("$action - ${it.verb} ${it.path} -> ${it.auth.name} - ${added}")`
`1035`		`- }`
`1036`		`-`
`1037`	`1034`	`assert(added)`
`1038`	`1035`	`continue@mainloop`
`1039`	`1036`	`}`