diff --git a/postman_collections/modified_postman_openapi.json b/postman_collections/modified_postman_openapi.json new file mode 100644 index 00000000..45518531 --- /dev/null +++ b/postman_collections/modified_postman_openapi.json 
@@ -0,0 +1,683 @@ +{ + "item": [ + { + "id": "24b3dc94-bf6d-4841-b9ff-164baa9e4480", + "name": "products", + "item": [ + { + "id": "21e01db8-cf3b-45ff-a645-cbed3b466fd1", + "name": "Get All Products", + "request": { + "name": "Get All Products", + "description": { + "content": "It gives you all products", + "type": "text/plain" + }, + "url": { + "path": [ + "products" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [] + }, + "header": [ + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "GET", + "auth": null + }, + "response": [ + { + "id": "167b61ec-7920-48c4-991f-6e5b5d38509d", + "name": "Successful operation", + "originalRequest": { + "url": { + "path": [ + "products" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [] + }, + "header": [ + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "GET", + "body": {} + }, + "status": "OK", + "code": 200, + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": "{\n \"name\": \"apple\",\n \"id\": 10,\n \"description\": \"description of the product\",\n \"price\": 20\n}", + "cookie": [], + "_postman_previewlanguage": "json" + } + ], + "event": [ + { + "listen": "test", + "script": { + "exec": [ + " \n// ********RoostGPT********\n/*\nTest generated by RoostGPT for test postman-openapi using AI Type Azure Open AI and AI Model roost-gpt4-32k\n\n\nTest generated for /products for http method type get in postman framework\n================================VULNERABILITIES================================\nVulnerability: CWE-209: Information Exposure Through an Error Message\nIssue: Product details are getting logged. This might expose product related sensitive information. This happens on log lines 1 & 3\nSolution: Do not log sensitive information. 
If it is necessary for troubleshooting, ensure logs are properly protected and encrypted.\n\nVulnerability: CWE-532: Information Exposure Through Log Files\nIssue: IDs and other product details are exposed when a product details are retrieved. This happens on log lines 3 & 5\nSolution: Avoid logging PII or sensitive data where possible. Anonymize or pseudonymize the data before logging wherever possible.\n\n================================================================================\n\n*/\n\n// ********RoostGPT********\n\nlet responseData;\nconst contentType = pm.response.headers.get('Content-Type');\nif(contentType === \"application/xml\"){\n responseData = xml2Json(responseBody);\n} else{\n responseData = pm.response.json();\n}\nif (pm.variables.get(\"statusCode\")) {\n // Compare the statusCode variable with the response code for assertion\n pm.expect(parseInt(pm.variables.get(\"statusCode\"))).to.be.equal(pm.response.code);\n}\n\n// let responseTime = 800\n// pm.expect(pm.response.responseTime).to.be.below(responseTime);\n\nif (pm.response.code == 200){\n pm.test(\"Successful operation\", function () {\n pm.expect(pm.response.status).to.be.eql(\"OK\");\n if(Array.isArray(responseData)) {\n pm.test('Response has the `id` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData[0], `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `id` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData, `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`name`)){\n if(pm.expect(_.get(responseData[0], `name`, null)).to.exist){\n pm.expect(typeof 
_.get(responseData[0], `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`name`)){\n if(pm.expect(_.get(pm.response.json(), `name`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`description`)){\n if(pm.expect(_.get(responseData[0], `description`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`description`)){\n if(pm.expect(_.get(pm.response.json(), `description`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `price` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData[0], `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `price` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData, `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n});\n}\n" + ], + "type": "text/javascript" + } + } + ], + "protocolProfileBehavior": { + "disableBodyPruning": true + } + }, + { + "id": "95ca707d-8eb5-40c1-939d-a88463da2f87", + "name": "Add a new product to the store", + "request": { + "name": "Add a new product to the store", + "description": { + "content": "Add a new product to the 
store", + "type": "text/plain" + }, + "url": { + "path": [ + "products" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [] + }, + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "POST", + "auth": null, + "body": { + "mode": "raw", + "raw": "{\n \"name\": \"{{name}}\",\n \"id\": \"{{id}}\",\n \"description\": \"{{description}}\",\n \"price\": \"{{price}}\"\n}", + "options": { + "raw": { + "language": "json" + } + } + } + }, + "response": [ + { + "id": "fbc56437-29ad-45dc-b4ae-6ff951592e53", + "name": "Successful operation", + "originalRequest": { + "url": { + "path": [ + "products" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [] + }, + "header": [ + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "POST", + "body": { + "mode": "raw", + "raw": "{\n \"name\": \"{{name}}\",\n \"id\": \"{{id}}\",\n \"description\": \"{{description}}\",\n \"price\": \"{{price}}\"\n}", + "options": { + "raw": { + "language": "json" + } + } + } + }, + "status": "OK", + "code": 200, + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": "{\n \"name\": \"apple\",\n \"id\": 10,\n \"description\": \"description of the product\",\n \"price\": 20\n}", + "cookie": [], + "_postman_previewlanguage": "json" + }, + { + "id": "b89a943d-26b3-44e1-87f3-5ef1dc2b2044", + "name": "Invalid input", + "originalRequest": { + "url": { + "path": [ + "products" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [] + }, + "method": "POST", + "body": { + "mode": "raw", + "raw": "{\n \"name\": \"{{name}}\",\n \"id\": \"{{id}}\",\n \"description\": \"{{description}}\",\n \"price\": \"{{price}}\"\n}", + "options": { + "raw": { + "language": "json" + } + } + } + }, + "status": "Method Not Allowed", + "code": 405, + "header": [ + { + "key": "Content-Type", + "value": "text/plain" + } + ], + "body": "", + 
"cookie": [], + "_postman_previewlanguage": "text" + } + ], + "event": [ + { + "listen": "test", + "script": { + "exec": [ + " \n// ********RoostGPT********\n/*\nTest generated by RoostGPT for test postman-openapi using AI Type Azure Open AI and AI Model roost-gpt4-32k\n\n\nTest generated for /products for http method type post in postman framework\n================================VULNERABILITIES================================\nVulnerability: Exposure of Internal Processes\nIssue: Detailed internal application process are being logged. A sophisticated intruder who gets access to the logs will be able to decipher application process routes\nSolution: Minimize internal process logs to the barest minimum necessary. Only log sensitive actions in a secured and encrypted logging system.\n\nVulnerability: PII Exposure\nIssue: Products are being created with name which may constitute PII and exposed in the logs\nSolution: Avoid logging PII information. If logging this is unavoidable, anonymize or pseudonymize these information before logging.\n\nVulnerability: Insecure Product ID Creation\nIssue: Product IDs are not sequentially created and have a predictable pattern, which could possibly lead to an enumeration attack\nSolution: Implement unpredictable and non-sequential identifiers for newly created objects.\n\n================================================================================\n\n*/\n\n// ********RoostGPT********\n\nlet responseData;\nconst contentType = pm.response.headers.get('Content-Type');\nif(contentType === \"application/xml\"){\n responseData = xml2Json(responseBody);\n} else{\n responseData = pm.response.json();\n}\nif (pm.variables.get(\"statusCode\")) {\n // Compare the statusCode variable with the response code for assertion\n pm.expect(parseInt(pm.variables.get(\"statusCode\"))).to.be.equal(pm.response.code);\n}\n\n// let responseTime = 800\n// pm.expect(pm.response.responseTime).to.be.below(responseTime);\n\nif (pm.response.code == 200){\n 
pm.test(\"Successful operation\", function () {\n pm.expect(pm.response.status).to.be.eql(\"OK\");\n if(Array.isArray(responseData)) {\n pm.test('Response has the `id` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData[0], `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `id` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData, `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`name`)){\n if(pm.expect(_.get(responseData[0], `name`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`name`)){\n if(pm.expect(_.get(pm.response.json(), `name`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`description`)){\n if(pm.expect(_.get(responseData[0], `description`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`description`)){\n if(pm.expect(_.get(pm.response.json(), `description`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n 
if(Array.isArray(responseData)) {\n pm.test('Response has the `price` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData[0], `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `price` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData, `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n});\n}\n\nif (pm.response.code == 405){\n pm.test(\"Invalid input\", function () {\n pm.expect(pm.response.status).to.be.eql(\"Method Not Allowed\");});\n}\n" + ], + "type": "text/javascript" + } + } + ], + "protocolProfileBehavior": { + "disableBodyPruning": true + } + }, + { + "id": "612c9633-8b17-4c3f-9017-492b47a74148", + "name": "{productId}", + "item": [ + { + "id": "c2cb05fa-d6d5-4944-94c8-e58922e58bf3", + "name": "Find product by ID", + "request": { + "name": "Find product by ID", + "description": { + "content": "Returns a single product", + "type": "text/plain" + }, + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) ID of product to return" + } + ] + }, + "header": [ + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "GET", + "auth": null + }, + "response": [ + { + "id": "63a3772e-df61-48d3-afbc-998bbed8c906", + "name": "successful operation", + "originalRequest": { + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) ID of product to return" + } + ] + }, + "header": [ + 
{ + "key": "Accept", + "value": "application/json" + } + ], + "method": "GET", + "body": {} + }, + "status": "OK", + "code": 200, + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": "{\n \"name\": \"apple\",\n \"id\": 10,\n \"description\": \"description of the product\",\n \"price\": 20\n}", + "cookie": [], + "_postman_previewlanguage": "json" + }, + { + "id": "081ee20a-c81f-484e-aa37-06267acbcc25", + "name": "Product not found", + "originalRequest": { + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) ID of product to return" + } + ] + }, + "method": "GET", + "body": {} + }, + "status": "Not Found", + "code": 404, + "header": [ + { + "key": "Content-Type", + "value": "text/plain" + } + ], + "body": "", + "cookie": [], + "_postman_previewlanguage": "text" + } + ], + "event": [ + { + "listen": "test", + "script": { + "exec": [ + " \n// ********RoostGPT********\n/*\nTest generated by RoostGPT for test postman-openapi using AI Type Azure Open AI and AI Model roost-gpt4-32k\n\n\nTest generated for /products/:productId for http method type get in postman framework\n================================VULNERABILITIES================================\nVulnerability: Potential Information Disclosure\nIssue: Product details including product ID, Name, Description and Price are being logged. These are considered sensitive information and should not be logged in plaintext for the sake of GDPR compliance. Occurs in log lines corresponding to '/api/products/1' and '/api/products/2'\nSolution: Inner workings of the application, and especially any form of PII data, should not be revealed in the logs. 
The application should be modified to avoid logging sensitive information in plaintext.\n\n================================================================================\n\n*/\n\n// ********RoostGPT********\n\nlet responseData;\nconst contentType = pm.response.headers.get('Content-Type');\nif(contentType === \"application/xml\"){\n responseData = xml2Json(responseBody);\n} else{\n responseData = pm.response.json();\n}\nif (pm.variables.get(\"statusCode\")) {\n // Compare the statusCode variable with the response code for assertion\n pm.expect(parseInt(pm.variables.get(\"statusCode\"))).to.be.equal(pm.response.code);\n}\n\n// let responseTime = 800\n// pm.expect(pm.response.responseTime).to.be.below(responseTime);\n\nif (pm.response.code == 200){\n pm.test(\"successful operation\", function () {\n pm.expect(pm.response.status).to.be.eql(\"OK\");\n if(Array.isArray(responseData)) {\n pm.test('Response has the `id` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData[0], `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `id` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData, `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`name`)){\n if(pm.expect(_.get(responseData[0], `name`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`name`)){\n if(pm.expect(_.get(pm.response.json(), `name`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), 
`name`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`description`)){\n if(pm.expect(_.get(responseData[0], `description`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`description`)){\n if(pm.expect(_.get(pm.response.json(), `description`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `price` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData[0], `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `price` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData, `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n});\n}\n\nif (pm.response.code == 404){\n pm.test(\"Product not found\", function () {\n pm.expect(pm.response.status).to.be.eql(\"Not Found\");});\n}\n" + ], + "type": "text/javascript" + } + } + ], + "protocolProfileBehavior": { + "disableBodyPruning": true + } + }, + { + "id": "a23d71f6-2933-438e-b465-66d5d408e868", + "name": "Updates a product in the store with form data", + "request": { + "name": "Updates a product in the store with form data", + "description": { + "content": "", + "type": "text/plain" + }, + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, 
+ "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) ID of product that needs to be updated" + } + ] + }, + "header": [ + { + "key": "Content-Type", + "value": "application/json" + }, + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "PUT", + "auth": null, + "body": { + "mode": "raw", + "raw": "{\n \"name\": \"{{name}}\",\n \"id\": \"{{id}}\",\n \"description\": \"{{description}}\",\n \"price\": \"{{price}}\"\n}", + "options": { + "raw": { + "language": "json" + } + } + } + }, + "response": [ + { + "id": "c5fb595a-0f3f-4026-9100-9b80b2c14e45", + "name": "Updated Product", + "originalRequest": { + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) ID of product that needs to be updated" + } + ] + }, + "header": [ + { + "key": "Accept", + "value": "application/json" + } + ], + "method": "PUT", + "body": { + "mode": "raw", + "raw": "{\n \"name\": \"{{name}}\",\n \"id\": \"{{id}}\",\n \"description\": \"{{description}}\",\n \"price\": \"{{price}}\"\n}", + "options": { + "raw": { + "language": "json" + } + } + } + }, + "status": "OK", + "code": 200, + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": "{\n \"name\": \"apple\",\n \"id\": 10,\n \"description\": \"description of the product\",\n \"price\": 20\n}", + "cookie": [], + "_postman_previewlanguage": "json" + }, + { + "id": "ad3e1e2a-4a5b-4a19-adb6-bef1ff006eb4", + "name": "Not Found", + "originalRequest": { + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) ID of product that needs to be updated" + } + ] + }, + "method": "PUT", + 
"body": { + "mode": "raw", + "raw": "{\n \"name\": \"{{name}}\",\n \"id\": \"{{id}}\",\n \"description\": \"{{description}}\",\n \"price\": \"{{price}}\"\n}", + "options": { + "raw": { + "language": "json" + } + } + } + }, + "status": "Not Found", + "code": 404, + "header": [ + { + "key": "Content-Type", + "value": "text/plain" + } + ], + "body": "", + "cookie": [], + "_postman_previewlanguage": "text" + } + ], + "event": [ + { + "listen": "test", + "script": { + "exec": [ + " \n// ********RoostGPT********\n/*\nTest generated by RoostGPT for test postman-openapi using AI Type Azure Open AI and AI Model roost-gpt4-32k\n\n\nTest generated for /products/:productId for http method type put in postman framework\n================================VULNERABILITIES================================\nVulnerability: None\nIssue: No vulnerability or sensitive information exposure detected in the provided log entries.\nSolution: N/A\n\n================================================================================\n\n*/\n\n// ********RoostGPT********\n\nlet responseData;\nconst contentType = pm.response.headers.get('Content-Type');\nif(contentType === \"application/xml\"){\n responseData = xml2Json(responseBody);\n} else{\n responseData = pm.response.json();\n}\nif (pm.variables.get(\"statusCode\")) {\n // Compare the statusCode variable with the response code for assertion\n pm.expect(parseInt(pm.variables.get(\"statusCode\"))).to.be.equal(pm.response.code);\n}\n\n// let responseTime = 800\n// pm.expect(pm.response.responseTime).to.be.below(responseTime);\n\nif (pm.response.code == 200){\n pm.test(\"Updated Product\", function () {\n pm.expect(pm.response.status).to.be.eql(\"OK\");\n if(Array.isArray(responseData)) {\n pm.test('Response has the `id` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData[0], `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `id`, 200)).to.equal(\"number\");\n }\n }\n\n 
})\n } else {\n pm.test('Response has the `id` field',function(){\n if(pm.expect(responseData).to.have.nested.property(`id`)){\n if(pm.expect(_.get(responseData, `id`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `id`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`name`)){\n if(pm.expect(_.get(responseData[0], `name`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `name` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`name`)){\n if(pm.expect(_.get(pm.response.json(), `name`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `name`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(responseData[0]).to.have.nested.property(`description`)){\n if(pm.expect(_.get(responseData[0], `description`, null)).to.exist){\n pm.expect(typeof _.get(responseData[0], `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `description` field',function(){\n if(pm.expect(pm.response.json()).to.have.nested.property(`description`)){\n if(pm.expect(_.get(pm.response.json(), `description`, null)).to.exist){\n pm.expect(typeof _.get(pm.response.json(), `description`, null)).to.equal(\"string\");\n }\n }\n\n })\n }\n\n if(Array.isArray(responseData)) {\n pm.test('Response has the `price` field',function(){ \n if(pm.expect(responseData[0]).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData[0], `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData[0], `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n } else {\n pm.test('Response has the `price` field',function(){\n 
if(pm.expect(responseData).to.have.nested.property(`price`)){\n if(pm.expect(_.get(responseData, `price`, 200)).to.exist){\n pm.expect(typeof _.get(responseData, `price`, 200)).to.equal(\"number\");\n }\n }\n\n })\n }\n});\n}\n\nif (pm.response.code == 404){\n pm.test(\"Not Found\", function () {\n pm.expect(pm.response.status).to.be.eql(\"Not Found\");});\n}\n" + ], + "type": "text/javascript" + } + } + ], + "protocolProfileBehavior": { + "disableBodyPruning": true + } + }, + { + "id": "b62cb3a2-f070-43ad-a815-08487300d4c7", + "name": "Deletes a product", + "request": { + "name": "Deletes a product", + "description": { + "content": "delete a product", + "type": "text/plain" + }, + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) Product id to delete" + } + ] + }, + "method": "DELETE", + "auth": null + }, + "response": [ + { + "id": "a7c84229-f7bf-4a07-be18-fd7a97ac66b4", + "name": "Product deleted", + "originalRequest": { + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) Product id to delete" + } + ] + }, + "method": "DELETE", + "body": {} + }, + "status": "OK", + "code": 200, + "header": [ + { + "key": "Content-Type", + "value": "text/plain" + } + ], + "body": "", + "cookie": [], + "_postman_previewlanguage": "text" + }, + { + "id": "0bae88d3-ad4e-4f11-95da-c1b6d1d0deee", + "name": "Not Found", + "originalRequest": { + "url": { + "path": [ + "products", + ":productId" + ], + "host": [ + "{{baseUrl}}" + ], + "query": [], + "variable": [ + { + "disabled": false, + "type": "any", + "value": "{{productId}}", + "key": "productId", + "description": "(Required) Product id to delete" + } + ] + 
}, + "method": "DELETE", + "body": {} + }, + "status": "Not Found", + "code": 404, + "header": [ + { + "key": "Content-Type", + "value": "text/plain" + } + ], + "body": "", + "cookie": [], + "_postman_previewlanguage": "text" + } + ], + "event": [ + { + "listen": "test", + "script": { + "exec": [ + " \n// ********RoostGPT********\n/*\nTest generated by RoostGPT for test postman-openapi using AI Type Azure Open AI and AI Model roost-gpt4-32k\n\n\nTest generated for /products/:productId for http method type delete in postman framework\n================================VULNERABILITIES================================\nVulnerability: Insufficient Logging & Monitoring (CWE-778)\nIssue: Log entries do not contain enough information. In particular, user identity or IP information during product deletion requests are not logged, which might make it difficult to track malicious actions.\nSolution: Enhance the logging strategy by including user or originator information in the logs during API requests.\n\nVulnerability: Logging of Potential Failures (CWE-779)\nIssue: Failure to log unsuccessful delete requests can prevent the detection of repeated failed attempts, which might signify a potential security breach.\nSolution: Include unsuccessful API requests and their information in logs. This can help detect unusual patterns and potential security threats.\n\nVulnerability: Insecure Direct Object References (IDOR)\nIssue: The logs indicate operations dealing with direct object references (products/2, products/3 etc.). If these references are not securely verified and handled, this could lead to unauthorized data access or manipulation.\nSolution: Implement access controls such as role checks or ownership verification before processing API requests. 
You can also use indirect object references instead of direct.\n\n================================================================================\n\n*/\n\n// ********RoostGPT********\n\nlet responseData;\nconst contentType = pm.response.headers.get('Content-Type');\nif(contentType === \"application/xml\"){\n responseData = xml2Json(responseBody);\n} else{\n responseData = pm.response.json();\n}\nif (pm.variables.get(\"statusCode\")) {\n // Compare the statusCode variable with the response code for assertion\n pm.expect(parseInt(pm.variables.get(\"statusCode\"))).to.be.equal(pm.response.code);\n}\n\n// let responseTime = 800\n// pm.expect(pm.response.responseTime).to.be.below(responseTime);\n\nif (pm.response.code == 200){\n pm.test(\"Product deleted\", function () {\n pm.expect(pm.response.status).to.be.eql(\"OK\");});\n}\n\nif (pm.response.code == 404){\n pm.test(\"Not Found\", function () {\n pm.expect(pm.response.status).to.be.eql(\"Not Found\");});\n}\n" + ], + "type": "text/javascript" + } + } + ], + "protocolProfileBehavior": { + "disableBodyPruning": true + } + } + ], + "event": [] + } + ], + "event": [] + } + ], + "event": [], + "variable": [ + { + "type": "string", + "value": "http://52.66.106.18:8080/api", + "key": "baseUrl" + }, + { + "type": "integer", + "value": 200, + "key": "statusCode" + } + ], + "info": { + "_postman_id": "aa561fc3-8dd1-4ffa-a981-5d443e5c1bfb", + "name": "Swagger My-Products - OpenAPI 3.0", + "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json", + "description": { + "content": "This page is for my products api spec", + "type": "text/plain" + } + } +} \ No newline at end of file diff --git a/postman_collections/postman-openapi/Add_a_new_product_to_the_store.csv b/postman_collections/postman-openapi/Add_a_new_product_to_the_store.csv new file mode 100644 index 00000000..6d6041e7 --- /dev/null +++ b/postman_collections/postman-openapi/Add_a_new_product_to_the_store.csv 
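Review bot: The `variable` block near the end of the hunk commits a live endpoint as the `baseUrl` value (`http://52.66.106.18:8080/api`): a cleartext HTTP address to a public host, while every request in the collection carries `"auth": null`, so anyone who runs this collection sends create/update/delete calls to that host unauthenticated. Keep the committed value as a placeholder, e.g. `"value": "https://<api-host>/api"`, and supply the real address from a Postman environment file that is not checked in; if the service really does listen on plain HTTP, the collection description should say so rather than leave it implicit. Separately, the `if(pm.expect(...).to.have.nested.property(...))` wrappers in each `exec` script are dead structure: `pm.expect()` returns a chai assertion object that is always truthy and throws on failure, so the nested `if` blocks never skip anything and could be flattened into three plain `pm.expect` lines per field, which also removes the misleading `_.get(..., 'id', 200)` default. The same wrappers appear in the GET, POST, GET-by-id and PUT scripts; I am noting it once here.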
@@ -0,0 +1,4 @@
+name,id,description,price,statusCode,scenario
+apple,10,description of the product,20,200,Successful operation
+Chips,9,Chips,120,405,Invalid input
+new Chips,9,new Chips,120,405,Invalid input
\ No newline at end of file
diff --git a/postman_collections/postman-openapi/Deletes_a_product.csv b/postman_collections/postman-openapi/Deletes_a_product.csv
new file mode 100644
index 00000000..20f63a26
--- /dev/null
+++ b/postman_collections/postman-openapi/Deletes_a_product.csv
@@ -0,0 +1,3 @@
+productId,statusCode,scenario
+2,200,Product deleted
+3,404,Not Found
\ No newline at end of file
diff --git a/postman_collections/postman-openapi/Find_product_by_ID.csv b/postman_collections/postman-openapi/Find_product_by_ID.csv
new file mode 100644
index 00000000..55b1ccdc
--- /dev/null
+++ b/postman_collections/postman-openapi/Find_product_by_ID.csv
@@ -0,0 +1,4 @@
+productId,statusCode,scenario
+1,200,successful operation
+2,200,successful operation
+10,404,Product not found
\ No newline at end of file
diff --git a/postman_collections/postman-openapi/Updates_a_product_in_the_store_with_form_data.csv b/postman_collections/postman-openapi/Updates_a_product_in_the_store_with_form_data.csv
new file mode 100644
index 00000000..3b6457ba
--- /dev/null
+++ b/postman_collections/postman-openapi/Updates_a_product_in_the_store_with_form_data.csv
@@ -0,0 +1,5 @@
+productId,name,id,description,price,statusCode,scenario
+1,Chips,1,Lays,120,200,Updated Product
+1,Chips,1,Lays,120,404,Not Found
+567,randomItem,26,some description,300,200,Updated Product
+465,randomItem,98,some description,150,404,Not Found
\ No newline at end of file
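Review bot: In Updates_a_product_in_the_store_with_form_data.csv the first two data rows are identical in every request column (`productId` 1, same name/id/description/price) yet expect `200,Updated Product` and `404,Not Found` respectively, so one of them must fail on any deterministic server unless the run order interleaves a delete, which this file cannot express. Either drop the `404` row or give it a productId that is known not to exist (the Find_product_by_ID.csv data already uses `10` for that). The Add_a_new_product_to_the_store.csv rows map "Invalid input" to `405`, which the collection also models; if the server really answers Method Not Allowed for a duplicate or malformed product that is worth a comment in the collection description, since a reader would expect `400` and may treat the 405 assertion as a routing bug rather than a validation check.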