From cf7cb00a7c64136b8473e9a8de5bf90b4d0a2447 Mon Sep 17 00:00:00 2001 
From: roost-io Date: Mon, 1 Apr 2024 11:59:24 +0000 Subject: [PATCH] API test (Using API Spec) generated by RoostGPT Using AI Model roostgpt-4-32k --- api_tests/products_get_others.csv | 11 +++ api_tests/products_get_others.yaml | 76 ++++++++++++++++ api_tests/products_get_success.csv | 11 +++ api_tests/products_get_success.yaml | 45 ++++++++++ api_tests/products_post_others.csv | 11 +++ api_tests/products_post_others.yaml | 70 +++++++++++++++ api_tests/products_post_success.csv | 11 +++ api_tests/products_post_success.yaml | 57 ++++++++++++ .../products_productId_delete_others.csv | 11 +++ .../products_productId_delete_others.yaml | 72 ++++++++++++++++ .../products_productId_delete_success.csv | 11 +++ .../products_productId_delete_success.yaml | 37 ++++++++ api_tests/products_productId_get_others.csv | 11 +++ api_tests/products_productId_get_others.yaml | 75 ++++++++++++++++ api_tests/products_productId_get_success.csv | 11 +++ api_tests/products_productId_get_success.yaml | 85 ++++++++++++++++++ api_tests/products_productId_put_others.csv | 11 +++ api_tests/products_productId_put_others.yaml | 86 +++++++++++++++++++ api_tests/products_productId_put_success.csv | 11 +++ api_tests/products_productId_put_success.yaml | 53 ++++++++++++ 20 files changed, 766 insertions(+) create mode 100644 api_tests/products_get_others.csv create mode 100644 api_tests/products_get_others.yaml create mode 100644 api_tests/products_get_success.csv create mode 100644 api_tests/products_get_success.yaml create mode 100644 api_tests/products_post_others.csv create mode 100644 api_tests/products_post_others.yaml create mode 100644 api_tests/products_post_success.csv create mode 100644 api_tests/products_post_success.yaml create mode 100644 api_tests/products_productId_delete_others.csv create mode 100644 api_tests/products_productId_delete_others.yaml create mode 100644 api_tests/products_productId_delete_success.csv create mode 100644 api_tests/products_productId_delete_success.yaml 
create mode 100644 api_tests/products_productId_get_others.csv
create mode 100644 api_tests/products_productId_get_others.yaml
create mode 100644 api_tests/products_productId_get_success.csv
create mode 100644 api_tests/products_productId_get_success.yaml
create mode 100644 api_tests/products_productId_put_others.csv
create mode 100644 api_tests/products_productId_put_others.yaml
create mode 100644 api_tests/products_productId_put_success.csv
create mode 100644 api_tests/products_productId_put_success.yaml
diff --git a/api_tests/products_get_others.csv b/api_tests/products_get_others.csv
new file mode 100644
index 00000000..864ccf4c
--- /dev/null
+++ b/api_tests/products_get_others.csv
@@ -0,0 +1,11 @@
+id,name,description,price
+1,Chips,Uncle Chips,120.0
+2,Cookies,Oreo Cookies,99.99
+3,Soap,Lifebuoy,50.0
+4,Shampoo,Head & Shoulders,180.5
+5,Chocolate,Cadbury Dairy Milk,85.25
+6,Milk,Amul,55.0
+7,Butter,Amul Butter,110.75
+8,Maggi,Maggi Masala,15.0
+9,Bread,Harvest,40.5
+10,Eggs,Fresh Eggs,60.0
diff --git a/api_tests/products_get_others.yaml b/api_tests/products_get_others.yaml
new file mode 100644
index 00000000..3152cc63
--- /dev/null
+++ b/api_tests/products_get_others.yaml
@@ -0,0 +1,76 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: Exposure of sensitive product information +# Issue: The product details including the 'id', 'name', 'description' and 'price' are being logged publicly and can be exposed to unauthorized personnel. Refer to the log line timestamps '22-06-2023 06:16:52.660' and '22-06-2023 06:16:54.972'. +# Solution: Consider redacting or using data anonymization techniques for product information in logs to protect from unauthorized exposure. Use configurable log levels to control the type of information that gets logged in different environments. +# +# Vulnerability: GDPR non-compliance - unnecessary data retention +# Issue: Log entries indicate that all product information is being retained indefinitely including the 'id', 'name', 'description', and 'price', which could potentially violate GDPR principles. +# Solution: Establish and enforce a data retention policy that includes deleting the logs after a specified duration, anonymizing the data, or moving the log data to secure storage. 
+# +# ================================================================================ +# Test generated for /products_get for http method type GET in artillery framework +# RoostTestHash=ed0d766b50 +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + phases: + - duration: 60 + arrivalRate: 20 + payload: + path: "products_get_others.csv" + fields: + - "id" + - "name" + - "description" + - "price" + plugins: + expect: {} + +scenarios: + - name: "Failure cases, edge cases, and error handling" + flow: + - get: + url: "/unexisting" + headers: + Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 404 + - think: 1 + - get: + url: "/products/error" + headers: + Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 500 + - hasHeader: "Content-Type" + - think: 1 + - post: + url: "/products" + json: + id: "#{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + headers: + Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 400 + - hasHeader: "Content-Type" + - hasProperty: "errors[0].message" + - think: 1 + - get: + url: "/products/{id}" + headers: + Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 400 + - hasHeader: "Content-Type" + - hasProperty: "error" + - think: 1 diff --git a/api_tests/products_get_success.csv b/api_tests/products_get_success.csv new file mode 100644 index 00000000..0ca357c6 --- /dev/null +++ b/api_tests/products_get_success.csv @@ -0,0 +1,11 @@ +id,name,description,price +1,Apple,Fresh Apples,100 +2,Chips,Delicious Potato Chips,50 +3,Soda,Refreshing Cola Soda,60 +4,Pizza,Cheesy Pepperoni Pizza,200 +5,Water,Refreshing Mineral Water,30 +6,Milk,Nutritious Cow Milk,70 +7,Orange,Fresh Oranges,80 +8,Cheese,Dairy Farm Cheese,120 +9,Bread,Whole Wheat Bread,40 +10,Oats,Healthy Breakfast Oats,90 
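Review bot: The `payload` block in `config` names the four CSV columns but has no `skipHeader: true`, so the header row `id,name,description,price` is handed to the first virtual user as a product record; add `skipHeader: true` under `payload` as the sibling files do. The last `get` requests `url: "/products/{id}"` with a literal `{id}` instead of the `{{ id }}` template used elsewhere, and the `post` body sends `id: "#{{ id }}"`; if both are deliberate malformed-input probes, a one-line comment saying so would stop the next reader from "fixing" them. The suite also disagrees on the credential format: this file and products_post_success.yaml send `Bearer <token>`, while products_get_success.yaml, products_productId_delete_others.yaml and products_productId_put_others.yaml send the raw token; only one form can be what the API accepts, and a negative test expecting 4xx passes for the wrong reason when the wrong form is used, so settle the format once and put a positive-control request ahead of the error cases.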
diff --git a/api_tests/products_get_success.yaml b/api_tests/products_get_success.yaml new file mode 100644 index 00000000..96e3bafd --- /dev/null +++ b/api_tests/products_get_success.yaml @@ -0,0 +1,45 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: None +# Issue: No issues identified based on the provided logs. +# Solution: Consider keeping debug or error logs to potentially spot hidden issues or vulnerabilities. +# +# ================================================================================ +# Test generated for /products_get for http method type GET in artillery framework +# RoostTestHash=ed0d766b50 +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + plugins: + expect: {} + payload: + path: "products_get_success.csv" + fields: + - "id" + - "name" + - "description" + - "price" + skipHeader: true + http: + headers: + Authorization: "{{$processEnvironment.AUTH_TOKEN}}" + +scenarios: + - name: "GET all products" + flow: + - think: 3 + - get: + url: "/products" + expect: + - statusCode: 200 + - hasProperty: "name" + - hasProperty: "id" + - hasProperty: "description" + - hasProperty: "price" + - think: 3 diff --git a/api_tests/products_post_others.csv b/api_tests/products_post_others.csv new file mode 100644 index 00000000..df2256a6 --- /dev/null +++ b/api_tests/products_post_others.csv @@ -0,0 +1,11 @@ +id,name,description,price +1,Apple,Red apple,50 +2,Banana,Yellow Banana,30 +3,Grapes,Green Grapes,100 +4,Guava,Green Guava,70 +5,null,Mango,90 +6,Watermelon,Watermelon,150 +7,Apricot,Apricot,120 +8,Tomato,Red Tomato,40 +abn,Squash,Orange Squash,180 +10,Cabbage,Green Cabbage, diff --git a/api_tests/products_post_others.yaml b/api_tests/products_post_others.yaml new file mode 100644 index 00000000..6f3a7415 --- /dev/null 
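Review bot: The default `Authorization` header sits under `config.http.headers`, but as far as I know Artillery reads request defaults from `config.defaults.headers` (`config.http` holds timeout/pool settings), so the `get` in `GET all products` would be sent without a token and its `statusCode: 200` would then only hold against an endpoint that does not require authentication; move it to `defaults: headers: Authorization: ...` and confirm the run actually authenticates. The `hasProperty: "name"` / `"id"` / `"description"` / `"price"` checks are written for a single object, yet `/products` is treated as a collection everywhere else in this commit; if it returns an array the paths need an element index — confirm against the response schema. The CSV payload is loaded but none of its fields are used in the flow.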
+++ b/api_tests/products_post_others.yaml 
@@ -0,0 +1,70 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: Exposed product data +# Issue: The logs are showing the detail information about products (like id, name, description, price) on lines: 1 and 3. Although this is not a security flaw in a strict sense, it might give valuable information about the internal workings of the application to a potential attacker. +# Solution: Implement logging policies to minimize exposure of unnecessary system and product details. Remove or anonymize potentially sensitive data. +# +# ================================================================================ +# Test generated for /products_post for http method type POST in artillery framework +# RoostTestHash=2c080099fd +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + plugins: + expect: {} + payload: + path: "products_post_others.csv" + fields: ["id", "name", "description", "price"] + skipHeader: true + environments: + dev: + target: "http://localhost:5000" + +scenarios: + - name: "Add new product with wrong details" + flow: + # Scenario with missing product ID + - post: + url: "/products" + json: + id: "{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + expect: + - statusCode: 400 + - think: 2 + + # Scenario with wrong auth token and valid product details + - post: + url: "/products" + json: + id: 10 + name: "apple" + description: "description of the product" + price: 20 + headers: + Authorization: "Bearer WrongTokenValue" + expect: + - statusCode: 401 + - think: 2 + + # Scenario with valid product details but wrong URL + - post: + url: "/wrong/url/path" + json: + id: 10 + name: "apple" + description: "description of the product" + price: 20 + headers: + Authorization: "Bearer 
{{$processEnvironment.AUTH_TOKEN}}" + expect: + - statusCode: 404 + - think: 2 diff --git a/api_tests/products_post_success.csv b/api_tests/products_post_success.csv new file mode 100644 index 00000000..fdd684da --- /dev/null +++ b/api_tests/products_post_success.csv @@ -0,0 +1,11 @@ +id,name,description,price +1,Apple,Delicious red apple,100 +2,Orange,Sweet and sour orange,80 +3,Banana,Yellow ripe banana,50 +4,Chips,Crispy Potato Chips,120 +5,Bread,Freshly baked bread,200 +6,Milk,Nutritious cow's milk,130 +7,Eggs,Fresh farm eggs,90 +8,Cheese,Delicious cheddar cheese,170 +9,Butter,Creamy salted butter,140 +10,Ham,Smoked and sliced ham,180 diff --git a/api_tests/products_post_success.yaml b/api_tests/products_post_success.yaml new file mode 100644 index 00000000..52367f27 --- /dev/null +++ b/api_tests/products_post_success.yaml 
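Review bot: The first `post` in `Add new product with wrong details` carries no `Authorization` header yet expects `statusCode: 400`; if the API checks credentials before validating the body (which the second step's 401 expectation assumes) this step fails with 401, and if it passes it silently documents that validation runs before authentication, which should be asserted on purpose rather than by accident — add `headers: Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}"` to that step so the 400 is attributable to the bad CSV rows (`5,null,...`, `abn,...`, the empty price). The comment above it reads "Scenario with missing product ID", but the body sends `id: "{{ id }}"` from every row; reword the comment or drop the field.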
@@ -0,0 +1,57 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: Insufficient Log Details +# Issue: The given logs do not provide adequate information about system interactions, database connections, or transaction states. This could limit the ability to detect and diagnose issues or security incidents. Current logs primarily represent success states of 'Product Creation' and do not mention any errors or exceptions. +# Solution: Increase the verbosity of the logs where applicable, especially around database connections, transaction states, and client-system interactions. Ensure that error and exception logs are appropriately captured and stored. +# +# Vulnerability: Lack of Unique Identifier for Requests +# Issue: Non-existence of unique identifiers for the requests in the system prevents adequate tracking of actions performed on the system. +# Solution: Integrate a unique identifier (such as a UUID) for each incoming request. This can be done by attaching these identifiers to the logging context, making it possible to identify actions linked with specific requests across log entries. 
+# +# ================================================================================ +# Test generated for /products_post for http method type POST in artillery framework +# RoostTestHash=2c080099fd +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + environments: + env: + variables: + AUTH_TOKEN: "{{ $processEnvironment.AUTH_TOKEN }}" + plugins: + expect: {} + payload: + path: "products_post_success.csv" + fields: + - "id" + - "name" + - "description" + - "price" + skipHeader: true + +scenarios: + - name: "Product creation sequence" + flow: + # Create product and expect successful response + - post: + url: "/products" + headers: + Content-Type: "application/json" + Authorization: "Bearer {{ AUTH_TOKEN }}" + json: + id: "{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + expect: + - statusCode: 200 + - hasProperty: ["id", "name", "description", "price"] + - contentType: "application/json" + - think: 1 + diff --git a/api_tests/products_productId_delete_others.csv b/api_tests/products_productId_delete_others.csv new file mode 100644 index 00000000..01f18c4f --- /dev/null +++ b/api_tests/products_productId_delete_others.csv @@ -0,0 +1,11 @@ +productId +2 +3 +15 +29 +75 +1000 +2001 +darknight +667.89 +222222222222222 diff --git a/api_tests/products_productId_delete_others.yaml b/api_tests/products_productId_delete_others.yaml new file mode 100644 index 00000000..bcf874af --- /dev/null +++ b/api_tests/products_productId_delete_others.yaml 
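Review bot: `AUTH_TOKEN` is declared under `config.environments.env.variables`, so `Authorization: "Bearer {{ AUTH_TOKEN }}"` in `Product creation sequence` resolves only when the run is started with `-e env`; in any other run the header goes out with an empty or unrendered value and the `statusCode: 200` expectation is evaluated against an unauthenticated request. Either use `{{ $processEnvironment.AUTH_TOKEN }}` directly as the other files do, or move `variables` to `config.variables`. `hasProperty: ["id", "name", "description", "price"]` passes a list to a check that, as far as I know, takes one path string — use one `hasProperty` per field as products_get_success.yaml does. Creation expects 200 here but 201 in products_productId_get_success.yaml; the API returns one of them, so the suite cannot currently pass both files.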
@@ -0,0 +1,72 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: Not Detected +# Issue: No issues or vulnerabilities detected in the provided logs. +# Solution: No action required based on the provided logs. +# +# ================================================================================ +# Test generated for /products/{productId}_delete for http method type DELETE in artillery framework +# RoostTestHash=47d9fe845f +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + plugins: + expect: {} + payload: + path: "products_productId_delete_others.csv" + fields: + - "productId" + skipHeader: true + +scenarios: + - name: "Failure/Edge/Error Case: DELETE /products/{productId}" + flow: + - think: 1 + - delete: + url: "/products/{{ productId }}" + headers: + content-type: "application/json" + Authorization: "{{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 404 + - hasProperty: 'message' + - equals: + message: "Error: Product not found" + - think: 1 + - delete: + url: "/products/" + headers: + content-type: "application/json" + Authorization: "{{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 405 + - hasProperty: 'message' + - equals: + message: "Error: Invalid request. Please provide a valid product ID" + - think: 1 + - delete: + url: "/products/{{ productId }}" + headers: + content-type: "application/json" + expect: + - statusCode: 403 + - hasProperty: 'message' + - equals: + message: "Error: Unauthorized. 
Please provide a valid Authorization token" + - think: 1 + - delete: + url: "/invalidpath/{{ productId }}" + headers: + content-type: "application/json" + Authorization: "{{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 404 + - hasProperty: 'message' + - equals: + message: "Error: Invalid URL path" diff --git a/api_tests/products_productId_delete_success.csv b/api_tests/products_productId_delete_success.csv new file mode 100644 index 00000000..db31df5d --- /dev/null +++ b/api_tests/products_productId_delete_success.csv @@ -0,0 +1,11 @@ +productId +1 +2 +3 +4 +5 +6 +7 +8 +9 +10 diff --git a/api_tests/products_productId_delete_success.yaml b/api_tests/products_productId_delete_success.yaml new file mode 100644 index 00000000..03684dcd --- /dev/null +++ b/api_tests/products_productId_delete_success.yaml @@ -0,0 +1,37 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# Test generated for /products/{productId}_delete for http method type DELETE in artillery framework +# RoostTestHash=47d9fe845f +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + environments: + development: + target: "http://localhost:3000" + plugins: + expect: {} + payload: + path: "products_productId_delete_success.csv" + fields: + - "productId" + +scenarios: + - name: "Delete product API success scenario" + flow: + - comment: Deletes a product with a valid productId + - delete: + url: "/products/{{ productId }}" + headers: + AUTH: "{{$processEnvironment.AUTH_TOKEN}}" + - expect: + - statusCode: 200 + - hasProperty: 'message' + - equals: + - "message" + - "Product deleted" + - think: 1 diff --git a/api_tests/products_productId_get_others.csv b/api_tests/products_productId_get_others.csv new file mode 100644 index 00000000..db31df5d --- /dev/null +++ b/api_tests/products_productId_get_others.csv 
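Review bot: The third `delete` in `Failure/Edge/Error Case: DELETE /products/{productId}` omits `Authorization` and expects `statusCode: 403`, while products_productId_get_others.yaml, products_post_others.yaml and products_productId_put_others.yaml expect 401 for a missing or invalid token; a request with no credential is a 401 case and the API can only return one of the two, so the suite contradicts itself — change it to `- statusCode: 401` unless the API is documented to return 403. The `equals` checks pin exact texts such as `Error: Unauthorized. Please provide a valid Authorization token`, which couples the test to message wording; the status code plus `hasProperty: 'message'` is the contract worth asserting unless the wording is part of the API spec. The second `delete` to `/products/` expects 405 with a JSON `message`, but a router with no handler for that path may well answer 404 — confirm against the spec.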
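Review bot: The `delete` in `Delete product API success scenario` puts the token in a header named `AUTH` instead of `Authorization`, so the request reaches the server without credentials; a `statusCode: 200` that still passes would be evidence that DELETE is unprotected, and a success-path test should not depend on that — change it to `Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}"`. `- expect:` is written as a separate flow step rather than a key of the `delete` action (the same layout appears in products_productId_get_success.yaml and products_productId_put_success.yaml), and `- comment:` is not a flow action I know of, so these expectations are probably never evaluated; nest `expect` under `delete:` as products_post_success.yaml does. `equals: ["message", "Product deleted"]` compares those two literal strings to each other, which can never hold (products_productId_get_others.yaml has the same form); capture the field first and compare the captured value. The payload lacks `skipHeader: true`, so the first virtual user issues `DELETE /products/productId`, and deleting fixed IDs 1–10 makes the scenario non-repeatable without reseeding.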
@@ -0,0 +1,11 @@
+productId
+1
+2
+3
+4
+5
+6
+7
+8
+9
+10
diff --git a/api_tests/products_productId_get_others.yaml b/api_tests/products_productId_get_others.yaml
new file mode 100644
index 00000000..22850e84
--- /dev/null
+++ b/api_tests/products_productId_get_others.yaml
@@ -0,0 +1,75 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: Potential Sensitive Data Exposure (CWE-200) +# Issue: Product information includes potentially sensitive data (line 4). +# Solution: Ensure the API responses do not contain sensitive data. If it is necessary to include such data, encrypt fields that contain sensitive data and ensure secure transmission of data. +# +# ================================================================================ +# Test generated for /products/{productId}_get for http method type GET in artillery framework +# RoostTestHash=52a171b52e +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + plugins: + expect: {} + environments: + dev: + target: "http://dev.api.example.com" + http: + timeout: 10 + payload: + path: "products_productId_get_others.csv" + fields: + - "productId" + skipHeader: true + +scenarios: + - name: "Get product by ID - Error Cases" + flow: + - get: + url: "/products/{{ productId }}" + headers: + Content-Type: "application/json" + authorization: "InvalidToken" + expect: + - statusCode: 401 + - think: 1 + - get: + url: "/products/{{ productId }}" + headers: + Content-Type: "application/json" + expect: + - statusCode: 401 + - think: 1 + - get: + url: "/products/999999" + headers: + Content-Type: "application/json" + authorization: "Bearer {{$processEnvironment.AUTH_TOKEN}}" + expect: + - statusCode: 404 + - think: 1 + - get: + url: "/prodcts/{{ productId }}" + headers: + Content-Type: "application/json" + authorization: "Bearer {{$processEnvironment.AUTH_TOKEN}}" + expect: + - statusCode: 404 + - think: 1 + - get: + url: "/products/abc" + headers: + Content-Type: "application/json" + authorization: "Bearer {{$processEnvironment.AUTH_TOKEN}}" + expect: + - statusCode: 400 + - 
hasProperty: "errors" + - hasProperty: "errors[0].code" + - equals: ["errors[0].code", "invalid_parameter"] diff --git a/api_tests/products_productId_get_success.csv b/api_tests/products_productId_get_success.csv new file mode 100644 index 00000000..5f2f6736 --- /dev/null +++ b/api_tests/products_productId_get_success.csv @@ -0,0 +1,11 @@ +id,name,description,price +1,Apple,Red and delicious,100 +2,Banana,Yellow and sweet,50 +3,Cherry,Small and tasty,200 +4,Dates,Sweet and chewy,150 +5,Eggplant,Purple and healthy,80 +6,Fig,Sweet and crunchy,130 +7,Grape,Small and juicy,90 +8,Honeydew,Mellow and sweet,120 +9,Iceberg lettuce,Crisp and fresh,60 +10,Jalapeno,Hot and spicy,70 diff --git a/api_tests/products_productId_get_success.yaml b/api_tests/products_productId_get_success.yaml new file mode 100644 index 00000000..1df934ca --- /dev/null +++ b/api_tests/products_productId_get_success.yaml 
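Review bot: The `dev` environment target `http://dev.api.example.com` is plaintext HTTP on a non-loopback host, and the flow sends `Bearer {{$processEnvironment.AUTH_TOKEN}}` to it, so the shared token would cross the network unencrypted whenever that environment is selected; make it `https://` (the same applies to `http://dev.example.com` in products_productId_put_others.yaml). `equals: ["errors[0].code", "invalid_parameter"]` on the `/products/abc` request compares the two literals rather than looking the first one up in the body; add `capture: - json: "$.errors[0].code" as: errCode` to that request and assert `- equals: ["{{ errCode }}", "invalid_parameter"]`. `config.http.timeout: 10` is a sensible guard for the error paths; the other files set none and fall back to Artillery's default, so it is worth copying across for consistency.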
@@ -0,0 +1,85 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================================================================ +# Test generated for /products/{productId}_get for http method type GET in artillery framework +# RoostTestHash=52a171b52e +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + plugins: + expect: {} + overrideHeaders: + Authorization: "Bearer {{$processEnvironment.AUTH_TOKEN}}" + payload: + path: "products_productId_get_success.csv" + fields: + - "id" + - "name" + - "description" + - "price" + skipHeader: true + +scenarios: + - name: "Product Endpoints API Test" + flow: + - get: + url: "/products/{{ id }}" + headers: + x-api-key: "{{ $processEnvironment.API_KEY }}" + - expect: + - statusCode: 200 + - headers: + - name: "Content-Type" + value: "application/json" + - hasProperty: "id" + - equals: + id: "{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + - think: 1 + + - post: + url: "/products" + json: + id: "{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + - expect: + - statusCode: 201 + - hasProperty: "id" + - equals: + id: "{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + - think: 1 + + - put: + url: "/products/{{ id }}" + json: + id: "{{ id }}" + name: "{{ changedName }}" + description: "{{ changedDescription }}" + price: "{{ changedPrice }}" + - expect: + - statusCode: 200 + - hasProperty: "id" + - equals: + id: "{{ id }}" + name: "{{ changedName }}" + description: "{{ changedDescription }}" + price: "{{ changedPrice }}" + - think: 1 + + - delete: + url: "/products/{{ id }}" + - expect: + - statusCode: 204 + - think: 1 
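Review bot: The `put` step in `Product Endpoints API Test` sends `{{ changedName }}`, `{{ changedDescription }}` and `{{ changedPrice }}`, but no `config.variables` block or CSV column defines them, so the update body carries empty or unrendered values and the following `equals` compares the response against the same undefined names — define them under `config.variables` or as extra CSV columns. `overrideHeaders` under `plugins.expect` is not an option I recognise for that plugin, so the `Bearer` token would not be sent and only `x-api-key` reaches the server; if the API expects the bearer token, set it per request or under `config.defaults.headers`. The flow also POSTs a product whose `id` it has just fetched and expects 201, which a server with unique IDs should refuse, and its final DELETE expects 204 while products_productId_delete_success.yaml expects 200 for the same endpoint.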
diff --git a/api_tests/products_productId_put_others.csv b/api_tests/products_productId_put_others.csv
new file mode 100644
index 00000000..e656d42b
--- /dev/null
+++ b/api_tests/products_productId_put_others.csv
@@ -0,0 +1,11 @@
+id,wrongName,wrongDescription,wrongPrice
+1,Chips,Lays,120.0
+2,Banana,Chiquita Apple,1000
+3,/,/A weird name with slash,/10
+4,'Apple',A tasty fruit,Your price
+5,007,A name not an id,9.99
+6,Orange, fresh orange,A negative price -5
+7,Empty string,,12
+8,Chips,Lays,Repeated ID
+9,12345678,Very long id,22
+10,Pepsi,Soft drink,price in words
diff --git a/api_tests/products_productId_put_others.yaml b/api_tests/products_productId_put_others.yaml
new file mode 100644
index 00000000..9b6b66e7
--- /dev/null
+++ b/api_tests/products_productId_put_others.yaml
@@ -0,0 +1,86 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# Test generated for /products/{productId}_put for http method type PUT in artillery framework +# RoostTestHash=6762b8ac71 +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + phases: + - duration: 60 + arrivalRate: 10 + plugins: + expect: {} + payload: + path: "products_productId_put_others.csv" + fields: + - "id" + - "wrongName" + - "wrongDescription" + - "wrongPrice" + skipHeader: true + environments: + dev: + target: "http://dev.example.com" + headers: + Authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}" + +scenarios: + - name: "Non-success product API responses" + flow: + - post: + url: "/products/a" + json: + id: "{{ id }}" + name: "{{ wrongName }}" + description: "{{ wrongDescription }}" + price: "{{ wrongPrice }}" + headers: + Content-Type: "application/json" + Authorization: "{{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 404 + think: 1 + - post: + url: "/products/1" + json: + id: "{{ id }}" + name: "" + description: "{{ wrongDescription }}" + price: "{{ wrongPrice }}" + headers: + Content-Type: "application/json" + Authorization: "{{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 400 + think: 1 + - post: + url: "/products/1" + json: + id: "{{ id }}" + name: "{{ wrongName }}" + description: "{{ wrongDescription }}" + price: "{{ wrongPrice }}" + headers: + Content-Type: "application/json" + Authorization: "InvalidToken" + expect: + - statusCode: 401 + think: 1 + - post: + url: "/non_existing_url" + json: + id: "{{ id }}" + name: "{{ wrongName }}" + description: "{{ wrongDescription }}" + price: "{{ wrongPrice }}" + headers: + Content-Type: "application/json" + Authorization: "{{ $processEnvironment.AUTH_TOKEN }}" + expect: + - statusCode: 404 + think: 1 
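Review bot: Every action in `Non-success product API responses` is a `post`, so this file never exercises the PUT endpoint it is generated for; a 404 from `POST /products/a` or a 400 from `POST /products/1` with an empty `name` may just be the router rejecting an unsupported method on that path rather than the ID/body validation the steps describe — change the four actions to `put:`. `think: 1` sits as a key inside each action mapping next to `expect` instead of as a `- think: 1` step, so the pause is probably ignored, and `headers` under `environments.dev` is not a config key I know of, so that `Bearer` header is never applied. With `arrivalRate: 10` over 60 seconds the `Authorization: "InvalidToken"` step produces about 600 failed authentications from one source against the same account; if the API has brute-force throttling or lockout, the later steps — and any other test sharing `AUTH_TOKEN` — can start failing for that reason, so run the invalid-token case once or at a much lower rate.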
diff --git a/api_tests/products_productId_put_success.csv b/api_tests/products_productId_put_success.csv
new file mode 100644
index 00000000..5f84156e
--- /dev/null
+++ b/api_tests/products_productId_put_success.csv
@@ -0,0 +1,11 @@
+id,name,description,price
+1,Chips,Lays,120
+2,Chocolate,Dairy Milk,60
+3,Ice Cream,Vanilla,150
+4,Bread,Wheat,50
+5,Apple,Fresh Apples,80
+6,Eggs,Dozen,40
+7,Butter,Unsalted,90
+8,Sugar,White,30
+9,Milk,Whole,20
+10,Cheese,Cheddar,70
diff --git a/api_tests/products_productId_put_success.yaml b/api_tests/products_productId_put_success.yaml
new file mode 100644
index 00000000..4bbc510b
--- /dev/null
+++ b/api_tests/products_productId_put_success.yaml
@@ -0,0 +1,53 @@ +# ********RoostGPT******** + +# Test generated by RoostGPT for test dm-new-elastic using AI Type Azure Open AI and AI Model roostgpt-4-32k +# +# ================================VULNERABILITIES================================ +# Vulnerability: Sensitive Data Exposure +# Issue: Log entries reveal detailed information about the product update API call. The product's details including its ID and price are logged. This could be a security concern as it gives insight about the system's internal workings. Log entry lines: 1-2 +# Solution: Avoid logging detailed API payload information. In lieu of detailed logs, consider using unique identifiers which can be referred back to the data in a secure manner. +# +# Vulnerability: Insecure Direct Object References (IDOR) +# Issue: The product ID seems to be directly referenced in the API endpoint. Log entry line: 1 +# Solution: Consider replacing direct references with indirect references to prevent potential unauthorized access. +# +# ================================================================================ +# Test generated for /products/{productId}_put for http method type PUT in artillery framework +# RoostTestHash=6762b8ac71 +# +# + +# ********RoostGPT******** +config: + target: "{{ $processEnvironment.API_HOST }}" + phases: + - duration: 60 + arrivalRate: 5 + payload: + path: "products_productId_put_success.csv" + fields: ["id", "name", "description","price"] + skipHeader: true + plugins: + expect: {} + +scenarios: + - name: "Product Update sequence" + flow: + # PUT request on /products/{productId} endpoint to update product data + - put: + url: "/products/{{ id }}" + headers: + authorization: "Bearer {{ $processEnvironment.AUTH_TOKEN }}" + json: + id: "{{ id }}" + name: "{{ name }}" + description: "{{ description }}" + price: "{{ price }}" + - expect: + - statusCode: 200 + - hasProperty: "content.id" + - hasProperty: "content.name" + - hasProperty: "content.description" + - hasProperty: 
"content.price" + # Mimic user think-time + - think: 1