API Fuzzing Fails with Arithmetic Overflow Exception when service contains Number parameter

Summary

I have API Fuzzing integrated into 2 of our REST service projects, using OpenAPI. In both cases, the scans are failing with a "Testing failed: Arithmetic operation resulted in an overflow" exception, which kills the job before it tests all endpoints. This appears to be caused by GET endpoints that accept number value types. When these endpoints are removed from the service, the fuzz job runs successfully. I tried playing with the format of the number type, changing it to double, float, or leaving it blank, but the job failed with all combinations.

Steps to reproduce

Create a REST service using Swagger to implement the OpenAPI spec. Add a REST endpoint that takes a number in a parameter, similar to below:

    "/eas-uom/rest/v1/uom/convert/name": {
      "get": {
        "tags": [
          "uom-endpoints"
        ],
        "summary": "Convert the value from UOM From Name to UOM To Name",
        "operationId": "convertUOMNameUsingGET",
        "produces": [
          "text/plain"
        ],
        "parameters": [
          {
            "name": "fromName",
            "in": "query",
            "description": "UOM From Name",
            "required": true,
            "type": "string"
          },
          {
            "name": "toName",
            "in": "query",
            "description": "UOM To Name",
            "required": true,
            "type": "string"
          },
          {
            "name": "value",
            "in": "query",
            "description": "Value to Convert",
            "required": true,
            "type": "number",
            "format": "double"
          }
        ],
        "responses": {
          "200": {
            "description": "Successful conversion",
            "schema": {
              "type": "string"
            }
          },
          "404": {
            "description": "UOM Definition or Conversion not found"
          },
          "500": {
            "description": "Server error"
          }
        }
      }
    }

In .gitlab-ci.yml:

apifuzzer_fuzz:
  variables:
    FUZZAPI_PROFILE: Quick-10
    FUZZAPI_OPENAPI: https://ingress.testcluster.bsil/eas-uom/v2/api-docs
    FUZZAPI_TARGET_URL: https://ingress.testcluster.bsil/
    FUZZAPI_VERBOSE: "1"

What is the current bug behavior?

The API Fuzz job fails with this error and terminates early without scanning all endpoints:

2021-03-29 14:21:42,089 [DEBUG] >>session_error_reason
2021-03-29 14:21:42,091 [ERROR] API Security: Testing failed: Arithmetic operation resulted in an overflow.
2021-03-29 14:21:42,091 [INFO ] API Security: eexit(1)
2021-03-29 14:21:42,091 [INFO ] API Security: Ending session

What is the expected correct behavior?

Job runs to completion.

Relevant logs and/or screenshots

2021-03-29 14:19:40,205 [INFO ] worker-entry: Gitlab API Security Worker Entry
2021-03-29 14:19:40,205 [INFO ] worker-entry: --------------------------------
2021-03-29 14:19:40,205 [INFO ] worker-entry: 
2021-03-29 14:19:40,205 [INFO ] worker-entry: version: 1.6.114
2021-03-29 14:19:40,205 [INFO ] worker-entry: api: http://apifuzzer:80
2021-03-29 14:19:40,205 [INFO ] worker-entry: config: .gitlab-api-fuzzing.yml
2021-03-29 14:19:40,205 [INFO ] worker-entry: openapi: https://ingress.testcluster.bsil/eas-uom/v2/api-docs
2021-03-29 14:19:40,205 [INFO ] worker-entry: profile: Quick-10
2021-03-29 14:19:40,210 [INFO ] worker-entry: project: eas/eas-uom
2021-03-29 14:19:40,210 [INFO ] worker-entry: security report: gl-api-fuzzing-report.json
2021-03-29 14:19:40,211 [INFO ] worker-entry: security report asset path: assets
2021-03-29 14:19:40,211 [INFO ] worker-entry: ci_project_url: https://gitlab.gamma.of.bsil/eas/eas-uom
2021-03-29 14:19:40,211 [INFO ] worker-entry: ci_job_id: 12249
2021-03-29 14:19:40,211 [INFO ] worker-entry: service_start_timeout: 300
2021-03-29 14:19:40,211 [INFO ] worker-entry: target_url: https://ingress.testcluster.bsil/
2021-03-29 14:19:40,211 [INFO ] worker-entry: timeout: 30
2021-03-29 14:19:40,211 [INFO ] worker-entry: verbose: 1
2021-03-29 14:19:40,211 [INFO ] worker-entry: 
2021-03-29 14:19:40,211 [INFO ] worker-entry: Waiting for API Security (http://apifuzzer:80) to become available...
2021-03-29 14:19:40,248 [DEBUG] worker-entry: wait_for_url('http://apifuzzer:80'), waiting
2021-03-29 14:19:42,172 [DEBUG] worker-entry: wait_for_url._check_status_code, response: <Response [200]>
2021-03-29 14:19:42,172 [DEBUG] worker-entry: wait_for_url._check_status_code, response.status_code: '200'
2021-03-29 14:19:42,172 [DEBUG] worker-entry: wait_for_url('http://apifuzzer:80'), success
2021-03-29 14:19:42,172 [INFO ] worker-entry: Waiting for scan target (https://ingress.testcluster.bsil/) to become available...
2021-03-29 14:19:42,173 [DEBUG] worker-entry: wait_for_url('https://ingress.testcluster.bsil/'), waiting
/usr/lib/python3.8/site-packages/urllib3/connectionpool.py:979: InsecureRequestWarning: Unverified HTTPS request is being made to host 'ingress.testcluster.bsil'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
  warnings.warn(
2021-03-29 14:19:42,211 [DEBUG] worker-entry: wait_for_url._check_status_code, response: <Response [404]>
2021-03-29 14:19:42,211 [DEBUG] worker-entry: wait_for_url._check_status_code, response.status_code: '404'
2021-03-29 14:19:42,212 [DEBUG] worker-entry: wait_for_url('https://ingress.testcluster.bsil/'), success
2021-03-29 14:19:42,214 [DEBUG] worker-entry: CI Cmd: gl-apifuzzing-ci --api http://apifuzzer:80 --config .gitlab-api-fuzzing.yml --project eas/eas-uom --profile Quick-10 --report gl-api-fuzzing-report.json --ci_project_url https://gitlab.gamma.of.bsil/eas/eas-uom --ci_job_id 12249 --asset_path assets --verbose --exit_code_failure 0 --exit_code_error 1 --automation_cmd gl-apifuzzing-runner  -v  -u "https://ingress.testcluster.bsil/"  swagger  "https://ingress.testcluster.bsil/eas-uom/v2/api-docs"
2021-03-29 14:19:42,506 [INFO ] API Security: GitLab API Security Integration
2021-03-29 14:19:42,506 [INFO ] API Security:  
2021-03-29 14:19:42,507 [INFO ] API Security:   project: eas/eas-uom
2021-03-29 14:19:42,508 [INFO ] API Security:   profile: Quick-10
2021-03-29 14:19:42,508 [INFO ] API Security:   api: http://apifuzzer:80
2021-03-29 14:19:42,508 [INFO ] API Security:   automation_cmd: gl-apifuzzing-runner  -v  -u "https://ingress.testcluster.bsil/"  swagger  "https://ingress.testcluster.bsil/eas-uom/v2/api-docs"
2021-03-29 14:19:42,508 [INFO ] API Security:   exit_code_ok: 0
2021-03-29 14:19:42,508 [INFO ] API Security:   exit_code_failure: 0
2021-03-29 14:19:42,508 [INFO ] API Security:   exit_code_error: 1
2021-03-29 14:19:42,508 [INFO ] API Security:   report: gl-api-fuzzing-report.json
2021-03-29 14:19:42,508 [INFO ] API Security:   syslog_enabled: False
2021-03-29 14:19:42,508 [INFO ] API Security:   noverify: False
2021-03-29 14:19:42,508 [INFO ] API Security:   using config file: .gitlab-api-fuzzing.yml
2021-03-29 14:19:42,508 [INFO ] API Security: Starting session (1/120)
2021-03-29 14:19:42,508 [DEBUG] >>session_setup
2021-03-29 14:20:00,808 [INFO ] API Security Version: 1.6.114
2021-03-29 14:20:00,808 [INFO ] Session ID: 684882d6-0a9e-4331-a63e-a7f000c3a9f4
2021-03-29 14:20:00,808 [INFO ] Proxy URL: http://apifuzzer:8000/
2021-03-29 14:20:00,808 [INFO ] Script Environment has 0 items:
2021-03-29 14:20:00,808 [DEBUG] >>verify_proxy_access
2021-03-29 14:20:00,883 [INFO ] API Security: Launching test automation
2021-03-29 14:20:01,895 [INFO ] API Security: Waiting for testing to complete
2021-03-29 14:20:11,906 [DEBUG] >>session_state
2021-03-29 14:21:22,056 [DEBUG] >>session_state
2021-03-29 14:21:32,071 [DEBUG] >>session_state
2021-03-29 14:21:42,085 [DEBUG] >>session_state
2021-03-29 14:21:42,089 [DEBUG] >>session_error_reason
2021-03-29 14:21:42,091 [ERROR] API Security: Testing failed: Arithmetic operation resulted in an overflow.
2021-03-29 14:21:42,091 [INFO ] API Security: eexit(1)
2021-03-29 14:21:42,091 [INFO ] API Security: Ending session
2021-03-29 14:21:42,091 [DEBUG] >>session_teardown
2021-03-29 14:21:42,155 [INFO ] API Security: Generating security report as 'gl-api-fuzzing-report.json'.

Output of checks

GitLab environment info

On-prem gitlab installation:

Gitlab runner version: 13.9.0 (2ebc4dc4)

GitLab Enterprise Edition 13.8.4-ee

Possible fixes
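Triage aid, added here as an example and not part of the report or of GitLab's API Fuzzing tooling: the report isolates the failure by removing the endpoints that take a number parameter from the service itself. The script below does the same isolation on the OpenAPI (Swagger 2.0) document instead, listing every operation that declares a parameter of type "number" (on the operation or shared on the path item) and writing a copy of the spec with those operations removed, so a reduced spec can be fed to the fuzzer without touching the service. The embedded SAMPLE_SPEC is constructed for the demonstration; it contains the convert endpoint from the report plus one string-only endpoint.

```python
"""Find Swagger 2.0 operations that take a 'number' parameter and build a
copy of the spec without them. Added example for triaging the overflow
failure described above; not GitLab's code. SAMPLE_SPEC is constructed."""
import copy
import json
import sys

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def _number_param_names(parameters):
    """Names of parameters declared with type 'number' (any format, or none)."""
    return [p["name"] for p in parameters if p.get("type") == "number"]


def find_number_operations(spec):
    """Return [(METHOD, path, [param names])] for every operation that has a
    'number' parameter, declared either on the operation or shared on the
    path item (Swagger 2.0 allows both)."""
    hits = []
    for path, item in spec.get("paths", {}).items():
        shared = _number_param_names(item.get("parameters", []))
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            names = shared + _number_param_names(op.get("parameters", []))
            if names:
                hits.append((method.upper(), path, names))
    return hits


def strip_number_operations(spec):
    """Deep-copy the spec without the operations found above; a path item
    left with no operations is dropped entirely. The input is not modified."""
    reduced = copy.deepcopy(spec)
    for method, path, _ in find_number_operations(spec):
        item = reduced["paths"][path]
        item.pop(method.lower(), None)
        if not any(m in item for m in HTTP_METHODS):
            del reduced["paths"][path]
    return reduced


# Constructed sample: the convert endpoint from the report plus an endpoint
# with string parameters only.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "info": {"title": "sample", "version": "1"},
    "paths": {
        "/eas-uom/rest/v1/uom/convert/name": {
            "get": {
                "operationId": "convertUOMNameUsingGET",
                "parameters": [
                    {"name": "fromName", "in": "query", "required": True, "type": "string"},
                    {"name": "toName", "in": "query", "required": True, "type": "string"},
                    {"name": "value", "in": "query", "required": True,
                     "type": "number", "format": "double"},
                ],
                "responses": {"200": {"description": "Successful conversion"}},
            }
        },
        "/eas-uom/rest/v1/uom/list": {
            "get": {
                "operationId": "listUOMUsingGET",
                "parameters": [{"name": "filter", "in": "query", "type": "string"}],
                "responses": {"200": {"description": "ok"}},
            }
        },
    },
}


if __name__ == "__main__":
    # Usage: python triage_spec.py [swagger.json]   (defaults to SAMPLE_SPEC)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            spec = json.load(fh)
    else:
        spec = SAMPLE_SPEC
    for method, path, names in find_number_operations(spec):
        print(f"{method} {path}  number params: {', '.join(names)}")
    with open("reduced-spec.json", "w") as out:
        json.dump(strip_number_operations(spec), out, indent=2)
    print("reduced spec written to reduced-spec.json", file=sys.stderr)
```

Run it against the spec the job downloads from the api-docs URL; if the fuzzer completes against reduced-spec.json but fails against the original, the number parameters are confirmed as the trigger, and the printed list is the set of operations to mention in the report.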