Restler v6.1 - initial commit

Author: marina-p

.gitignore

@@ -1,3 +1,13 @@
+## Ignore Python development temporary files
+
+venv/
+env/
+*.pyc
+mprofile_*
+
+## Ignore VS Code settings
+.vscode/settings.json
+
 ## Ignore Visual Studio temporary files, build results, and
 ## files generated by popular Visual Studio add-ons.
 ##

.vscode/launch.json

@@ -0,0 +1,204 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+        {
+            "name": "Python: Current File",
+            "type": "python",
+            "request": "launch",
+            "program": "${file}"
+        },
+        {
+            "name": "Python: Payload body checker",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}\\restler\\restler.py",
+            "args" :[
+                "--fuzzing_mode",
+                "directed-smoke-test",
+                "--restler_grammar",
+                "c:\\restler\\restlerpayloadbody\\compile\\grammar.py",
+                "--custom_mutations",
+                "c:\\restler\\restlerpayloadbody\\compile\\dict.json",
+                "--settings",
+                "c:\\restler\\restlerpayloadbody\\settings_custom.json",
+                "--enable_checkers",
+                "payloadbody",
+                "--garbage_collection_interval",
+                "30"
+            ]
+        },
+        {
+            "name": "Python: examples checker",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}\\restler\\restler.py",
+            "args" :[
+                "--fuzzing_mode",
+                "directed-smoke-test",
+                "--restler_grammar",
+                "c:\\restler\\restlerexampleschecker\\compile\\grammar.py",
+                "--custom_mutations",
+                "c:\\restler\\restlerexampleschecker\\compile\\dict.json",
+                "--settings",
+                "c:\\restler\\restlerexampleschecker\\settings.json",
+                "--enable_checkers",
+                "examples",
+                "--no_tokens_in_logs",
+                "t",
+                "--garbage_collection_interval",
+                "30"
+            ]
+        },
+        {
+            "name": "Python: unit test",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}\\restler\\restler.py",
+            "args" :[
+                "--fuzzing_mode",
+                "directed-smoke-test",
+                "--restler_grammar",
+                "restler\\unit_tests\\log_baseline_test_files\\test_grammar.py",
+                "--custom_mutations",
+                "restler\\unit_tests\\log_baseline_test_files\\test_dict.json",
+                "--settings",
+                "c:\\restler\\restlertest\\test_settings.json",
+                "--use_test_socket",
+                "--garbage_collection_interval", "30",
+                "--target_ip", "1", "--target_port", "1"
+            ]
+        },
+        {
+            "name": "Python: restler.py -h",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}\\restler\\restler.py",
+            "args" :[
+                "-h"
+            ],
+            "stopOnEntry": true,
+            "console": "externalTerminal",
+            "cwd": "c:\\temp\\restler"
+        },
+        {
+            "name": "Python: restler.py",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}\\restler\\restler.py",
+            "args" :[
+                "--swagger_specification",
+                "c:\\temp\\restler\\demo_server.json",
+                "--inspect_grammar",
+                "sdf"
+            ],
+            "stopOnEntry": true,
+            "console": "externalTerminal",
+            "cwd": "c:\\temp\\restler"
+        },
+        {
+            "name": "Python: Attach",
+            "type": "python",
+            "request": "attach",
+            "localRoot": "${workspaceFolder}",
+            "remoteRoot": "${workspaceFolder}",
+            "port": 3000,
+            "secret": "my_secret",
+            "host": "localhost"
+        },
+        {
+            "name": "Python: Terminal (integrated)",
+            "type": "python",
+            "request": "launch",
+            "program": "${file}",
+            "console": "integratedTerminal"
+        },
+        {
+            "name": "Python: Terminal (external)",
+            "type": "python",
+            "request": "launch",
+            "program": "${file}",
+            "console": "externalTerminal"
+        },
+        {
+            "name": "Python: Django",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/manage.py",
+            "args": [
+                "runserver",
+                "--noreload",
+                "--nothreading"
+            ],
+            "debugOptions": [
+                "RedirectOutput",
+                "Django"
+            ]
+        },
+        {
+            "name": "Python: Flask (0.11.x or later)",
+            "type": "python",
+            "request": "launch",
+            "module": "flask",
+            "env": {
+                "FLASK_APP": "${workspaceFolder}/app.py"
+            },
+            "args": [
+                "run",
+                "--no-debugger",
+                "--no-reload"
+            ]
+        },
+        {
+            "name": "Python: Module",
+            "type": "python",
+            "request": "launch",
+            "module": "module.name"
+        },
+        {
+            "name": "Python: Pyramid",
+            "type": "python",
+            "request": "launch",
+            "args": [
+                "${workspaceFolder}/development.ini"
+            ],
+            "debugOptions": [
+                "RedirectOutput",
+                "Pyramid"
+            ]
+        },
+        {
+            "name": "Python: Watson",
+            "type": "python",
+            "request": "launch",
+            "program": "${workspaceFolder}/console.py",
+            "args": [
+                "dev",
+                "runserver",
+                "--noreload=True"
+            ]
+        },
+        {
+            "name": "Python: All debug Options",
+            "type": "python",
+            "request": "launch",
+            "pythonPath": "${command:python.interpreterPath}",
+            "program": "${file}",
+            "module": "module.name",
+            "env": {
+                "VAR1": "1",
+                "VAR2": "2"
+            },
+            "envFile": "${workspaceFolder}/.env",
+            "args": [
+                "arg1",
+                "arg2"
+            ],
+            "debugOptions": [
+                "RedirectOutput"
+            ]
+        }
+    ]
+}

CODE_OF_CONDUCT.md

@@ -0,0 +1,9 @@
+# Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [[email protected]](mailto:[email protected]) with questions or concerns

LICENSE

@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE

README.md

@@ -0,0 +1,126 @@
+# RESTler
+
+## What is RESTler?
+
+RESTler is the *first stateful REST API fuzzing tool* for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. For a given cloud service with an OpenAPI/Swagger specification, RESTler analyzes its entire specification, and then generates and executes tests that exercise the service through its REST API.
+
+RESTler intelligently infers producer-consumer dependencies among request types from the Swagger specification; and during testing, it checks for specific bugs and dynamically learns from prior service responses how the service behaves. This intelligence allows RESTler to explore deeper service states reachable only through specific request sequences and to find more bugs.
+
+RESTler is described in these peer-reviewed research papers:
+
+1. [RESTler: Stateful REST API Fuzzing](https://patricegodefroid.github.io/public_psfiles/icse2019.pdf) (ICSE'2019)
+2. [Checking Security Properties of Cloud Service REST APIs](https://patricegodefroid.github.io/public_psfiles/icst2020.pdf) (ICST'2020)
+3. [Differential Regression Testing for REST APIs​](https://patricegodefroid.github.io/public_psfiles/issta2020.pdf) (ISSTA'2020)
+4. [Intelligent REST API Data Fuzzing​​](https://patricegodefroid.github.io/public_psfiles/fse2020.pdf) (FSE'2020)
+
+RESTler was created at Microsoft Research and is still under active development.
+
+![RESTler architecture](./docs/user-guide/RESTler-arch.png)
+
+
+## Setting up RESTler
+
+RESTler was designed to run on 64-bit machines.
+
+### **Build instructions**
+
+#### Prerequisites
+
+- Windows: [.NET core SDK 3.1](https://dotnet.microsoft.com/download/dotnet-core?utm_source=getdotnetcorecli&utm_medium=referral) or higher, Powershell 5.1 or higher
+- Linux: [.NET core SDK 3.1](https://dotnet.microsoft.com/download/dotnet-core?utm_source=getdotnetcorecli&utm_medium=referral) or higher, [PowerShell 7 Core](https://docs.microsoft.com/en-us/powershell/scripting/install/installing-powershell-core-on-linux?view=powershell-7)
+
+Create a directory where you'd like to place the RESTler binaries:
+
+```mkdir restler_bin```
+
+Switch to the repo root directory and run the following PowerShell script:
+
+```./build_restler.ps1 -destDir <full path to RESTler bin above>```
+
+### **Binary-drop instructions**
+
+RESTler binary drops are coming soon.
+
+#### Prerequisites
+
+* Windows: [.NET core SDK 3.1](https://dotnet.microsoft.com/download/dotnet-core?utm_source=getdotnetcorecli&utm_medium=referral) or higher, [Python 3.8.2](https://www.python.org/downloads/windows/) or higher.
+* Linux: [.NET core SDK 3.1](https://dotnet.microsoft.com/download/dotnet-core?utm_source=getdotnetcorecli&utm_medium=referral) or higher, Python 3.8.2 or higher.
+
+
+## Using RESTler
+
+RESTler runs in 4 main modes (in order):
+
+1. **Compile:** from a Swagger JSON specification (and optionally examples), generate a RESTler grammar. See [Compiling](./docs/user-guide/Compiling.md).
+2. **Test:** execute quickly all of the endpoints+methods in a compiled RESTler grammar for debugging the test setup and compute what parts of the Swagger spec are covered. This mode is also called a *smoketest*.
+See [Testing](./docs/user-guide/Testing.md). To use custom test engine settings, see [Test Engine Settings](./docs/user-guide/SettingsFile.md).
+3. **Fuzz-lean:** execute once every endpoint+method in a compiled RESTler grammar with a default set of checkers to see if bugs can be found quickly. See [Fuzzing](./docs/user-guide/Fuzzing.md).
+4. **Fuzz:** bug hunting - explore a RESTler fuzzing grammar in smart breadth-first-search mode (deeper search mode) for finding more bugs.
+**Warning:** This type of fuzzing is more aggressive and may create outages in the service under test if the service is poorly implemented (e.g., fuzzing might create resource leaks, perf degradation, backend corruptions, etc.).
+See [Fuzzing](./docs/user-guide/Fuzzing.md).
+
+## Quick Start
+
+For a quick intro with simple examples, see this [Tutorial](./docs/user-guide/TutorialDemoServer.md).
+
+To quickly try RESTler on your API, see [Quick Start](./docs/user-guide/QuickStart.md).
+
+## Bugs found by RESTler
+There are currently two categories of bugs found by RESTler.
+
+- **Error code**: currently, any time a response with status code ```500``` ("Internal Server Error") is received, a bug is reported.
+- **Checkers**: each checker tries to trigger specific bugs by executing targeted additional requests or sequences of requests at certain points during fuzzing, determined by context.  Some checkers try to find additional 500s, while other checkers try to find specific logic bugs such as resource leaks or hierarchy violations.  For a full description of checkers, see [Checkers](./docs/user-guide/Checkers.md).
+
+When a bug is found, RESTler reports bugs triaged in bug buckets, and provides a replay log that can be used to reproduce the bug (see [Replay](./docs/user-guide/Replay.md)).
+
+
+## Best Practices​ (Advanced Topics)
+
+For tips on using RESTler effectively, please see [Best Practices](./docs/user-guide/BestPractices.md) and [Improving Swagger Coverage](./docs/user-guide/ImprovingCoverage.md).
+
+See also these [Frequently Asked Questions](./docs/user-guide/FAQ.md).
+
+
+## Contributing
+
+This project welcomes contributions and suggestions. Most contributions require you to
+agree to a Contributor License Agreement (CLA) declaring that you have the right to,
+and actually do, grant us the rights to use your contribution. For details, visit
+https://cla.microsoft.com.
+
+When you submit a pull request, a CLA-bot will automatically determine whether you need
+to provide a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the
+instructions provided by the bot. You will only need to do this once across all repositories using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+or contact [[email protected]](mailto:[email protected]) with any additional questions or comments.
+
+For more information, see [Contributing.md](./docs/contributor-guide/Contributing.md).
+
+## Trademarks
+
+This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
+
+## Data collection
+
+The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
+
+For more information, see [Telemetry.md](./docs/user-guide/Telemetry.md).
+
+## Reporting Security Issues
+
+Security issues and bugs should be reported privately, via email, to the
+Microsoft Security Response Center (MSRC) at
+[[email protected]](mailto:[email protected]). You should receive a
+response within 24 hours. If for some reason you do not, please follow up via
+email to ensure we received your original message. Further information,
+including the [MSRC PGP](https://technet.microsoft.com/en-us/security/dn606155)
+key, can be found in the [Security TechCenter](https://technet.microsoft.com/en-us/security/default).
+
+For additional details, see [Security.md](Security.md).
+
+
+# Privacy & Cookies
+
+https://go.microsoft.com/fwlink/?LinkId=521839