Merge pull request #1388 from WebFuzzing/ssrf-url-name-test

arcuri82 · web-flow · commit ae2abed9d34a · 2025-11-26T13:22:16.000+01:00
Extracted URL names from ApiGuru as test SSRF input detection
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/security/service/SSRFAnalyser.kt b/core/src/main/kotlin/org/evomaster/core/problem/security/service/SSRFAnalyser.kt
@@ -203,7 +203,7 @@ class SSRFAnalyser {
      * A private method to identify parameter is a potentially holds URL value
      * using a Regex based approach.
      */
-    private fun manualClassifier(name: String, description: String? = null): Boolean {
+    fun manualClassifier(name: String, description: String? = null): Boolean {
         if (potentialUrlParamNames.contains(name.lowercase())) {
             return true
         }
diff --git a/core/src/test/kotlin/org/evomaster/core/problem/security/URLNameTest.kt b/core/src/test/kotlin/org/evomaster/core/problem/security/URLNameTest.kt
@@ -0,0 +1,48 @@
+package org.evomaster.core.problem.security
+
+import org.evomaster.core.problem.security.service.SSRFAnalyser
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Test
+import java.io.File
+
+class URLNameTest {
+
+    private val fileName = "src/test/resources/security/names.csv"
+
+    private fun loadURLNames(): List<Triple<String, String, Boolean>> {
+        val output = mutableListOf<Triple<String, String, Boolean>>()
+        val file = File(fileName)
+        if (!file.exists()) {
+            throw Exception("File does not exist")
+        }
+
+        try {
+            file.bufferedReader().use { reader ->
+                // We ignore the handling of CSV header since it's a custom file
+                reader.readLines().forEach { line ->
+                    val values = line.split(",")
+                    if (values.size != 3) {
+                        throw Exception("Wrong number of values")
+                    }
+                    output.add(Triple(values[0], values[1], values[2].toInt() == 1))
+                }
+            }
+        } catch (e: Exception) {
+            throw Exception("Error reading CSV file: ${e.message}")
+        }
+
+        return output
+    }
+
+
+    @Test
+    fun testURLNames() {
+        val sa = SSRFAnalyser()
+        val urlNames = loadURLNames()
+
+        urlNames.forEach { v->
+            assertEquals(v.third, sa.manualClassifier(v.first, v.second))
+        }
+    }
+
+}
diff --git a/core/src/test/resources/security/names.csv b/core/src/test/resources/security/names.csv

Original file line number	Diff line number	Diff line change
`@@ -203,7 +203,7 @@ class SSRFAnalyser {`
`203`	`203`	`* A private method to identify parameter is a potentially holds URL value`
`204`	`204`	`* using a Regex based approach.`
`205`	`205`	`*/`
`206`		`- private fun manualClassifier(name: String, description: String? = null): Boolean {`
	`206`	`+ fun manualClassifier(name: String, description: String? = null): Boolean {`
`207`	`207`	`if (potentialUrlParamNames.contains(name.lowercase())) {`
`208`	`208`	`return true`
`209`	`209`	`}`