Manual input identification for SSRF

core/src/main/kotlin/org/evomaster/core/Main.kt

@@ -261,7 +261,7 @@ class Main {
 
             resetExternalServiceHandler(injector)
 
-            resetHTTPCallbackVerifier(injector)
+            stopHTTPCallbackVerifier(injector)
 
             val statistics = injector.getInstance(Statistics::class.java)
             val data = statistics.getData(solution)
@@ -1019,9 +1019,9 @@ class Main {
             externalServiceHandler.reset()
         }
 
-        private fun resetHTTPCallbackVerifier(injector: Injector) {
+        private fun stopHTTPCallbackVerifier(injector: Injector) {
             val httpCallbackVerifier = injector.getInstance(HttpCallbackVerifier::class.java)
-            httpCallbackVerifier.reset()
+            httpCallbackVerifier.stop()
         }
     }
 }

core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt

@@ -733,10 +733,12 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
         }
 
         // FIXME: Code never reach this when we recompute the fitness under SSRFAnalyser
-        //  So the faults never get marked.
-        //  ResourceRestFitness get invoked during the recompute
+        //  When the execution reach this during recomputing fitness, [HttpCallbackVerifier]
+        //  WireMock seems to be [null].
+        //  Due to that the method will never return true if any calls made.
         if (config.security && config.ssrf) {
             if (ssrfAnalyser.anyCallsMadeToHTTPVerifier(a)) {
+                // Code reach this point during the search, which is unnecessary during search
                 rcr.setVulnerableForSSRF(true)
             }
         }
@@ -1205,8 +1207,8 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
                         idMapper.getFaultDescriptiveId(DefinedFaultCategory.SSRF, it.getName())
                     )
                     fv.updateTarget(scenarioId, 1.0, it.positionAmongMainActions())
-                    val paramName = ssrfAnalyser.getVulnerableParameterName(it)
 
+                    val paramName = ssrfAnalyser.getVulnerableParameterName(it)
                     ar.addFault(DetectedFault(DefinedFaultCategory.SSRF, it.getName(), paramName))
                 }
             }

core/src/main/kotlin/org/evomaster/core/problem/security/service/HttpCallbackVerifier.kt

@@ -42,18 +42,24 @@ class HttpCallbackVerifier {
 
     @PreDestroy
     fun destroy() {
-        resetHTTPVerifier()
+        stop()
     }
 
-    fun initWireMockServer() {
+    fun prepare() {
+        if (isActive) {
+            return
+        }
+
         try {
             val config = WireMockConfiguration()
                 .extensions(ResponseTemplateTransformer(false))
                 .port(config.httpCallbackVerifierPort)
 
-            wireMockServer = WireMockServer(config)
-            wireMockServer!!.start()
-            wireMockServer!!.stubFor(getDefaultStub())
+            val wm = WireMockServer(config)
+            wm.start()
+            wm.stubFor(getDefaultStub())
+
+            wireMockServer = wm
         } catch (e: Exception) {
             throw RuntimeException(
                 e.message +
@@ -63,10 +69,9 @@ class HttpCallbackVerifier {
     }
 
     fun isCallbackURL(value: String): Boolean {
-        // Regex pattern looks for URL contains [HTTP_CALLBACK_VERIFIER] address and [HTTPCallbackVerifier]
-        // port, along with the path /sink/ and UUID as token generated to make the callback URL unique.
+        // Regex pattern looks for URL contains the pattern generated by the [HTTPCallbackVerifier].
         val pattern =
-            """^http:\/\/localhost:${config.httpCallbackVerifierPort}\/sink\/.{36}""".toRegex()
+            """^http:\/\/localhost:${config.httpCallbackVerifierPort}\/EM_SSRF_\d+$""".toRegex()
 
         return pattern.matches(value)
     }
@@ -75,7 +80,9 @@ class HttpCallbackVerifier {
      * Method generates a unique callback link to be used as payload for SSRF.
      */
     fun generateCallbackLink(name: String): String {
-        val ssrfPath = "/sink/${counter++}"
+        // FIXME: sink/EM_0 <- slash get replaced with a comma at some point, which fails
+        //  the verification based on the metadata
+        val ssrfPath = "/EM_SSRF_${counter++}"
 
         wireMockServer!!.stubFor(
             WireMock.any(WireMock.urlEqualTo(ssrfPath))
@@ -86,7 +93,6 @@ class HttpCallbackVerifier {
                         .withStatus(200)
                         .withBody("OK")
                 )
-
         )
 
         val link = "http://localhost:${wireMockServer!!.port()}$ssrfPath"
@@ -98,12 +104,12 @@ class HttpCallbackVerifier {
 
     /**
      * @param name represents the Action name
-     *
      * During stub creation, stubs are tagged with Action name in the metadata.
      */
     fun verify(name: String): Boolean {
         if (isActive) {
-            wireMockServer!!.allServeEvents
+            wireMockServer!!
+                .allServeEvents
                 .filter { event -> event.wasMatched }
                 .forEach { e ->
                     val matched = e.stubMapping.metadata
@@ -116,14 +122,14 @@ class HttpCallbackVerifier {
         return false
     }
 
-    fun resetHTTPVerifier() {
+    fun reset() {
         wireMockServer?.resetAll()
         wireMockServer?.stubFor(getDefaultStub())
         actionCallbackLinkMapping.clear()
         counter = 0
     }
 
-    fun reset() {
+    fun stop() {
         counter = 0
         wireMockServer?.stop()
         wireMockServer = null