starting with lightweight HTTP status code oracles

arcuri82 · arcuri82 · commit 138e6b9e08a9 · 2026-04-24T14:07:38.000+02:00
diff --git a/core/src/main/kotlin/org/evomaster/core/EMConfig.kt b/core/src/main/kotlin/org/evomaster/core/EMConfig.kt
@@ -2957,6 +2957,10 @@ class EMConfig {
     @Cfg("Extra checks on HTTP properties in returned responses, used as automated oracles to detect faults.")
     var httpOracles = false
 
+    @Experimental
+    @Cfg("Lightweight checks on HTTP status codes, e.g., a GET should not return a 201 Created.")
+    var statusOracles = false
+
     @Cfg("Validate responses against their schema, to check for inconsistencies. Those are treated as faults.")
     var schemaOracles = true
 
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/enterprise/ExperimentalFaultCategory.kt b/core/src/main/kotlin/org/evomaster/core/problem/enterprise/ExperimentalFaultCategory.kt
@@ -41,6 +41,18 @@ enum class ExperimentalFaultCategory(
         "TODO"),
 
 
+    HTTP_STATUS_NO_NON_STANDARD_CODES(950, "no-non-standard-codes", "invalidStatusCode", "TODO"),
+    HTTP_STATUS_NO_201_IF_DELETE(951, "no-201-if-delete", "201OnDelete",  "TODO"),
+    HTTP_STATUS_NO_201_IF_GET(952, "no-201-if-get", "201OnGet",  "TODO"),
+    HTTP_STATUS_NO_201_IF_PATCH(953, "no-201-if-patch", "201OnPatch",  "TODO"),
+    HTTP_STATUS_NO_204_IF_CONTENT(954, "no-204-if-content", "204WhenContent",  "TODO"),
+    HTTP_STATUS_NO_413_IF_NO_PAYLOAD(955, "no-413-if-no-payload", "413WhenNoPayload",  "TODO"),
+    HTTP_STATUS_NO_415_IF_NO_PAYLOAD(956, "no-415-if-no-payload", "415WhenNoPayload",  "TODO"),
+    HTTP_STATUS_NO_401_IF_NO_AUTH(957, "no-401-if-no-auth", "401WhenNoAuth",  "TODO"),
+    HTTP_STATUS_NO_403_IF_NO_401(958, "no-403-if-no-401", "403WhenNo401",  "TODO"),
+    HTTP_STATUS_HAS_406_IF_ACCEPT(959, "has-406-if-accept", "406WhenValid",  "TODO"),
+
+
     //3xx: GraphQL
     GQL_ERROR_FIELD(920, "Error Field", "returnedErrors",
         "TODO"),
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/HttpStatusOracle.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/oracle/HttpStatusOracle.kt
@@ -0,0 +1,92 @@
+package org.evomaster.core.problem.rest.oracle
+
+import com.webfuzzing.commons.faults.FaultCategory
+import org.evomaster.core.problem.enterprise.ExperimentalFaultCategory
+import org.evomaster.core.problem.rest.data.HttpVerb
+import org.evomaster.core.problem.rest.data.RestCallAction
+import org.evomaster.core.problem.rest.data.RestCallResult
+import org.evomaster.core.problem.rest.param.BodyParam
+
+/**
+ * Series of oracles that can be evaluated directly on the HTTP responses based on the actual retrieved status code.
+ * Some checks might depend on the API schema and/or the input request.
+ * These checks are based on work done in:
+ *
+ * https://github.com/alixdecr/scoas
+ * https://github.com/alixdecr/scoas/blob/main/evaluation/status-code-rules.md
+ *
+ *
+ * Not all oracles can be translated to a dynamic version. Here, we just support the following:
+ * no-non-standard-codes
+ * no-201-if-delete
+ * no-201-if-get
+ * no-201-if-patch
+ * no-204-if-content
+ * no-413-if-no-payload
+ * no-415-if-no-payload
+ * no-401-if-no-auth (schema)
+ * no-403-if-no-401 (schema)
+ * has-406-if-accept (schema)
+ *
+ *
+ * IMPORTANT: in contrast to what done in [HttpSemanticsOracle], here there is no need to construct any test case
+ * on purpose with specific properties.
+ * These checks are supposed to be lightweight, and so could be checked on each fitness evaluation.
+ */
+object HttpStatusOracle {
+
+
+    fun checkOracles(call: RestCallAction, result: RestCallResult) : List<FaultCategory>{
+
+        val faults = mutableListOf<FaultCategory>()
+
+        val status = result.getStatusCode()
+            ?: return faults // all oracles depend on checking the status code
+
+        if(status !in 100..599){
+            faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_NON_STANDARD_CODES)
+        }
+
+        val verb = call.verb
+
+        if(status == 201){
+            when(verb){
+                HttpVerb.GET -> faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_201_IF_GET)
+                HttpVerb.DELETE -> faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_201_IF_DELETE)
+                HttpVerb.PATCH -> faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_201_IF_PATCH)
+                else -> {}
+            }
+        }
+
+        if(status == 204 && verb == HttpVerb.GET){
+            faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_204_IF_CONTENT)
+        }
+
+        val bodyParam = call.parameters.filterIsInstance<BodyParam>()
+            .firstOrNull()
+
+        val hasBody = bodyParam != null && bodyParam.primaryGene().getValueAsRawString().isNotEmpty()
+
+        if(status == 413 && !hasBody){
+            faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_413_IF_NO_PAYLOAD)
+        }
+
+        if(status == 415 && !hasBody){
+            faults.add(ExperimentalFaultCategory.HTTP_STATUS_NO_415_IF_NO_PAYLOAD)
+        }
+
+        if(status == 406 && !call.isForRobustnessTesting()){
+            faults.add(ExperimentalFaultCategory.HTTP_STATUS_HAS_406_IF_ACCEPT)
+        }
+
+        if(status == 401){
+            //TODO
+        }
+
+        if(status == 403){
+            //TODO
+        }
+
+        return faults
+    }
+}
diff --git a/core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt b/core/src/main/kotlin/org/evomaster/core/problem/rest/service/fitness/AbstractRestFitness.kt
@@ -25,6 +25,7 @@ import org.evomaster.core.problem.rest.data.RestCallResult
 import org.evomaster.core.problem.rest.data.RestIndividual
 import org.evomaster.core.problem.rest.link.RestLinkValueUpdater
 import org.evomaster.core.problem.rest.oracle.HttpSemanticsOracle
+import org.evomaster.core.problem.rest.oracle.HttpStatusOracle
 import org.evomaster.core.problem.rest.oracle.RestSchemaOracle
 import org.evomaster.core.problem.rest.oracle.RestSecurityOracle
 import org.evomaster.core.problem.rest.param.BodyParam
@@ -386,13 +387,31 @@ abstract class AbstractRestFitness : HttpWsFitness<RestIndividual>() {
                 fv.updateTarget(statusId, 1.0, it)
 
                 handleAdvancedBlackBoxCriteria(fv, actions[it], result)
+                handleHttpStatusOracles(fv, actions[it], result, it)
 
                 val location5xx: String? = getlocation5xx(status, additionalInfoList, it, result, name)
                 handleAdditionalStatusTargetDescription(result, fv, status, name, it, location5xx)
                 handleAuthTargets(status, actions, it, name, fv)
             }
     }
 
+    private fun handleHttpStatusOracles(fv: FitnessValue, call: RestCallAction, result: RestCallResult, index: Int) {
+        if(!config.statusOracles){
+            return
+        }
+
+        val name = call.getName()
+
+        //TODO schema input
+        HttpStatusOracle.checkOracles(call, result)
+            .filter { config.isEnabledFaultCategory(it) }
+            .forEach {
+                val scenarioId = idMapper.handleLocalTarget(idMapper.getFaultDescriptiveId(it, name))
+                fv.updateTarget(scenarioId, 1.0, index)
+                result.addFault(DetectedFault(it, name, null))
+            }
+    }
+
     private fun handleAuthTargets(
         status: Int,
         actions: List<RestCallAction>,
diff --git a/core/src/main/kotlin/org/evomaster/core/search/action/Action.kt b/core/src/main/kotlin/org/evomaster/core/search/action/Action.kt
@@ -41,6 +41,15 @@ abstract class Action(children: List<StructuralElement>) : ActionComponent(
      */
     abstract fun seeTopGenes(): List<Gene>
 
+    /**
+     * Check if this action has invalid data on purpose, done or Robustness Testing
+     */
+    open fun isForRobustnessTesting() : Boolean{
+        //TODO currently this is just a place-holder, needed for code that we already know will
+        //depend on this check
+        return false
+    }
+
     fun seeAllGenes(): List<Gene> = seeTopGenes().flatMap {g ->  g.flatView() }
 
     final override fun copy(): Action {
diff --git a/docs/options.md b/docs/options.md
@@ -328,6 +328,7 @@ There are 3 types of options:
 |`sqliBaselineMaxResponseTimeMs`| __Int__. Maximum allowed baseline response time (in milliseconds) before the malicious payload is applied. *Depends on*: `sqli=true`. *Default value*: `2000`.|
 |`sqliInjectedSleepDurationMs`| __Int__. Injected sleep duration (in seconds) used inside the malicious payload to detect time-based vulnerabilities. *Depends on*: `sqli=true`. *Default value*: `5000`.|
 |`ssrf`| __Boolean__. To apply SSRF detection as part of security testing. *Depends on*: `security=true`. *Default value*: `false`.|
+|`statusOracles`| __Boolean__. Lightweight checks on HTTP status codes, e.g., a GET should not return a 201 Created. *Default value*: `false`.|
 |`structureMutationProFS`| __Double__. Specify a probability of applying structure mutator during the focused search. *Constraints*: `probability 0.0-1.0`. *Default value*: `0.0`.|
 |`structureMutationProbStrategy`| __Enum__. Specify a strategy to handle a probability of applying structure mutator during the focused search. *Valid values*: `SPECIFIED, SPECIFIED_FS, DPC_TO_SPECIFIED_BEFORE_FS, DPC_TO_SPECIFIED_AFTER_FS, ADAPTIVE_WITH_IMPACT`. *Default value*: `SPECIFIED`.|
 |`sutDistEnvVarName`| __String__. Specify name of the environment variable that provides the the base distribution directory of the SUT, e.g., 'dist' directory of WFD. *Default value*: `""`.|
