Parameters on "Path Item" level is not getting accepted

[mbeckerle-xqueue]

Describe the bug

I am working with the Fuzzer and while it is working well for resources without path parameters, I experienced an exception if I include a path parameter directly under a resource (called "path item" in the documentation of OpenAPI). The idea is that for a resource like /blacklists/{blacklistId} it is not making sense to add a PATH-parameter "blacklistId" to each single CRUD method, instead it should be defined one level above. Both would be valid syntax but my parser adds it to the path item and not the operations and as the document is about 7.000 lines and I cannot find a way to make the parser add it to each operation, it would be nice if you could fix this.

Reference to documentation

Each template expression in the path MUST correspond to a path parameter that is included in the Path Item itself and/or in each of the Path Item’s Operations. An exception is if the path item is empty, for example due to ACL constraints, matching path parameters are not required.

See: https://spec.openapis.org/oas/v3.1.0#path-templating

This error has the same log entry like described here: #46
Maybe it has a similar or the same cause.

APIFuzzer debug log

3496041 [  DEBUG] APIFuzzer.JsonSectionAbove-schema [move_json_parts.py:40 -             _resolve ]: Processed: schemas -> {"schemas": {"Blacklist": {"properties": {"entries": {"items": {"type": "string"}, "type": "array"},
3496041 [  DEBUG] APIFuzzer.JsonSectionAbove-schema [move_json_parts.py:40 -             _resolve ]: Processed: components -> {"components": {"schemas": {"Blacklist": {"properties": {"entries": {"items": {"type": "string"}, "t
3496041 [   INFO] APIFuzzer.OpenAPITemplateGenerator [openapi_template_generator.py:108 - process_api_resources ]: Start preparation
3496041 [  ERROR] APIFuzzer [fuzzer.py:47 -              prepare ]: Exception: 'list' object has no attribute 'get'
Traceback (most recent call last):
  File "/home/mysecretusername/APIFuzzer/APIFuzzer/apifuzzer/fuzzer.py", line 45, in prepare
    template_generator.process_api_resources()
  File "/home/mysecretusername/APIFuzzer/APIFuzzer/apifuzzer/openapi_template_generator.py", line 109, in process_api_resources
    self._process_request_body()
  File "/home/mysecretusername/APIFuzzer/APIFuzzer/apifuzzer/openapi_template_generator.py", line 123, in _process_request_body
    paths[resource][method].get("requestBody", {}).get("content", [])
AttributeError: 'list' object has no attribute 'get'
Unexpected exception happened during fuzz test preparation: 'list' object has no attribute 'get'. Feel free to report the issue

Related API definition

openapi: 3.0.3
info:
  title: Generated API
  version: "1.0"
servers:
  - url: https://mysecretserver/1.0
paths:
  /blacklists/{blacklistId}:
    get:
      responses:
        "200":
          description: OK
          content:
            text/xml:
              schema:
                $ref: '#/components/schemas/Blacklist'
    parameters:
      - in: path
        name: blacklistId
        schema:
            format: int64
            type: integer
        required: true
        description: The ID of the blacklist to retrieve details on
components:
  schemas:
    Blacklist:
      type: object
      properties:
        id:
          format: int64
          type: integer
        name:
          type: string
        entries:
          type: array
          items:
            type: string

In this simple example I added a path parameter 'blacklistId' to be used for all future CRUD methods. Actually I did this not by myself but this was generated by some generator and the output can be used to e.g. provide a graphical documentation and everything looks fine.

First I tried different variations from the documentation, e.g. changing order of attributes, testing a string instead of a long but as soon as I add the parameter to the yaml, the fuzzer quits. I also tried renaming the parameter as 'blacklistid' but with no success. I can remove the whole Schema and all references to it,

Then I came up testing if it is a difference if I move the parameter description to the path item's operation:

---
openapi: 3.0.3
info:
  title: Generated API
  version: "1.0"
servers:
  - url: https://mysecretserver/1.0
paths:
  /blacklists/{blacklistId}:
    get:
      responses:
        "200":
          description: OK
          content:
            text/xml:
              schema:
                $ref: '#/components/schemas/Blacklist'
      parameters:
        - in: path
          name: blacklistId
          schema:
            format: int64
            type: integer
          required: true
          description: The ID of the blacklist to retrieve details on
components:
  schemas:
    Blacklist:
      type: object
      properties:
        id:
          format: int64
          type: integer
        name:
          type: string
        entries:
          type: array
          items:
            type: string

Now the parameter belongs to the GET method and the fuzzer starts running.

Software environment (please complete the following information):

• OS: Ubuntu 20.04.3 LTS
• Python version: Python 3.8.10
• APIFuzzer Version: 0.9.12

[mbeckerle-xqueue]

Hi Peter,

did you have time to check this already?

Kind regards,
Marcus

[KissPeter]

Hi,
Did you try with the most recent APIFuzzer version?

[adrien-marsoulaud]

Having the same issue on latest version

[adrien-marsoulaud]

It seems that parameters is handle as a path method.
In openapi_template_generator.py:

122:                    for content_type in (
123:                        paths[resource][method].get("requestBody", {}).get("content", [])
124:                    ):

Here method variable contains the value "parameters". Looks like it should only be an HTTP verb.