Migrate Fuzz tests tool to Schemathesis and add REST Fuzz tests

.github/workflows/run-ci-cd.yaml

@@ -1,4 +1,4 @@
-name: Run CI/CD
+name: Run CI/CD
 
 on:
   merge_group:
@@ -263,13 +263,11 @@ jobs:
           - 5432:5432
       cache:
         image: redis:8.0.5-alpine3.21
-        env:
-          REDIS_PASSWORD: nest-cache-e2e-password
         options: >-
-          --health-cmd="redis-cli -a $$REDIS_PASSWORD ping"
+          --health-cmd="redis-cli ping"
           --health-interval=5s
-          --health-timeout=5s
           --health-retries=5
+          --health-timeout=5s
         ports:
           - 6379:6379
     steps:
@@ -291,6 +289,8 @@ jobs:
             --env-file backend/.env.e2e.example \
             --network host \
             -e DJANGO_DB_HOST=localhost \
+            -e DJANGO_REDIS_AUTH_ENABLED=False \
+            -e DJANGO_REDIS_HOST=localhost \
             -p 9000:9000 \
             owasp/nest:test-backend-latest \
             sh -c '
@@ -381,109 +381,24 @@ jobs:
             echo "release_version=$(date '+%y.%-m.%-d')-${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
           fi
 
-  run-fuzz-tests:
-    name: Run fuzz tests
+  run-graphql-fuzz-tests:
+    name: Run GraphQL fuzz tests
     needs:
       - scan-code
       - scan-ci-dependencies
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-    services:
-      db:
-        image: pgvector/pgvector:pg16
-        env:
-          POSTGRES_DB: nest_db_fuzz
-          POSTGRES_PASSWORD: nest_user_fuzz_password
-          POSTGRES_USER: nest_user_fuzz
-        options: >-
-          --health-cmd="pg_isready -U nest_user_fuzz -d nest_db_fuzz -h localhost -p 5432"
-          --health-interval=5s
-          --health-timeout=5s
-          --health-retries=5
-        ports:
-          - 5432:5432
-      cache:
-        image: redis:8.0.5-alpine3.21
-        env:
-          REDIS_PASSWORD: nest-fuzz-cache-password
-        options: >-
-          --health-cmd="redis-cli -a $$REDIS_PASSWORD ping"
-          --health-interval=5s
-          --health-timeout=5s
-          --health-retries=5
-        ports:
-          - 6379:6379
-    steps:
-      - name: Check out repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
-
-      - name: Set up Docker buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
-
-      - name: Setup Backend environment
-        uses: ./.github/workflows/setup-backend-environment
-        with:
-          db_username: nest_user_fuzz
-          db_name: nest_db_fuzz
-
-      - name: Run backend with fuzz environment variables
-        run: |
-          docker run -d --rm --name fuzz-nest-backend \
-            --env-file backend/.env.fuzz.example \
-            --network host \
-            -e DJANGO_DB_HOST=localhost \
-            -p 9500:9500 \
-            owasp/nest:test-backend-latest \
-            sh -c '
-              python manage.py migrate &&
-              gunicorn wsgi:application --bind 0.0.0.0:9500
-            '
-
-      - name: Waiting for the backend to be ready
-        run: |
-          timeout 5m bash -c '
-            until wget --spider http://localhost:9500/a; do
-              echo "Waiting for backend..."
-              sleep 5
-            done
-          '
-          echo "Backend is up!"
-
-      - name: Load Postgres data
-        env:
-          PGPASSWORD: nest_user_fuzz_password
-        run: |
-          pg_restore -h localhost -U nest_user_fuzz -d nest_db_fuzz < backend/data/nest.dump
+    uses: ./.github/workflows/run-fuzz-tests.yaml
+    with:
+      test-file: graphql_test.py
 
-      - name: Build Fuzz-testing image
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
-        with:
-          cache-from: |
-            type=gha
-            type=registry,ref=owasp/nest:test-fuzz-backend-cache
-          cache-to: |
-            type=gha,compression=zstd
-          context: docker/backend
-          file: docker/backend/Dockerfile.fuzz
-          load: true
-          platforms: linux/amd64
-          tags: owasp/nest:test-fuzz-backend-latest
-
-      - name: Run backend fuzz tests
-        run: |
-          mkdir -p ${{ github.workspace }}/fuzzing_results &&
-          chmod -R 777 ${{ github.workspace }}/fuzzing_results &&
-          docker run -e BASE_URL=http://localhost:9500 --network host \
-          -v ${{ github.workspace }}/fuzzing_results:/home/owasp/fuzzing_results \
-          owasp/nest:test-fuzz-backend-latest
-
-      - name: Upload fuzzing results
-        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
-        if: always()
-        with:
-          name: fuzzing-results
-          path: fuzzing_results/
-          retention-days: 30
+  run-rest-fuzz-tests:
+    name: Run REST fuzz tests
+    needs:
+      - scan-code
+      - scan-ci-dependencies
+    uses: ./.github/workflows/run-fuzz-tests.yaml
+    with:
+      test-file: rest_test.py
+      rest-url: http://localhost:9500/api/v0
 
   build-staging-images:
     name: Build Staging Images

.github/workflows/run-fuzz-tests.yaml

@@ -0,0 +1,118 @@
+name: Run fuzz tests
+
+on:
+  workflow_call:
+    inputs:
+      test-file:
+        description: 'The test file to run fuzz tests on'
+        required: true
+        type: string
+      rest-url:
+        description: 'The REST API URL to test against'
+        required: false
+        type: string
+        default: 'http://localhost:9500/api/v0'
+
+jobs:
+  run-fuzz-tests:
+    name: Run Fuzz Tests
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    services:
+      db:
+        image: pgvector/pgvector:pg16
+        env:
+          POSTGRES_DB: nest_db_fuzz
+          POSTGRES_PASSWORD: nest_user_fuzz_password
+          POSTGRES_USER: nest_user_fuzz
+        options: >-
+          --health-cmd="pg_isready -U nest_user_fuzz -d nest_db_fuzz -h localhost -p 5432"
+          --health-interval=5s
+          --health-retries=5
+          --health-timeout=5s
+        ports:
+          - 5432:5432
+      cache:
+        image: redis:8.0.5-alpine3.21
+        options: >-
+          --health-cmd="redis-cli ping"
+          --health-interval=5s
+          --health-retries=5
+          --health-timeout=5s
+        ports:
+          - 6379:6379
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+
+      - name: Set up Docker buildx
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
+
+      - name: Setup Backend environment
+        uses: ./.github/workflows/setup-backend-environment
+        with:
+          db_username: nest_user_fuzz
+          db_name: nest_db_fuzz
+
+      - name: Run backend with fuzz environment variables
+        run: |
+          docker run -d --rm --name fuzz-nest-backend \
+            --env-file backend/.env.fuzz.example \
+            --network host \
+            -e DJANGO_DB_HOST=localhost \
+            -e DJANGO_REDIS_AUTH_ENABLED=False \
+            -e DJANGO_REDIS_HOST=localhost \
+            -p 9500:9500 \
+            owasp/nest:test-backend-latest \
+            sh -c '
+              python manage.py migrate &&
+              gunicorn wsgi:application --bind 0.0.0.0:9500
+            '
+
+      - name: Waiting for the backend to be ready
+        run: |
+          timeout 5m bash -c '
+            until wget --spider http://localhost:9500/a; do
+              echo "Waiting for backend..."
+              sleep 5
+            done
+          '
+          echo "Backend is up!"
+
+      - name: Load Postgres data
+        env:
+          PGPASSWORD: nest_user_fuzz_password
+        run: |
+          set -euo pipefail
+          if ! pg_restore -h localhost -U nest_user_fuzz -d nest_db_fuzz < backend/data/nest.dump; then
+            echo "Data loading failed"
+            exit 1
+          fi
+          echo "Data loading completed."
+
+      - name: Build Fuzz-testing image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83
+        with:
+          cache-from: |
+            type=gha
+            type=registry,ref=owasp/nest:test-fuzz-backend-cache
+          cache-to: |
+            type=gha,compression=zstd
+          context: backend
+          file: docker/backend/Dockerfile.fuzz
+          load: true
+          platforms: linux/amd64
+          tags: owasp/nest:test-fuzz-backend-latest
+
+      - name: Run fuzz tests
+        env:
+          TEST_FILE: ${{ inputs.test-file }}
+          REST_URL: ${{ inputs.rest-url }}
+        run: |
+          docker run \
+            --network host \
+            -e BASE_URL=http://localhost:9500 \
+            -e CI=true \
+            -e REST_URL="$REST_URL" \
+            -e TEST_FILE="$TEST_FILE" \
+            owasp/nest:test-fuzz-backend-latest

backend/.env.e2e.example

@@ -13,6 +13,7 @@ DJANGO_DB_PASSWORD=nest_user_e2e_password
 DJANGO_DB_PORT=5432
 DJANGO_OPEN_AI_SECRET_KEY=None
 DJANGO_PUBLIC_IP_ADDRESS="127.0.0.1"
+DJANGO_REDIS_AUTH_ENABLED=True
 DJANGO_REDIS_HOST=cache
 DJANGO_REDIS_PASSWORD=nest-cache-e2e-password
 DJANGO_RELEASE_VERSION=None

backend/.env.example

@@ -13,6 +13,7 @@ DJANGO_DB_USER=None
 DJANGO_ELEVENLABS_API_KEY=None
 DJANGO_OPEN_AI_SECRET_KEY=None
 DJANGO_PUBLIC_IP_ADDRESS="127.0.0.1"
+DJANGO_REDIS_AUTH_ENABLED=True
 DJANGO_REDIS_HOST=None
 DJANGO_REDIS_PASSWORD=None
 DJANGO_RELEASE_VERSION=None

backend/.env.fuzz.example

@@ -13,6 +13,7 @@ DJANGO_DB_PASSWORD=nest_user_fuzz_password
 DJANGO_DB_PORT=5432
 DJANGO_OPEN_AI_SECRET_KEY=None
 DJANGO_PUBLIC_IP_ADDRESS="127.0.0.1"
+DJANGO_REDIS_AUTH_ENABLED=True
 DJANGO_REDIS_HOST=cache
 DJANGO_REDIS_PASSWORD=nest-fuzz-cache-password
 DJANGO_RELEASE_VERSION=None

backend/Makefile

@@ -121,6 +121,9 @@ migrate:
 migrations:
 	@CMD="python manage.py makemigrations" $(MAKE) exec-backend-command
 
+migrations-empty:
+	@CMD="python manage.py makemigrations --empty $(APP_NAME)" $(MAKE) exec-backend-command
+
 purge-data:
 	@CMD="python manage.py purge_data" $(MAKE) exec-backend-command
 
@@ -188,6 +191,10 @@ test-fuzz:
 	@docker volume rm -f nest-fuzz_fuzz-db-data >/dev/null 2>&1 || true
 	@COMPOSE_BAKE=true DOCKER_BUILDKIT=1 \
 	docker compose --project-name nest-fuzz -f docker-compose/fuzz/compose.yaml up --build --remove-orphans --abort-on-container-exit db cache backend data-loader
+	@echo "Running REST API fuzz tests..."
+	@COMPOSE_BAKE=true DOCKER_BUILDKIT=1 \
+	docker compose --project-name nest-fuzz -f docker-compose/fuzz/compose.yaml up --build --remove-orphans --abort-on-container-exit db backend rest
+	@echo "Running GraphQL fuzz tests..."
 	@COMPOSE_BAKE=true DOCKER_BUILDKIT=1 \
 	docker compose --project-name nest-fuzz -f docker-compose/fuzz/compose.yaml up --build --remove-orphans --abort-on-container-exit db cache backend graphql
 

backend/apps/api/rest/v0/__init__.py

@@ -4,6 +4,7 @@
 
 from django.conf import settings
 from ninja import NinjaAPI, Swagger
+from ninja.errors import ValidationError
 from ninja.pagination import RouterPaginated
 from ninja.throttling import AuthRateThrottle
 
@@ -103,6 +104,16 @@
 api = NinjaAPI(**{**api_settings, **api_settings_customization})
 
 
+@api.exception_handler(ValidationError)
+def validation_exception_handler(request, exc):
+    """Handle validation exceptions."""
+    return api.create_response(
+        request,
+        {"message": "Invalid request", "errors": exc.errors},
+        status=400,
+    )
+
+
 @api.get("/", include_in_schema=False)
 def api_root(request):
     """Handle API root endpoint requests."""

backend/apps/api/rest/v0/chapter.py

@@ -11,7 +11,7 @@
 from ninja.responses import Response
 
 from apps.api.decorators.cache import cache_response
-from apps.api.rest.v0.common import Leader, LocationFilter
+from apps.api.rest.v0.common import Leader, LocationFilter, ValidationErrorSchema
 from apps.owasp.models.chapter import Chapter as ChapterModel
 
 router = RouterPaginated(tags=["Chapters"])
@@ -100,6 +100,7 @@ def list_chapters(
     description="Retrieve chapter details.",
     operation_id="get_chapter",
     response={
+        HTTPStatus.BAD_REQUEST: ValidationErrorSchema,
         HTTPStatus.NOT_FOUND: ChapterError,
         HTTPStatus.OK: ChapterDetail,
     },

backend/apps/api/rest/v0/committee.py

@@ -11,6 +11,7 @@
 from ninja.responses import Response
 
 from apps.api.decorators.cache import cache_response
+from apps.api.rest.v0.common import ValidationErrorSchema
 from apps.owasp.models.committee import Committee as CommitteeModel
 
 router = RouterPaginated(tags=["Committees"])
@@ -70,6 +71,7 @@ def list_committees(
     description="Retrieve committee details.",
     operation_id="get_committee",
     response={
+        HTTPStatus.BAD_REQUEST: ValidationErrorSchema,
         HTTPStatus.NOT_FOUND: CommitteeError,
         HTTPStatus.OK: CommitteeDetail,
     },

backend/apps/api/rest/v0/common.py

@@ -10,6 +10,13 @@ class Leader(Schema):
     name: str
 
 
+class ValidationErrorSchema(Schema):
+    """Schema for validation error."""
+
+    message: str
+    errors: list[dict] | dict | None = None
+
+
 class LocationFilter(FilterSchema):
     """Filter for Location."""