Is Mayhem able to handle all the Regular Expressions allowed by OpenAPI 2.0/3.0?

We use 42Crunch API Security Validation to check our API Schemas. We have a lot of Regular Expression patterns in our Schema, and if they are not valid, 42Crunch flags them. However, when I run the mapi.exe with my schema, it is ignoring some of the RegEx, even though they are valid.

We are then seeing a lot of tests that don’t get past the API Validation stage.

Hi @rhopper-gwi, thanks for reaching out!

Are you able to share an example of a regular expression that is not being parsed? If you are not comfortable sharing on a forum, you can also share privately via email (mayhem4api@forallsecure.com).

We are using https://crates.io/crates/regex to parse regular expressions. It is possible that it is missing a feature for the expressions in your schemas. You can also check this by pasting a regex into their web-based tester: https://rustexp.lpil.uk/

- Sheldon

I tried to put them in my original post, but they are being seen as links, for some reason. I’ll email you.

Thanks @rhopper-gwi. We will take a look and give you an update as soon as we have an answer!

Looks like comma and forward slash and single quote don’t have to be escaped, and the parser doesn’t like unnecessary backslashes. When I removed those, I no longer get the “unsupported regex” message.

Our next version of the mapi CLI (2.15.6+) will have a fix for this, as it will now accept regular expressions that have escaped characters that are not typically escaped (in your case, \, and \').

You can expect a release within the next few days on our release page!
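For schemas that must run on a mapi build without that fix, the workaround described above can be checked mechanically. The following is an added example, not code from ForAllSecure, 42Crunch or the posters: it walks an OpenAPI document, finds `pattern` values that contain the three escapes named in this thread, and proposes the unescaped form. The function names and the sample schema are constructed for illustration, and the escape set is limited to what the thread reports.

```python
# Escapes the thread reports as rejected: comma, forward slash, single quote.
NEEDLESS = {",", "/", "'"}

def strip_needless_escapes(pattern):
    out, found, i = [], [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in NEEDLESS:
                # Assumes this is not `{1\,3}`, where unescaping forms a quantifier.
                found.append(ch + nxt)
                out.append(nxt)
            else:
                out.append(ch + nxt)  # real escape such as `\d` or `\\`
            i += 2  # consume the pair so `\\,` is not misread as `\,`
        else:
            out.append(ch)
            i += 1
    return "".join(out), found  # (rewritten pattern, escapes dropped)

def walk(node, path="#"):
    # Yield (JSON pointer, pattern) for each string-valued `pattern` keyword.
    if isinstance(node, dict):
        for key, value in node.items():
            ptr = f"{path}/{str(key).replace('~', '~0').replace('/', '~1')}"
            if key == "pattern" and isinstance(value, str):
                yield ptr, value
            else:  # also covers a *property* that happens to be named "pattern"
                yield from walk(value, ptr)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, f"{path}/{idx}")

def lint(schema):
    checked = ((ptr, pat, *strip_needless_escapes(pat)) for ptr, pat in walk(schema))
    return [hit for hit in checked if hit[3]]  # only patterns that need a rewrite

# Constructed sample schema fragment, not taken from the thread.
SAMPLE = {"components": {"schemas": {"Customer": {"properties": {
    "name": {"type": "string", "pattern": r"^[A-Za-z\,\' ]+$"},
    "path": {"type": "string", "pattern": r"^\/v1\/[a-z]+$"},
    "winPath": {"type": "string", "pattern": r"^C:\\,?$"},
    "pattern": {"type": "string", "pattern": r"^\d{3}$"},
}}}}}

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

A pattern the fuzzer ignores leaves that field effectively unconstrained during generation, which matches the symptom of requests failing at the API validation stage, so running a check like this before a scan shows which fields are affected.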

This is great. Now we can run our Postman Collections. We might have to set up a Postman Mock server to return a bunch of valid customerIds, to help the AI learn.