MassAssignmentFuzzer crashes with InvalidModificationException on schemas with array properties

[ericfitz]

Description

The MassAssignmentFuzzer crashes with a JsonPath.InvalidModificationException when processing OpenAPI schemas that contain array-type properties. This causes CATS to silently stop processing remaining paths, resulting in incomplete API coverage.

CATS Version

• Version: 13.5.0
• Build time: 2025-12-20T18:52:55Z UTC
• Platform: Mac OS X-26.2-aarch64

Steps to Reproduce

1. Create an OpenAPI spec with a schema containing array properties, for example:

components:
  schemas:
    ExampleInput:
      type: object
      properties:
        name:
          type: string
        items:
          type: array
          items:
            $ref: '#/components/schemas/Item'
      required:
        - name
      additionalProperties: false

2. Run CATS against the spec:

cats --contract=api.json --server=http://localhost:8080 --dryRun

3. Observe the crash after processing the endpoint that uses this schema.

Stack Trace

com.jayway.jsonpath.InvalidModificationException: Invalid put operation. $ is not a map
	at com.jayway.jsonpath.internal.PathRef$RootPathRef.put(PathRef.java:136)
	at com.jayway.jsonpath.JsonPath.put(JsonPath.java:342)
	at com.jayway.jsonpath.internal.JsonContext.put(JsonContext.java:207)
	at com.jayway.jsonpath.internal.JsonContext.put(JsonContext.java:186)
	at com.endava.cats.util.JsonUtils.replaceNewElement(JsonUtils.java:522)
	at com.endava.cats.fuzzer.fields.MassAssignmentFuzzer.addFieldToPayload(MassAssignmentFuzzer.java:162)
	at com.endava.cats.fuzzer.fields.MassAssignmentFuzzer.testMassAssignment(MassAssignmentFuzzer.java:145)
	at com.endava.cats.fuzzer.fields.MassAssignmentFuzzer.fuzz(MassAssignmentFuzzer.java:128)
	at com.endava.cats.command.CatsCommand.runSingleFuzzer(CatsCommand.java:460)
	at com.endava.cats.command.CatsCommand.lambda$runFuzzers$0(CatsCommand.java:443)
	at java.base@25.0.1/java.util.ArrayList.forEach(ArrayList.java:1604)
	at com.endava.cats.command.CatsCommand.runFuzzers(CatsCommand.java:443)
	at com.endava.cats.command.CatsCommand.fuzzPath(CatsCommand.java:434)
	at com.endava.cats.command.CatsCommand.startFuzzing(CatsCommand.java:335)
	at com.endava.cats.command.CatsCommand.doLogic(CatsCommand.java:268)
	at com.endava.cats.command.CatsCommand.run(CatsCommand.java:214)
	at picocli.CommandLine.executeUserObject(CommandLine.java:2045)
	...

Expected Behavior

• CATS should either handle schemas with array properties gracefully, or
• Skip the problematic fuzzer for that specific endpoint and continue processing remaining paths

Actual Behavior

• CATS crashes and stops processing all remaining paths
• In my case, an OpenAPI spec with 90 paths only had 43 paths tested before the crash
• All paths alphabetically after the failing endpoint are never tested
• The crash is silent during normal execution (not --dryRun), making it appear that fuzzing completed successfully

Workaround

Use --skipFuzzers=MassAssignmentFuzzer to exclude the problematic fuzzer.

Reproducible Example

A full OpenAPI spec that triggers this issue is available at:
https://github.com/ericfitz/tmi/blob/main/docs/reference/apis/tmi-openapi.json

The crash occurs when processing the POST /threat_models endpoint, which uses the ThreatModelInput schema containing metadata and authorization array properties.

Impact

This is a significant issue because:

1. The crash is silent during normal execution, so users believe their API was fully tested
2. It can cause a large portion of the API to go untested (in my case, 52% of paths were skipped)
3. Users may not discover the issue unless they carefully audit which paths were actually tested

[en-milie]

Hi @ericfitz. This should be fixed in the latest release: https://github.com/Endava/cats/releases/tag/cats-13.6.0

[ericfitz]

Verified fixed in 13.6.0