petstore fails with JSONDecodeError on user.loginUser

[domanchi]

Reproduction Steps

$ fuzz-lightyear https://petstore.swagger.io/v2/swagger.json -v -t user.loginUser
...
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Analysis

Looking at the issue, it looks like petstore's swagger specification doesn't specify
it's types that it produces accurately.

...
/user/login:
  get:
    tags:
    - "user"
    summary: "Logs user into the system"
    operationId: "loginUser"
    produces:
    - "application/xml"
    - "application/json"

Bravado then interprets this value literally, and tries to JSON decode it, thereby causing a JSON decode error.

After all, in practice, it only returns a string:

$ curl -X GET 'https://petstore.swagger.io/v2/user/login?username=%08%1B%16%05&password=%F3%90%8D%B3+%2B%0C'
logged in user session:1563475979713

Action Steps

We need to decide whether we should accept this as "functioning by design", or whether we
should work around this limitation, and modify our assumption that Swagger files are accurate.

[OiCMudkips]

My opinion is that we shouldn't be trying to work around invalid Swagger files. We've actually hit this before, but in that case the Swagger/OpenAPI maintainers just updated the examples to have a type field. (see Yelp/bravado#416 and OAI/OpenAPI-Specification#1923)

I couldn't figure out where the source code for petstore.swagger.io was before, but if it's open-source and you can find it, you can get free green boxes by submitting a PR to update the website :)