Array has no type of the items defined
One or more arrays in your API do not have the type of items they can contain specified.
Open API Specification (OAS) v2 requires the type property for items objects. However, most OAS v2 validators do not raise an error on items that do not have
The following is an example of how this type of risk could look in your API definition:
```yaml
parameters:
  - name: ids
    in: query
    description: IDs to filter by
    required: true
    type: array
    items:
      description: ID of a specific user
      # ...
```
Possible exploit scenario
If an array does not specify the type property for the items in it, users cannot tell the data type of items your API expects. The users may try to send data of an unexpected type to your API, which could cause the backend server to crash.
In addition, protection services based on OpenAPI definitions are not able to filter out items of unexpected data types. Attackers can try various types for the items, which again could crash the backend server.
When your backend server crashes, the error messages or exception trace could leak information on the implementation of your services. Attackers could then use this information to make further attacks.
Make sure your array definitions include the type property in the items field describing accepted items for the array:
```yaml
parameters:
  - name: ids
    in: query
    description: IDs to filter by
    required: true
    type: array
    items:
      type: integer
      description: ID of a specific user
      # ...
```
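Because most OAS v2 validators let this pass, a quick self-check is useful. The script below is an added example (not 42Crunch tooling): it walks a whole OAS v2 document, so it covers parameter Items Objects as well as Schema Objects in definitions and responses, and reports every array whose items carry neither a type nor a $ref. The sample document inside it is constructed for the demonstration.

```python
"""Find OAS v2 array definitions whose ``items`` object has no ``type``.

Added example, not 42Crunch code. An ``items`` given as a ``$ref`` is
accepted, since the referenced schema carries the type.
"""
import json

# Constructed sample: a minimal OAS v2 document with two bad arrays and two good ones.
SAMPLE_OAS2 = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "demo", "version": "1"},
  "paths": {
    "/users": {
      "get": {
        "parameters": [
          {"name": "ids", "in": "query", "required": true, "type": "array",
           "items": {"description": "ID of a specific user"}},
          {"name": "tags", "in": "query", "type": "array",
           "items": {"type": "string"}}
        ],
        "responses": {"200": {"description": "ok", "schema":
          {"type": "array", "items": {"$ref": "#/definitions/User"}}}}
      }
    }
  },
  "definitions": {
    "User": {"type": "object",
             "properties": {"roles": {"type": "array", "items": {}}}}
  }
}
""")


def _pointer_token(key):
    """Escape a key for use in a JSON pointer (RFC 6901)."""
    return str(key).replace("~", "~0").replace("/", "~1")


def find_untyped_array_items(node, path="#"):
    """Return JSON-pointer paths of arrays whose items lack a type or $ref."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "array":
            items = node.get("items")
            if not isinstance(items, dict) or not ("type" in items or "$ref" in items):
                findings.append(path + "/items")
        for key, value in node.items():
            findings += find_untyped_array_items(value, f"{path}/{_pointer_token(key)}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings += find_untyped_array_items(value, f"{path}/{index}")
    return findings


if __name__ == "__main__":
    for finding in find_untyped_array_items(SAMPLE_OAS2):
        print("untyped array items at", finding)
```

Run it against a real definition by replacing SAMPLE_OAS2 with json.load() of the file; each reported pointer is a place where the items field needs a type.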
Copyright 42Crunch 2021