String array item has no pattern defined

Description

One or more arrays containing strings do not define any pattern for the accepted strings. This means that they do not limit the values that get passed to the API.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The array accepts items of the type string but their pattern is not defined:

{
  "parameters": [
  {
    "name": "ids",
    "in": "query",
    "description": "IDs to filter by",
    "required": true,
    "type": "array",
    "items": {
       "type": "string"
     }
  }
}

Possible exploit scenario

If you do not define a pattern for strings, any string is accepted as the input. This could open your backend server to various attacks, such as SQL injection.

Remediation

Set a well-defined regular expression in the pattern field of string array items. This ensures that only arrays of strings matching the set pattern get passed to your API.

For example, the API below only accepts UUIDs that are compliant with RFC 4122:

{
  "parameters": [
  {
    "name": "ids",
    "in": "query",
    "description": "IDs to filter by",
    "required": true,
    "type": "array",
    "items": {
       "type": "string",
       "pattern": "/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$/i" 
    } 
  } 
}