Pattern for string parameter is too loose

Description

The pattern for a string parameter in your API is too loosely defined. It does not actually limit what gets passed to the API.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The defined pattern is so loose that the API effectively accepts any string of any size and value:

{
  "parameters": {
     "in": "query",
     "name": "id",
     "type": "string",
     "pattern": ".*",
     "description": "Identifier of the object to be extracted."
  }
}

Possible exploit scenario

If you define too loose a pattern for strings, you do not actually limit what is accepted as input. This could open your backend server to various attacks, such as SQL injection or buffer overflows.

Remediation

Set a well-defined regular expression in the pattern field of string parameters. This ensures that only strings matching the set pattern get passed to your API.

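For example, the API below only accepts UUIDs that are compliant with RFC 4122. The pattern value is a bare regular expression in the ECMA 262 dialect, without surrounding / delimiters or trailing flags, so case-insensitivity is spelled out in the character classes:

{
  "parameters": {
     "in": "query",
     "name": "id",
     "type": "string",
     "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$",
     "description": "Identifier of the object to be extracted."
  }
}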
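One way to check a parameter's pattern before publishing the definition is shown here as an added example; it is not code from the original page or from any audit tool. The function name auditParameter, the probe strings, and the sample UUID are constructed for illustration, and the anchoring test is a simple heuristic. It audits three candidate patterns: the loose `.*`, an anchored UUID expression, and the same expression written as a regex literal with / delimiters and an i flag.

```javascript
// Constructed probe strings that a tight identifier pattern should reject.
const PROBES = ["", "' OR '1'='1", "a".repeat(10000), "line1\nline2"];

// Returns a list of findings for one OpenAPI parameter object.
// validSamples: values the API must keep accepting (supplied by the caller).
function auditParameter(param, validSamples = []) {
  const findings = [];
  if (param.type !== "string") return findings;
  if (typeof param.pattern !== "string") return ["no pattern defined"];

  let re;
  try {
    // OpenAPI patterns are ECMA 262 source text: no / delimiters, no flags.
    re = new RegExp(param.pattern);
  } catch (err) {
    return ["pattern is not a valid regular expression"];
  }
  // Heuristic: patterns are unanchored by default, so a missing ^ or $
  // lets a valid-looking substring carry arbitrary surrounding text.
  if (!param.pattern.startsWith("^") || !param.pattern.endsWith("$")) {
    findings.push("pattern is not anchored with ^ and $");
  }
  const accepted = PROBES.filter((p) => re.test(p));
  if (accepted.length > 0) {
    findings.push(`accepts ${accepted.length} of ${PROBES.length} probe strings`);
  }
  const rejected = validSamples.filter((s) => !re.test(s));
  if (rejected.length > 0) {
    findings.push(`rejects ${rejected.length} of ${validSamples.length} valid samples`);
  }
  return findings;
}

// Constructed sample data: one valid UUID and three candidate patterns.
const SAMPLE_UUID = "123e4567-e89b-42d3-a456-426614174000";
const HEX = "[0-9a-fA-F]";
const STRICT = `^${HEX}{8}-${HEX}{4}-[1-5]${HEX}{3}-[89abAB]${HEX}{3}-${HEX}{12}$`;
const candidates = { loose: ".*", strict: STRICT, regexLiteral: `/${STRICT}/i` };

function auditAll() {
  const out = {};
  for (const [name, pattern] of Object.entries(candidates)) {
    const param = { in: "query", name: "id", type: "string", pattern };
    out[name] = auditParameter(param, [SAMPLE_UUID]);
  }
  return out;
}
console.log(auditAll());
```

The regex-literal form fails in the opposite direction from `.*`: the slashes are treated as literal characters, so the pattern rejects every valid UUID instead of accepting everything.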