Pattern for string items in an array header is too loose

Description

An array header containing string items specifies too loosely defined pattern for the strings. The pattern does not actually limit what can be included in response headers.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The array header accepts items of the type string but the pattern of the items is not precise enough:

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "array",
          "items": {
            "type": "string",
            "pattern": ".*"
          }
        }
      }
    }
  }
}

Possible exploit scenario

Your API has been designed to return specific data. If you define too loose pattern for strings, you do not actually limit what can be included in response headers.

Attackers typically want to make the API to change its behavior and return different data than it is supposed to. A particular API failure might leak some other data, such as records or stack trace.

Locking down the pattern of strings in your response headers helps reduce this risk.

Remediation

Set a well-defined regular expression in the pattern field of string items in array headers. This ensures that only strings matching the pattern can be included in the response header.

For example, the API below only accepts UUIDs that are compliant with RFC 4122:

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "array",
          "items": {
            "type": "string",
            "pattern": "/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$/i"
          }
        }
      }
    }
  }
}