Array header with string items has no maximum length defined

Description

An array header containing string items does not define the maximum length for the accepted strings.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The array header accepts items of the type string of unlimited length:

1responses:
2  "200":
3    description: OK
4    headers:
5      x-ids:
6        schema:
7          type: array
8          items:
9            type: string
10

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API produces in each method.

Remediation

Set the maxLength property in array headers with string items. This provides an extra layer of safety ensuring that your API only returns data that you expect it to return.

1responses:
2  "200":
3    description: OK
4    headers:
5      x-ids:
6        schema:
7          type: array
8          items:
9            type: string
10            maxLength: 8
11

We also recommend that you specify a regular expression to further lock down the expected string format.

For more information on regular expressions, see the following:


Copyright 42Crunch 2021