Schema defines 'additionalProperties' as a boolean value

Description

The schema defines additionalProperties as a boolean value.

The reason additionalProperties takes a boolean value comes from the role the attribute plays in JSON schemas. In JSON, by default, any object can also accept additional properties that are not defined in its schema as long as the properties defined in the schema are present. To change this behavior and stop allowing any additional properties to those explicitly defined in the schema, you can set additionalProperties to false.

OpenAPI Specification (OAS) v2 does not define this behavior, and the current tooling (such as parsers and codegen) does not support it. Instead, they only accept the value object for this property. Thus, it is not recommended to use boolean values.

However, OAS v2 does support using additionalProperties to specify a schema to which the additional properties must conform.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. Here, additionalProperties is set to false. This behavior is supported in regular JSON but not in OAS v2:

"post": {
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "tag": {
            "type": "string"
          }
        },
        "required": [
          "name"
        ],
        "additionalProperties": "false"
      }
    }
   ],

Possible exploit scenario

While it is unlikely that attackers will be able to directly breach your API because of a boolean value for additionalProperties, it may still pose a risk to API security. Because this is not a documented part of the OAS, the API implementation may not behave according to developer expectations. Such a discrepancy has an inherent risk and is not recommended.

Remediation

If you need to allow additional properties, use additionalProperties to provide the schema that you want to support. For example:

"post": {
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string"
          },
          "tag": {
            "type": "string"
          }
        },
        "required": [
          "name"
        ],
        "additionalProperties": {
          "type" : "string"
        }
      }
    }
   ],