Pattern for string items in an array schema is too loose

Description

An array schema whose items are strings declares a pattern that is too loosely defined. Such a pattern does not actually limit what gets passed to the API.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The array accepts items of the type string but the pattern of the items is not precise enough:

post:
  description: Creates a new pet in the store
  operationId: addPet
  parameters:
    - name: pet
      in: body
      description: Pet to add to the store
      required: true
      schema:
        type: object
        required:
          - name
        properties:
          name:
            type: string
          favfood:
            type: array
            items:
              type: string
              pattern: .*

Possible exploit scenario

If you define too loose a pattern for strings, you do not actually limit what is accepted as input. This could expose your backend server to various attacks, such as SQL injection or buffer overflows.

Remediation

Set a well-defined regular expression that matches your requirements in the pattern field of string parameters. This ensures that only strings matching the set pattern get passed to your API.

For example, the API below only accepts items that are alphanumeric strings of 3 to 10 characters:

post:
  description: Creates a new pet in the store
  operationId: addPet
  parameters:
    - name: pet
      in: body
      description: Pet to add to the store
      required: true
      schema:
        type: object
        required:
          - name
        properties:
          name:
            type: string
          favfood:
            type: array
            items:
              type: string
              pattern: ^[A-Za-z0-9]{3,10}$
              maxLength: 10

We recommend that you think carefully about what kind of regular expression best matches your needs. Do not simply copy the pattern from the code example.
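To make the difference between the loose and the remediated schema concrete, the following is an added example (not 42Crunch's code, and not the jsonschema library) that re-implements the three keywords the two snippets above use (type, pattern, maxLength) and runs both item schemas over a constructed `favfood` array. It also adds a third, hypothetical schema whose pattern looks tightened but lacks the `^` and `$` anchors, because JSON Schema's `pattern` only requires a match somewhere in the string; the `UNANCHORED_ITEMS` schema and the `SAMPLE_FAVFOOD` payload are constructed for this illustration.

```python
import re

# Item schemas copied from the two OpenAPI snippets on this page.
LOOSE_ITEMS = {"type": "string", "pattern": ".*"}
STRICT_ITEMS = {"type": "string", "pattern": "^[A-Za-z0-9]{3,10}$", "maxLength": 10}
# Constructed for illustration: a pattern that forgot its anchors.
UNANCHORED_ITEMS = {"type": "string", "pattern": "[A-Za-z0-9]{3,10}", "maxLength": 40}


def item_errors(value, items_schema):
    """Return the violations of one array item against the keywords
    used on this page: type, pattern, maxLength.

    JSON Schema's `pattern` is not implicitly anchored: the keyword is
    satisfied if the regex matches anywhere in the string, which is
    exactly what re.search does. Anchors must come from the pattern itself.
    """
    errors = []
    if items_schema.get("type") == "string" and not isinstance(value, str):
        return [f"expected string, got {type(value).__name__}"]
    max_len = items_schema.get("maxLength")
    if max_len is not None and len(value) > max_len:
        errors.append(f"length {len(value)} exceeds maxLength {max_len}")
    pattern = items_schema.get("pattern")
    if pattern is not None and re.search(pattern, value) is None:
        errors.append(f"does not match pattern {pattern!r}")
    return errors


def validate_array(values, items_schema):
    """Validate every element of an array; returns {index: [errors]} for the failing ones."""
    result = {}
    for i, value in enumerate(values):
        errs = item_errors(value, items_schema)
        if errs:
            result[i] = errs
    return result


# Constructed sample payload for `favfood`: two benign values, one
# injection-shaped string and one oversized string.
SAMPLE_FAVFOOD = [
    "tuna",
    "kibble",
    "tuna'; DROP TABLE pets; --",
    "A" * 5000,
]


def demo():
    """Run the sample payload through all three item schemas."""
    return {
        "loose": validate_array(SAMPLE_FAVFOOD, LOOSE_ITEMS),
        "unanchored": validate_array(SAMPLE_FAVFOOD, UNANCHORED_ITEMS),
        "strict": validate_array(SAMPLE_FAVFOOD, STRICT_ITEMS),
    }


if __name__ == "__main__":
    for name, failures in demo().items():
        print(f"{name}: rejected item indices {sorted(failures)}")
```

Running it shows that the `.*` schema rejects nothing, the anchorless schema rejects only the oversized string (the injection-shaped value slips through because `tuna` alone satisfies the pattern), and the remediated schema rejects both hostile items. Note that OpenAPI specifies ECMA 262 regex syntax, so Python's `re` is an approximation for the simple character-class patterns used here; test the final pattern with the engine your gateway or framework actually uses.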

For more information on regular expressions, see the following:


Copyright 42Crunch 2021