Array schema with string items has no maximum length defined

Description

An array schema containing string items does not define the maximum length for the accepted strings.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The array schema accepts items of the type string of unlimited length:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "required": [
          "name"
        ],
        "properties": {
        "name": {
          "type": "string"
        },
        "favfood": {
          "type": "array",
          "items": {
             "type": "string"
          }
        }
      }
    }
   ],

Possible exploit scenario

If you do not limit the length of strings, attackers can send longer strings to your API than what your backend server can handle. This could overload your backend server and make it crash. In some cases, this could cause a buffer overflow and allow for executing arbitrary code. Long strings are also more prone to injection attacks.

Remediation

Set the maxLength property in array schemas with string items to ensure that only strings of the expected size get passed to your API:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "required": [
          "name"
        ],
        "properties": {
        "name": {
          "type": "string"
        },
        "favfood": {
          "type": "array",
          "items": {
             "type": "string"
             "maxLength: "10"
          }
        }
      }
    }
   ],