Schema allows additional properties
The schema you have defined allows additional properties, either intentionally or unintentionally.
In JSON, by default, any object can also accept additional properties. OpenAPI Specification (OAS) v2 does not define this behavior, and the current tooling (such as parsers and codegen) does not support it. Instead, they only accept the value
object for this property. Thus, it is not recommended to use Boolean values.
However, OAS v2 does support using
additionalProperties to specify a schema to which the additional properties must conform.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition. In this case, the schema does not use any combining operations (so there is no need to allow additional properties) but
additionalProperties is set to
1post: 2 operationId: addPet 3 parameters: 4 - name: pet 5 in: body 6 description: Pet to add to the store 7 required: true 8 schema: 9 type: object 10 properties: 11 name: 12 type: string 13 tag: 14 type: string 15 required: 16 - name 17 additionalProperties: true 18
Possible exploit scenario
If you do not clearly define the schema and you leave properties of a JSON payload empty, you effectively allow attackers to pass in any data. This means that you are opening your backend to various attacks, such as SQL injection.
This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.
If no restrictions to the set of properties in the JSON payload are enforced, the API might also accept more fields than expected. The received payloads could be blindly transformed into an object and stored, overwriting sensitive internal data. For more details, see API6:2019 — Mass assignment in OWASP API Security Top 10.
The safest option is not to allow additional properties. If the schema does not use
allOf at all, make sure you define all properties of the accepted JSON payload in the schema itself.
Do not use combining operations (
allOf) for defining additional properties in API definitions following the OAS v2.
We recommend updating your API definition to follow the OAS v3, because it offers proper support for
additionalProperties as Boolean, in addition to other improvements.
If you cannot update your API to OAS v3, use
additionalProperties to provide the schema that you want to support:
1definitions: 2 Pet: 3 type: object 4 properties: 5 name: 6 type: string 7 petType: 8 type: string 9 required: 10 - name 11 - petType 12 additionalProperties: "#/definitions/Cat" 13 Cat: 14 properties: 15 furType: 16 type: enum 17 enum: 18 - short-haired 19 - long-haired 20 - curly 21 - naked 22 default: short-haired 23
Copyright 42Crunch 2021