Schema allows additional properties

Description

The schema you have defined allows additional properties, either intentionally or unintentionally.

In JSON, by default, any object can also accept additional properties. OpenAPI Specification (OAS) v2 does not define this behavior, and the current tooling (such as parsers and codegen) does not support it. Instead, they only accept the value object for this property. Thus, it is not recommended to use Boolean values.

However, OAS v2 does support using additionalProperties to specify a schema to which the additional properties must conform.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. In this case, the schema does not use any combining operations (so there is no need to allow additional properties) but additionalProperties is set to true:

1post:
2  operationId: addPet
3  parameters:
4    - name: pet
5      in: body
6      description: Pet to add to the store
7      required: true
8      schema:
9        type: object
10        properties:
11          name:
12            type: string
13          tag:
14            type: string
15        required:
16          - name
17        additionalProperties: true
18

Possible exploit scenario

If you do not clearly define the schema and you leave properties of a JSON payload empty, you effectively allow attackers to pass in any data. This means that you are opening your backend to various attacks, such as SQL injection.

This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.

If no restrictions to the set of properties in the JSON payload are enforced, the API might also accept more fields than expected. The received payloads could be blindly transformed into an object and stored, overwriting sensitive internal data. For more details, see API6:2019 — Mass assignment in OWASP API Security Top 10.

Remediation

The safest option is not to allow additional properties. If the schema does not use allOf at all, make sure you define all properties of the accepted JSON payload in the schema itself.

Do not use combining operations (allOf) for defining additional properties in API definitions following the OAS v2.

We recommend updating your API definition to follow the OAS v3, because it offers proper support for additionalProperties as Boolean, in addition to other improvements.

If you cannot update your API to OAS v3, use additionalProperties to provide the schema that you want to support:

1definitions:
2  Pet:
3    type: object
4    properties:
5      name:
6        type: string
7      petType:
8        type: string
9    required:
10      - name
11      - petType
12    additionalProperties: "#/definitions/Cat"
13  Cat:
14    properties:
15      furType:
16        type: enum
17        enum:
18          - short-haired
19          - long-haired
20          - curly
21          - naked
22        default: short-haired
23

Copyright 42Crunch 2021