String schema has no pattern defined

Description

A string schema does not define any pattern for the accepted strings. This means that it does not limit the values that get passed to the API.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. Because no pattern is defined, the API accepts a string of any size and value:

1post:
2  description: Creates a new pet in the store
3  operationId: addPet
4  parameters:
5    - name: pet
6      in: body
7      description: Pet to add to the store
8      required: true
9      schema:
10        type: object
11        additionalProperties: false
12        required:
13          - name
14        properties:
15          name:
16            type: string
17

Possible exploit scenario

If you do not define a pattern for strings, any string is accepted as the input. This could open your backend server to various attacks, such as SQL injection.

Remediation

Set a well-defined regular expression that matches your requirements in the pattern field of string parameters. This ensures that only strings matching the set pattern get passed to your API.

For example, the API below only accepts UUIDs that are compliant with RFC 4122:

1post:
2  description: Creates a new pet in the store
3  operationId: addPet
4  parameters:
5    - name: pet
6      in: body
7      description: Pet to add to the store
8      required: true
9      schema:
10        type: object
11        additionalProperties: false
12        required:
13          - name
14        properties:
15          name:
16            type: string
17            maxLength: 10
18            pattern: ^[A-Za-z0-9]{3,10}$
19

We recommend that you carefully think what kind of regular expression best matches your needs. Do not simply blindly copy the pattern from the code example.

For more information on regular expressions, see the following:


Copyright 42Crunch 2021