Schema defines combining operations

Description

The schema defines combining operations allOf which requires additionalProperties to behave as Boolean.

In JSON, by default, any object can also accept additional properties. OpenAPI Specification (OAS) v2 does not define this behavior, and the current tooling (such as parsers and codegen) does not support it. Instead, they only accept the value object for this property. Thus, it is not recommended to use Boolean values.

However, OAS v2 does support using additionalProperties to specify a schema to which the additional properties must conform.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. A reusable schema in the definitions section has been extended with an enum from allOf, and the property additionalProperties is set to trueto allow additional properties:

1definitions:
2  Pet:
3    type: object
4    properties:
5      name:
6        type: string
7      petType:
8        type: string
9    required:
10      - name
11      - petType
12  Cat:
13    type: object
14    allOf:
15      - $ref: "#/definitions/Cat"
16      - type: object
17        properties:
18          furType:
19            type: enum
20            enum:
21              - short-haired
22              - long-haired
23              - curly
24              - naked
25            default: short-haired
26    additionalProperties: true
27

Possible exploit scenario

While it is unlikely that attackers will be able to directly breach your API because of a boolean value for additionalProperties, it may still pose a risk to API security. Because this is not a documented part of the OAS, the API implementation may not behave according to developer expectations. Such a discrepancy has an inherent risk and is not recommended.

Remediation

Do not use combining operations (allOf) for defining additional properties in API definitions following the OAS v2.

We recommend updating your API definition to follow the OAS v3, because it offers proper support for additionalProperties as Boolean, in addition to other improvements.

If you cannot update your API to OAS v3, use additionalProperties to provide the schema that you want to support:

1definitions:
2  Pet:
3    type: object
4    properties:
5      name:
6        type: string
7      petType:
8        type: string
9    required:
10      - name
11      - petType
12    additionalProperties: "#/definitions/Cat"
13  Cat:
14    properties:
15      furType:
16        type: enum
17        enum:
18          - short-haired
19          - long-haired
20          - curly
21          - naked
22        default: short-haired
23

Copyright 42Crunch 2021