Array has no type of the items defined

Average severity: Medium

Description

One or more arrays in your API do not have the type of items they can contain specified.

Open API Specification (OAS) v2 requires the type property for items objects. However, most OAS v2 validators do not raise an error on items that do not have type set.

Example

The following is an example of how this type of risk could look in your API definition:

"parameters": [
  {
    "name": "ids",
    "in": "query",
    "description": "IDs to filter by",
    "required": true,
    "type": "array",
    "items": {
      "description": "ID of a specific user"
    }
  }
  ...
]

Possible exploit scenario

If an array does not specify type property for the items in it, users cannot tell the data type of items your API expects. The users may try to send data of unexpected type to your API, which could cause the backend server crash.

In addition, protection services based on OpenAPI definitions are not able to filter out items of unexpected data types. Attackers can try various types for the items, which again could crash the backend server.

When your backend server crashes, the error messages or exception trace could leak information on the implementation of your services. Attackers could then use to this information to make further attacks.

Remediation

Make sure your array definitions include the type property in the items section describing accepted items for the array:

"parameters": [
  {
    "name": "ids",
    "in": "query",
    "description": "IDs to filter by",
    "required": true,
    "type": "array",
    "items": {
      "type": "integer",
      "description": "ID of a specific user"
    }
  }
  ...
]

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy