Array has no maximum number of items defined

Average severity: Medium

Description

One or more arrays in your API do not have the maximum number of items they can contain specified.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
  "name": "someArray",
  "in": "header",
  "type": "array",
  "items": {
    "type": "string",
    "pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
  }
}

Possible exploit scenario

If your API does not specify the maximum number of items for an array, attackers may try to submit a call with an extremely large number of array entries. This could make your JSON parser module crash or cause a buffer overflow, and every entry still has to be processed (for example, matched against the item pattern) before the request is rejected.

Remediation

Set the maxItems parameter to ensure that you only allow calls of reasonable size:

{
  "name": "someArray",
  "in": "header",
  "type": "array",
  "maxItems": 3,
  "items": {
    "type": "string",
    "pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
  }
}
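The following is an added example, not code from this page or from the OpenAPI project, showing what the maxItems bound changes at request time. It takes the unbounded parameter object from the Example section and the remediated one above, validates a header value against each the way an OpenAPI 2.0 enforcement layer would (it assumes the default comma-separated collectionFormat for header arrays and applies "pattern" with an unanchored search, as JSON Schema defines it), and reports how many items had to be inspected before a decision was reached. The function name and the constructed header values are this example's own.

```python
import re

# Both parameter objects below are copied from this page (OpenAPI 2.0 style
# header parameter). The first has no maxItems, the second is the remediated
# form with maxItems set to 3.
CARD_PATTERN = r"^((4\d{3})|(5[1-5]\d{2})|(6011))-?\d{4}-?\d{4}-?\d{4}|3[4,7]\d{13}$"

UNBOUNDED_PARAM = {
    "name": "someArray",
    "in": "header",
    "type": "array",
    "items": {"type": "string", "pattern": CARD_PATTERN},
}

BOUNDED_PARAM = {
    "name": "someArray",
    "in": "header",
    "type": "array",
    "maxItems": 3,
    "items": {"type": "string", "pattern": CARD_PATTERN},
}


def validate_array_header(param, raw_header):
    """Validate one header value against an OpenAPI 2.0 array parameter.

    The value is split as CSV (the default collectionFormat for header
    arrays, assumed here). The item count is checked against maxItems before
    any per-item work, so an oversized request is rejected at constant cost
    instead of running the item regex once per element. "pattern" is applied
    with re.search, which is the JSON Schema meaning of the keyword
    (unanchored unless the pattern itself anchors).

    Returns (accepted, reason, items_inspected).
    """
    items = [s.strip() for s in raw_header.split(",")] if raw_header else []

    max_items = param.get("maxItems")  # None: the schema places no bound
    if max_items is not None and len(items) > max_items:
        return False, f"{len(items)} items exceeds maxItems={max_items}", 0

    item_re = re.compile(param["items"].get("pattern", ""))
    for index, item in enumerate(items):
        if not item_re.search(item):
            return False, f"item {index} does not match pattern", index + 1
    return True, "ok", len(items)


if __name__ == "__main__":
    # Constructed header values: a short valid list and a flood of 10,000 entries.
    small = "4111-1111-1111-1111,5111-2222-3333-4444"
    flood = ",".join(["4111-1111-1111-1111"] * 10_000)
    for label, param in (("no maxItems", UNBOUNDED_PARAM), ("maxItems=3", BOUNDED_PARAM)):
        print(label, "small ->", validate_array_header(param, small))
        print(label, "flood ->", validate_array_header(param, flood))
```

With the unbounded definition the 10,000-entry value is accepted and every entry is run through the pattern; with maxItems set, the same value is refused before a single entry is inspected. The bound belongs in the API definition rather than only in handler code so that gateways, generated validators and contract tests all enforce the same limit.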
