String parameter has no pattern defined

Average severity: Medium

Description

Some string parameters in your API do not define any pattern for the accepted strings. This means that they do not limit the values that get passed to the API.

Example

The following is an example of how this type of risk could look in your API definition. Because no pattern is defined, the API accepts a string of any size and value:

{
  "parameters": {
     "in": "query",
     "name": "id",
     "type": "string",
     "description": "Identifier of the object to be extracted."
  }
}

Possible exploit scenario

If you do not define a pattern for strings, any string is accepted as the input. This could open your backend server to various attacks, such as SQL injection.

Remediation

Set a well-defined regular expression in the pattern field of the string parameter. This ensures that only strings matching the pattern get passed to your API.

For example, the API below only accepts UUIDs that are compliant with RFC 4122:

{
  "parameters": {
     "in": "query",
     "name": "id",
     "type": "string",
     "pattern": "/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$/i",
     "description": "Identifier of the object to be extracted."
  }
}

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy