Array header with numeric items has no maximum defined

Average severity: Medium

Description

An array header containing numeric items does not specify the maximum value of the items.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The array header accepts items of the type integer but does not specify the maximum value for them:

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "int32"
          }
        }
      }
    }
  }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API produces in each method.

Remediation

Set both the minimum and maximum values for numeric items. This provides an extra layer of safety ensuring that your API only returns data that you expect it to return.

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "array",
          "items": {
            "type": "integer",
            "format": "int32",
            "minimum": 0,
            "maximum": 100
          }
        }
      }
    }
  }
}

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy