Array header with string items has no pattern defined

Average severity: Medium

Description

An array header containing string items does not define any pattern for the accepted strings. This means that the API contract does not limit the values that can be included in the response header: any string, of any length and content, satisfies the definition.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. Because the items have no pattern (and no maxLength), the array in the header can include strings of any size and value:

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "array",
          "items": {
            "type": "string"
          }
        }
      }
    }
  }
}

Possible exploit scenario

Your API has been designed to return specific data. If you do not define a pattern for the strings, you do not limit what can appear in the response header.

Attackers typically want to make the API change its behavior and return data it is not supposed to return. A particular API failure might leak other data, such as internal records or a stack trace, and an unconstrained header is one place where such output can surface unnoticed.

Locking down the pattern of strings in your response headers helps reduce this risk.

Remediation

Set a well-defined regular expression in the pattern field of the string items in array headers. This provides an extra layer of safety, ensuring that your API only returns data that you expect it to return. Keep in mind that the pattern is a contract constraint: it only takes effect when something validates responses against the contract, such as an API firewall, a gateway, or contract tests. Write it as a bare ECMA 262 regular expression, as the OpenAPI Specification requires, with no surrounding / delimiters and no flags; anchor it with ^ and $, because a pattern is matched as an unanchored search and would otherwise accept any string that merely contains a match. Consider adding maxLength on the items and maxItems on the array as well.

For example, the API below only returns x-ids values that are UUIDs compliant with RFC 4122 (versions 1 to 5, RFC 4122 variant). Because pattern accepts no flags, case-insensitivity is expressed in the character classes themselves:

"responses": {
  "200": {
    "description": "OK",
    "headers": {
      "x-ids": {
        "schema": {
          "type": "array",
          "items": {
            "type": "string",
            "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
          }
        }
      }
    }
  }
}
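The following is an added example, not part of the original page, showing how a response-validating check treats the x-ids header under the unconstrained definition, under the remediated definition, and under a pattern mistakenly written as a JavaScript regex literal with /.../i delimiters. The header values and the validate_header helper are constructed for illustration; Python's re module stands in for the ECMA 262 dialect, which is close enough for this expression. It assumes the OpenAPI default header serialization (style simple, explode false), where array items are comma-separated.

```python
import re

# Bare ECMA 262 expression, anchored, case handled in the classes (no flags in "pattern").
UUID_PATTERN = (
    "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}"
    "-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
)

# Constructed header definitions (schema fragments as they would appear under "headers").
NO_PATTERN_HEADER = {
    "schema": {"type": "array", "items": {"type": "string"}}
}
REMEDIATED_HEADER = {
    "schema": {
        "type": "array",
        "maxItems": 10,
        "items": {"type": "string", "maxLength": 36, "pattern": UUID_PATTERN},
    }
}
# Common mistake: pasting a JavaScript regex literal, delimiters and flag included.
DELIMITED_HEADER = {
    "schema": {
        "type": "array",
        "items": {
            "type": "string",
            "pattern": "/^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$/i",
        },
    }
}


def split_array_header(raw):
    """Split a header value serialized with style=simple, explode=false (comma-separated)."""
    if raw == "":
        return []
    return [item.strip() for item in raw.split(",")]


def validate_header(header_def, raw_value):
    """Return a list of violations for one raw header value; an empty list means it conforms."""
    schema = header_def["schema"]
    items = split_array_header(raw_value)
    violations = []

    max_items = schema.get("maxItems")
    if max_items is not None and len(items) > max_items:
        violations.append(f"too many items: {len(items)} > maxItems {max_items}")

    item_schema = schema.get("items", {})
    pattern = item_schema.get("pattern")
    max_len = item_schema.get("maxLength")
    for i, item in enumerate(items):
        if max_len is not None and len(item) > max_len:
            violations.append(f"item {i} longer than maxLength {max_len}")
        # JSON Schema "pattern" is an unanchored search: re.search, not re.fullmatch.
        # A pattern that lacks ^ and $ therefore accepts any string containing a match.
        if pattern is not None and re.search(pattern, item) is None:
            violations.append(f"item {i} {item!r} does not match pattern")
    return violations


# Constructed sample header values.
GOOD_IDS = "123e4567-e89b-12d3-a456-426614174000,123E4567-E89B-12D3-A456-426614174001"
LEAKED_TRACE = "java.lang.NullPointerException at com.example.Ids.lookup(Ids.java:42)"

if __name__ == "__main__":
    for name, header_def in [("no pattern", NO_PATTERN_HEADER),
                             ("remediated", REMEDIATED_HEADER),
                             ("delimited", DELIMITED_HEADER)]:
        print(name, "good ids ->", validate_header(header_def, GOOD_IDS))
        print(name, "leaked trace ->", validate_header(header_def, LEAKED_TRACE))
```

With no pattern, the leaked stack trace passes as a valid one-item array. The remediated definition accepts both UUIDs regardless of case and rejects the trace. The delimited pattern rejects everything, including valid UUIDs, because the leading / is taken as a literal character; a check that is never exercised against a known-good response would not reveal the mistake, so validate the contract against real responses before relying on it.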
