Array schema has no maximum number of items defined

Average severity: Medium

Description

An array schema does not specify the maximum number of items it can contain.

Example

The following is an example of how this type of risk could look in your API definition:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "required": [
          "name"
        ],
        "properties": {
          "name": {
            "type": "string"
          },
          "favfood": {
            "type": "array",
            "items": {
              "type": "string"
            }
          }
        }
      }
    }
  ],

Possible exploit scenario

If an array schema does not specify the maximum number of items in an array, attackers may try to submit a call with an extremely large number of array entries. This could make your JSON parser crash or cause a buffer overflow.

Remediation

Set the maxItems property to ensure that the schema only allows calls of reasonable size:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "required": [
          "name"
        ],
        "properties": {
          "name": {
            "type": "string"
          },
          "favfood": {
            "type": "array",
            "maxItems": 3,
            "items": {
              "type": "string"
            }
          }
        }
      }
    }
  ],
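To show what the remediated schema actually enforces, here is an added example (not part of the original page) that validates request bodies against the pet schema above using a small hand-written validator for the JSON Schema keywords the page uses; the helper names and the sample bodies are constructed for this illustration.

```python
import json

# The remediated body schema from the page: favfood is capped at 3 items.
PET_SCHEMA = {
    "type": "object",
    "required": ["name"],
    "properties": {
        "name": {"type": "string"},
        "favfood": {"type": "array", "maxItems": 3, "items": {"type": "string"}},
    },
}

TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
}


def validate(value, schema, path="$"):
    """Return a list of violations for the JSON Schema subset used on this
    page (type, required, properties, items, maxItems). Empty list = valid."""
    errors = []
    expected = schema.get("type")
    if expected in TYPE_CHECKS and not TYPE_CHECKS[expected](value):
        return [f"{path}: expected {expected}"]
    if expected == "object":
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required property missing")
        for key, sub in schema.get("properties", {}).items():
            if key in value:
                errors.extend(validate(value[key], sub, f"{path}.{key}"))
    elif expected == "array":
        limit = schema.get("maxItems")
        if limit is not None and len(value) > limit:
            # Length check first: an oversized array is rejected without
            # validating each of its entries.
            return [f"{path}: {len(value)} items exceeds maxItems {limit}"]
        for i, item in enumerate(value):
            errors.extend(validate(item, schema.get("items", {}), f"{path}[{i}]"))
    return errors


def check_request(raw_body, schema=PET_SCHEMA):
    """Parse a raw JSON request body and validate it; returns (accepted, errors)."""
    errors = validate(json.loads(raw_body), schema)
    return (not errors, errors)


# Constructed sample bodies: one within the limit, one far over it.
OK_BODY = json.dumps({"name": "Rex", "favfood": ["kibble", "chicken"]})
OVERSIZED_BODY = json.dumps({"name": "Rex", "favfood": ["a"] * 10000})
```

Note that schema validation runs only after the body has been parsed, so a request body size limit at the gateway or web server still belongs in front of it.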
