Pattern for string items in an array schema is too loose

Average severity: Medium

Description

An array schema containing string items specifies a pattern for those strings that is too loosely defined. The pattern does not actually limit what gets passed to the API.

Example

The following is an example of how this type of risk could look in your API definition. The array accepts items of the type string, but the item pattern .* matches any string, so it restricts nothing:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "required": [
          "name"
        ],
        "properties": {
          "name": {
            "type": "string"
          },
          "favfood": {
            "type": "array",
            "items": {
              "type": "string",
              "pattern": ".*"
            }
          }
        }
      }
    }
  ],

Possible exploit scenario

If you define a pattern that is too loose for strings, you do not actually limit what is accepted as input. This could open your backend server to various attacks, such as SQL injection or buffer overflows.

Remediation

Set a well-defined regular expression in the pattern field of string items in array schemas. This ensures that only arrays of strings matching the set pattern get passed to your API.

For example, the API below only accepts strings that are compliant with RFC 4122. The pattern value is a bare ECMA 262 regular expression: it takes no /.../ delimiters or flags, so case-insensitivity is spelled out in the character classes, and the ^ and $ anchors make it apply to the whole string:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "Pet to add to the store",
      "required": true,
      "schema": {
        "type": "object",
        "required": [
          "name"
        ],
        "properties": {
          "name": {
            "type": "string"
          },
          "favfood": {
            "type": "array",
            "items": {
              "type": "string",
              "pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
            }
          }
        }
      }
    }
  ],
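A check for this finding, as an added example that is not part of the original page or of any audit tool's own code: it walks a definition, evaluates each pattern with the ECMA 262 regex engine that JSON Schema prescribes, and flags item patterns that are missing, accept every probe string, or are unanchored. The function names, the probe strings, and the tags, labels and petIds properties are assumptions made for the example.

```javascript
// Added example: flag array-of-string schemas whose `pattern` constrains nothing.
// PROBES are constructed values; a pattern that accepts all of them is no filter.
const PROBES = ["", " ", "x' OR '1'='1", "<b>", "A".repeat(5000)];

function classifyPattern(pattern) {
  if (pattern === undefined) return "missing";
  let re;
  try {
    re = new RegExp(pattern); // JSON Schema patterns use the ECMA 262 dialect
  } catch {
    return "invalid";
  }
  if (PROBES.every((p) => re.test(p))) return "loose";
  // `pattern` is a substring search unless anchored (heuristic check).
  if (!pattern.startsWith("^") || !pattern.endsWith("$")) return "unanchored";
  return "ok";
}

// Walk any OpenAPI/JSON Schema fragment and report array item schemas of type string.
function auditArrayItemPatterns(node, path = "$", findings = []) {
  if (node === null || typeof node !== "object") return findings;
  if (!Array.isArray(node) && node.type === "array" && node.items?.type === "string") {
    const verdict = classifyPattern(node.items.pattern);
    if (verdict !== "ok") findings.push({ path: `${path}.items`, verdict });
  }
  for (const [key, value] of Object.entries(node)) {
    auditArrayItemPatterns(value, `${path}.${key}`, findings);
  }
  return findings;
}

// Constructed definition: `favfood` mirrors the page; the other properties are hypothetical.
const UUID = "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$";
const sampleSchema = {
  type: "object",
  properties: {
    favfood: { type: "array", items: { type: "string", pattern: ".*" } },
    tags: { type: "array", items: { type: "string", pattern: "[a-z]+" } },
    labels: { type: "array", items: { type: "string" } },
    petIds: { type: "array", items: { type: "string", pattern: UUID } },
  },
};

console.log(auditArrayItemPatterns(sampleSchema));
```

A pattern written with regex-literal delimiters, such as "/^...$/i", is also reported as unanchored, because the leading slash is treated as a literal character.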
