Operation does not have the ‘consumes’ field defined

Average severity: Medium

Description

The consumes field for a POST, PUT or PATCH operation has not been defined, either in the operation itself or globally in the top-level consumes field.

Example

The following is how this issue could look in your API definition:

{
  "/pets": {
    "put": {
      "summary": "Updates a pet in the store with form data",
      "operationId": "updatePetWithForm",
      "produces": [
        "application/json",
        "application/xml"
      ],
      "parameters": [
...
}

Possible exploit scenario

If you do not define the expected input format for the parameters an operation can take, your API could potentially accept any form of data as input. This could open your API to any number of potential attacks, like buffer overflow, decoding errors, or SQL injection attacks.

Remediation

Specify the MIME types of the accepted input data:

{
  "/pets": {
    "put": {
      "summary": "Updates a pet in the store with form data",
      "operationId": "updatePetWithForm",
      "produces": [
        "application/json",
        "application/xml"
      ],
      "consumes": [
        "application/x-www-form-urlencoded"
      ],
      "parameters": [
...
}

When you restrict the possible inputs of data formats and encoding types, an API firewall can better protect your API.
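As an added example (not part of the original page), the following Python check walks a Swagger 2.0 definition and flags POST, PUT or PATCH operations that declare no accepted MIME type either in the operation or in the top-level consumes field; the sample definition it runs against is constructed here for illustration.

```python
import json

# Methods whose requests normally carry a body; Swagger 2.0 lets
# "consumes" be set per operation or inherited from the top level.
BODY_METHODS = {"post", "put", "patch"}


def find_missing_consumes(spec):
    """Return (path, method) pairs for POST/PUT/PATCH operations that
    declare no accepted request MIME type anywhere in the definition."""
    global_consumes = spec.get("consumes")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Skip non-operation keys ("parameters", "$ref") and GET/DELETE/...
            if method.lower() not in BODY_METHODS:
                continue
            # An operation-level list overrides the global one; an empty
            # list is treated as undefined because it accepts nothing useful.
            consumes = op.get("consumes", global_consumes)
            if not consumes:
                findings.append((path, method.lower()))
    return findings


# Constructed sample definition (not from the original page): the PUT
# relies on no 'consumes' anywhere, the POST declares it explicitly.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Pet store", "version": "1.0"},
  "paths": {
    "/pets": {
      "put": {
        "operationId": "updatePetWithForm",
        "produces": ["application/json"],
        "parameters": []
      },
      "post": {
        "operationId": "addPet",
        "consumes": ["application/x-www-form-urlencoded"],
        "parameters": []
      },
      "get": {"operationId": "listPets"}
    }
  }
}
""")

if __name__ == "__main__":
    for path, method in find_missing_consumes(SAMPLE_SPEC):
        print(f"{method.upper()} {path}: no 'consumes' defined")
```

Adding a top-level consumes list to the same definition makes the finding disappear, which is the inheritance the description above refers to.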
