Array has no maximum number of items defined

Issue ID: parameter-array-maxitems

Average severity: High

Description

One or more arrays in your API do not have the maximum number of items they can contain specified.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "name": "someArray",
    "in": "body",
    "type": "array",
    "items": {
        "type": "string",
        "pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
    }
}

Possible exploit scenario

If an array does not specify the maximum number of items it may contain, attackers may try to submit a call with an extremely large number of array entries. This could make your JSON parser module crash or cause a buffer overflow.

Remediation

Set the maxItems parameter to ensure that you only allow calls of reasonable size:

{
    "name": "someArray",
    "in": "body",
    "type": "array",
    "maxItems": 3,
    "items": {
        "type": "string",
        "pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
    }
}
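As an added example, not from the original page: a small Python check that first walks an API definition and reports every array schema that lacks maxItems (the finding above), and then enforces a declared maxItems on an incoming body before the entries are processed. The spec fragment is constructed and mirrors the parameter shape shown above; the names and paths are assumptions.

```python
import json

# Constructed Swagger-style fragment (assumption, not the page's full API):
# one array parameter without maxItems and one with the remediation applied.
SPEC = json.loads("""
{
  "paths": {
    "/cards": {
      "post": {
        "parameters": [
          {"name": "someArray", "in": "body", "type": "array",
           "items": {"type": "string"}},
          {"name": "boundedArray", "in": "body", "type": "array",
           "maxItems": 3, "items": {"type": "string"}}
        ]
      }
    }
  }
}
""")


def find_unbounded_arrays(node, path="$"):
    """Return the JSON paths of every array schema that declares no maxItems."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "array" and "maxItems" not in node:
            findings.append(path)
        for key, value in node.items():
            findings.extend(find_unbounded_arrays(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            findings.extend(find_unbounded_arrays(value, f"{path}[{idx}]"))
    return findings


def check_array_length(schema, payload):
    """Reject a decoded body whose array exceeds the schema's maxItems.

    A schema without maxItems is treated as a failure too, so an unbounded
    array never reaches the code that processes its entries."""
    if not isinstance(payload, list):
        return False, "body is not an array"
    limit = schema.get("maxItems")
    if limit is None:
        return False, "schema declares no maxItems; refusing unbounded input"
    if len(payload) > limit:
        return False, f"array has {len(payload)} items, limit is {limit}"
    return True, "ok"
```

Note that maxItems is checked on the already-decoded array, so it does not protect the parser itself; pair it with a request body size limit at the gateway or framework so oversized payloads are rejected before decoding.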