String parameter has no pattern defined
Issue ID: parameter-string-pattern
Average severity: Medium
Description
Some string parameters in your API do not define any pattern for the accepted strings. This means that they do not limit the values that get passed to the API.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. Because no pattern is defined, the API accepts a string of any size and value:
{
"parameters": {
"in": "query",
"name": "id",
"type": "string",
"description": "Identifier of the object to be extracted."
}
}
Possible exploit scenario
If you do not define a pattern for strings, any string is accepted as the input. This could open your backend server to various attacks, such as SQL injection.
Remediation
Set a well-defined regular expression that matches your requirements in the pattern
field of string parameters. This ensures that only strings matching the set pattern get passed to your API.
For example, the API below only accepts UUIDs that are compliant with RFC 4122:
{
"parameters": {
"in": "query",
"name": "id",
"type": "string",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$",
"description": "Identifier of the object to be extracted."
}
}
We recommend that you carefully think what kind of regular expression best matches your needs. Do not simply blindly copy the pattern from the code example.
Remember to include the anchors ^
and $
in your regular expression, otherwise the overall length of the pattern could be considered infinite. If you include the anchors in the regular expression and the pattern only has fixed or constant quantifiers (like {10,64}
, for example), you do not have to define the property maxLength
separately for the object, as the length is fully constrained by the pattern. However, if the regular expression does not include the anchors or its quantifiers are not fixed (like in ^a.*b$
), it can be considered to be just a part of a longer string and the property maxLength
is required to constrain the length.
For more information on regular expressions, see the following:
- Language-agnostic information on regular expressions at Base Definitions page on regular expressions
- OWASP Validation Regex Repository
- RegExr, an online tool for building and testing regular expressions
The following are examples of regular expressions for some common elements:
Element | Examples of regular expressions | Examples with escape |
---|---|---|
Alphanumeric string |
|
— |
Base64‑encoding (for an image) |
|
^data:image\\/(?:gif|png|jpeg|bmp|webp)(?:;charset=utf-8)?;base64,(?:[A-Za-z0-9]|[+/])+={0,2}$
|
Date and time |
|
|
Duration |
|
^\\d+:\\d{2}:\\d{2}$
|
Email address (common format) |
|
^([a-z0-9_\\.-]+)@([\\da-z\\.-]+)\\.([a-z\\.]{2,5})$
|
File |
|
|
IP address |
|
|
Numbers |
|
|
Password constraints |
Password that has:
|
^(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[*.!@$%^&(){}[]:;<>,.?/~_+-=|\\]).{10,64}$
|
Phone number |
International phone number, country code optional: Use libraries instead or regular expressions to validate phone numbers whenever possible. |
^(?:(?:\\(?(?:00|\\+)([1-4]\\d\\d|[1-9]\\d?)\\)?)?[\\-\\.\\ \\\\\\/]?)?((?:\\(?\\d{1,}\\)?[\\-\\.\\ \\\\\\/]?){0,})(?:[\\-\\.\\ \\\\\\/]?(?:#|ext\\.?|extension|x)[\\-\\.\\ \\\\\\/]?(\\d+))?$
|
URL/URI (with protocol optional) |
|
^(https?:\\/\\/)?(www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6}\\b([-a-zA-Z0-9@:%_\\+.~#?&//=]*)$
|
UUID |
|
— |