Path item is empty
Issue ID: paths-pathitem-empty
Average severity: Medium
Description
One or more path items in your API are empty.
While the OpenAPI Specification allows for empty path items, this means that API Protection in 42Crunch Platform cannot properly secure your API.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition:
{
"paths": {
"/pets": {}
}
}
Possible exploit scenario
An empty path item declares that a path exists but says nothing about which operations it accepts or which parameters, request bodies and responses those operations use. The path itself is visible, but everything behind it is hidden. API consumers may get by without that information, but anything that protects your API based on the definition cannot.
Because API Protection uses a positive security model and bases its allowlisting strictly on the API contract spelled out in your API definition, it requires the complete, canonical form of your OpenAPI definition. What API Protection cannot see, it cannot fully protect. If your OpenAPI definition has empty path items, API Protection cannot see the operations behind those paths, and you cannot consider your API fully protected even if you have deployed an API Firewall instance for it. Attackers could find a way to exploit the operations that are invisible to API Firewall.
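The check below, added here as an illustration and not part of 42Crunch's own audit engine, shows how such a finding can be reproduced locally before uploading a definition: it walks `paths` and reports every path item that carries no operation object. Besides the literal `{}` case this issue is about, it also reports path items that only hold shared fields such as `parameters` (an allowlist built from them would still admit no request) and path items that are nothing but a `$ref`, which must be resolved before the operations can be audited. The sample definition, the method set and the reason labels are all constructed for this example.

```python
import json

# Fixed fields of a Path Item Object that are operations (OpenAPI 3.x).
# Swagger 2.0 has the same set minus "trace".
HTTP_METHODS = frozenset(
    {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
)


def find_empty_path_items(spec):
    """Return a list of (path, reason) findings for path items without operations.

    Reasons (labels constructed for this example):
      "empty"          - the path item is {}  (issue paths-pathitem-empty)
      "no-operations"  - keys such as summary/parameters exist, but no HTTP method
      "unresolved-ref" - the path item is a $ref; resolve it, then audit the target
      "not-an-object"  - the path item is not a JSON object at all
    """
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            findings.append((path, "not-an-object"))
            continue
        has_operations = bool(item.keys() & HTTP_METHODS)
        if not item:
            findings.append((path, "empty"))
        elif "$ref" in item and not has_operations:
            findings.append((path, "unresolved-ref"))
        elif not has_operations:
            findings.append((path, "no-operations"))
    return findings


# Constructed sample definition: one empty path item, one with only shared
# parameters, one that is just a reference, and one that is fully defined.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Pet store (constructed sample)", "version": "1.0.0"},
  "paths": {
    "/pets": {},
    "/pets/{petId}": {
      "parameters": [
        {"name": "petId", "in": "path", "required": true,
         "schema": {"type": "string"}}
      ]
    },
    "/owners": {"$ref": "owners.json#/Owners"},
    "/health": {
      "get": {
        "operationId": "health",
        "responses": {"200": {"description": "OK"}}
      }
    }
  }
}
""")


def main():
    findings = find_empty_path_items(SAMPLE_SPEC)
    if not findings:
        print("no empty path items")
    for path, reason in findings:
        print(f"{path}: {reason}")


if __name__ == "__main__":
    main()
```

Run against a real definition, the `paths` dictionary can be fed from `json.load()` of the file; `no-operations` and `unresolved-ref` are worth reporting alongside `empty`, because from the firewall's point of view all three leave the path without an allowlist.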
Remediation
Make sure you define all path items in your API. Each path item should contain at least one operation, and each operation should spell out its parameters, request body and responses (the responses object is required for every operation in OpenAPI 3.0). In an OpenAPI 3.x definition, referenced schemas live under components, not under the Swagger 2.0 definitions section.
{
  "paths": {
    "/pets": {
      "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
          "description": "Pet to add to the store",
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/NewPet"
              }
            }
          }
        },
        "responses": {
          "201": {
            "description": "Pet created"
          }
        }
      }
    }
  }
}