Pattern of the string schema in a request does not match the 'minLength' or 'maxLength' properties

Issue ID: schema-request-string-pattern-incompatible

Average severity: Medium

Description

Some string parameters in your API define a pattern whose length constraints conflict with the minLength or maxLength properties defined for the same string, so no value can satisfy all of them at once.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The string defines a pattern, but the maximum length the pattern allows (10 characters) is shorter than the minLength required for the same string (25):

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "parameters": [
            {
                "name": "pet",
                "in": "body",
                "description": "Pet to add to the store",
                "required": true,
                "schema": {
                    "type": "object",
                    "additionalProperties": false,
                    "required": [
                        "name"
                    ],
                    "properties": {
                        "name": {
                            "type": "string",
                            "pattern": "^[a-z]{3,10}$",
                            "minLength": 25
                        }
                    }
                }
            }
        ]
    }
}

Or the pattern could require longer strings (at least 5 characters) than maxLength allows (3):

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "parameters": [
            {
                "name": "pet",
                "in": "body",
                "description": "Pet to add to the store",
                "required": true,
                "schema": {
                    "type": "object",
                    "additionalProperties": false,
                    "required": [
                        "name"
                    ],
                    "properties": {
                        "name": {
                            "type": "string",
                            "pattern": "^[a-z]{5,10}$",
                            "maxLength": 3
                        }
                    }
                }
            }
        ]
    }
}

Possible exploit scenario

If the lengths defined in the pattern conflict with minLength or maxLength and input and output validation is strictly enforced, no string can satisfy all the constraints, so every API call that sends the parameter inevitably fails.

If API calls are still accepted, this implies that validation for the pattern or string length — or both — is not properly enforced, which is a sign that input validation is not done properly in the backend implementation of the API.

Remediation

Make sure that the patterns you define for strings do not conflict with the minLength or maxLength properties.

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "parameters": [
            {
                "name": "pet",
                "in": "body",
                "description": "Pet to add to the store",
                "required": true,
                "schema": {
                    "type": "object",
                    "additionalProperties": false,
                    "required": [
                        "name"
                    ],
                    "properties": {
                        "name": {
                            "type": "string",
                            "pattern": "^[a-z]{3,10}$",
                            "minLength": 3,
                            "maxLength": 10
                        }
                    }
                }
            }
        ]
    }
}
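The check the remediation asks for can be automated before a definition is published. The following is an added example written for this page, not part of the audit tool or the OpenAPI Specification: it walks a fragment of an API definition, derives the minimum and maximum length each string `pattern` can match, and reports every string schema whose pattern, minLength and maxLength together exclude all values. It also includes a small `accepts` function showing what strict enforcement of all three keywords does to incoming values, which is the failure mode described under the exploit scenario. Assumptions: the length bounds come from Python's own regex parser (`re._parser`, formerly `sre_parse`), a private module used here as an approximation of the ECMA 262 dialect that JSON Schema specifies; the `pet_operation` helper, the constant names and the `$.post...` path notation are constructed for this example; the three `name` schemas are taken from the page.

```python
"""Flag string schemas whose ``pattern`` can never be satisfied together with
``minLength``/``maxLength``, and show what strict enforcement does to values."""
import re

# Python's regex parser reports the (min, max) width a pattern can match. It is
# a private module (re._parser from 3.11, sre_parse before), so this relies on
# an implementation detail rather than a public API.
try:
    from re import _parser as sre_parse
except ImportError:  # Python < 3.11
    import sre_parse

UNBOUNDED = getattr(sre_parse, "MAXREPEAT", 0xFFFFFFFF)


def pattern_length_bounds(pattern):
    """Return (lo, hi, anchored); hi is None when the pattern is unbounded.

    JSON Schema patterns are not implicitly anchored: an unanchored pattern only
    has to occur somewhere in the value, so its minimum width still bounds the
    value length from below, but its maximum width is an upper bound only when
    the pattern is anchored with ^ ... $ at the top level.
    """
    parsed = sre_parse.parse(pattern)
    lo, hi = parsed.getwidth()
    anchored = (
        len(parsed) >= 2
        and parsed[0] == (sre_parse.AT, sre_parse.AT_BEGINNING)
        and parsed[-1] == (sre_parse.AT, sre_parse.AT_END)
    )
    return lo, (None if hi >= UNBOUNDED else hi), anchored


def string_schema_conflicts(schema):
    """Reasons why no value can satisfy this string schema (empty if consistent)."""
    reasons = []
    min_len = schema.get("minLength")
    max_len = schema.get("maxLength")
    if "pattern" in schema:
        lo, hi, anchored = pattern_length_bounds(schema["pattern"])
        if max_len is not None and lo > max_len:
            reasons.append(f"pattern needs at least {lo} chars, maxLength is {max_len}")
        if min_len is not None and anchored and hi is not None and hi < min_len:
            reasons.append(f"pattern allows at most {hi} chars, minLength is {min_len}")
    if min_len is not None and max_len is not None and min_len > max_len:
        reasons.append(f"minLength {min_len} exceeds maxLength {max_len}")
    return reasons


def find_conflicts(node, path="$"):
    """Walk an API definition fragment and collect (path, reason) findings for
    every string schema that can never accept a value. Plain recursion over
    dicts and lists; $ref is not resolved."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "string":
            findings += [(path, r) for r in string_schema_conflicts(node)]
        for key, value in node.items():
            findings += find_conflicts(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += find_conflicts(value, f"{path}[{i}]")
    return findings


def accepts(schema, value):
    """Strict enforcement of pattern, minLength and maxLength, as a validating
    gateway or backend would apply them (pattern uses search semantics)."""
    if "minLength" in schema and len(value) < schema["minLength"]:
        return False
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        return False
    if "pattern" in schema and re.search(schema["pattern"], value) is None:
        return False
    return True


def pet_operation(name_schema):
    """Constructed wrapper reproducing the page's addPet operation around a
    given schema for the `name` property."""
    return {"post": {"operationId": "addPet", "parameters": [{
        "name": "pet", "in": "body", "required": True,
        "schema": {"type": "object", "required": ["name"],
                   "properties": {"name": name_schema}}}]}}


# The three `name` schemas from this page: two conflicting, one remediated.
TOO_SHORT_PATTERN = {"type": "string", "pattern": "^[a-z]{3,10}$", "minLength": 25}
TOO_LONG_PATTERN = {"type": "string", "pattern": "^[a-z]{5,10}$", "maxLength": 3}
REMEDIATED = {"type": "string", "pattern": "^[a-z]{3,10}$", "minLength": 3, "maxLength": 10}

if __name__ == "__main__":
    for label, schema in [("too short", TOO_SHORT_PATTERN),
                          ("too long", TOO_LONG_PATTERN), ("remediated", REMEDIATED)]:
        print(label, find_conflicts(pet_operation(schema)))
    # With a conflicting schema, strict validation rejects every candidate value.
    print(any(accepts(TOO_LONG_PATTERN, "a" * n) for n in range(20)))
```

Only the minimum width is used against maxLength for unanchored patterns, since a pattern that merely has to occur somewhere in the value puts no upper bound on its length; a linter that ignored this would report false conflicts on patterns like `[a-z]{3,10}` without anchors.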