Schema in a request defines combining operations

Issue ID: schema-request-xof-additionalproperties-false

Average severity: Medium

Description

The schema combines subschemas with allOf and sets additionalProperties to a Boolean value (true or false) rather than to a Schema Object.

In JSON Schema, an object accepts additional properties by default, and additionalProperties can be set to the Boolean false to forbid them or true to allow them explicitly. OpenAPI Specification (OAS) v2 does not define this Boolean form: in OAS v2, additionalProperties must be a Schema Object, and current tooling (parsers, validators, code generators) expects an object there and does not support a Boolean. Using Boolean values is therefore not recommended.

However, OAS v2 does support using additionalProperties to specify a schema to which the additional properties must conform.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The reusable Pet schema in the definitions section is extended through allOf with a Cat schema that adds an enum property, and additionalProperties on Cat is set to the Boolean true to allow additional properties:

{
    "definitions": {
        "Pet": {
            "type": "object",
            "properties": {
                "name": {
                    "type": "string"
                },
                "petType": {
                    "type": "string"
                }
            },
            "required": [
                "name",
                "petType"
            ]
        },
        "Cat": {
            "type": "object",
            "allOf": [
                {
                    "$ref": "#/definitions/Pet"
                },
                {
                    "type": "object",
                    "properties": {
                        "furType": {
                            "type": "string",
                            "enum": [
                                "short-haired",
                                "long-haired",
                                "curly",
                                "naked"
                            ],
                            "default": "short-haired"
                        }
                    }
                }
            ],
            "additionalProperties": true
        }
    }
}

Possible exploit scenario

While it is unlikely that attackers will be able to breach your API directly because of a Boolean value for additionalProperties, it still poses a risk to API security. Because the Boolean form is not a documented part of OAS v2, the API implementation and the tooling around it (validators, gateways, generated clients and servers) may not behave as the developer expects. Such a discrepancy is an inherent risk and is not recommended.

Remediation

In API definitions that follow OAS v2, do not combine allOf with a Boolean additionalProperties.

We recommend updating your API definition to follow the OAS v3, because it offers proper support for additionalProperties as Boolean, in addition to other improvements.

If you cannot update your API definition to OAS v3, give additionalProperties a Schema Object (inline or through $ref) that describes the shape the additional properties must have:

{
    "definitions": {
        "Pet": {
            "type": "object",
            "properties": {
                "name": {
                    "type": "string"
                },
                "petType": {
                    "type": "string"
                }
            },
            "required": [
                "name",
                "petType"
            ],
            "additionalProperties": {
                "$ref": "#/definitions/Cat"
            }
        },
        "Cat": {
            "type": "object",
            "properties": {
                "furType": {
                    "type": "string",
                    "enum": [
                        "short-haired",
                        "long-haired",
                        "curly",
                        "naked"
                    ],
                    "default": "short-haired"
                }
            }
        }
    }
}
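As an added example that is not part of this page or of any vendor tool, the following Python script applies the check described in the Description and the Remediation above to a constructed Swagger 2.0 document: it walks every Schema Object under definitions, reports each additionalProperties whose value is not a Schema Object (noting whether the enclosing schema also uses allOf), and rewrites additionalProperties: true to the empty schema {} as the closest OAS v2 equivalent. The sample document, the function names and the choice of {} as the replacement are assumptions made for illustration; the sample deliberately carries a bare string pointer as a second malformed value so that the scan shows it is not limited to Booleans.

```python
import copy
import json

# Constructed sample (assumption, not a real API): the Pet and Cat definitions
# of the example above wrapped in a minimal Swagger 2.0 document. Cat carries
# the Boolean additionalProperties this check targets; Pet deliberately carries
# a bare string where a Schema Object belongs.
SAMPLE_OAS2 = json.loads(r'''
{
  "swagger": "2.0",
  "info": {"title": "Pets", "version": "1.0"},
  "paths": {},
  "definitions": {
    "Pet": {
      "type": "object",
      "properties": {"name": {"type": "string"}, "petType": {"type": "string"}},
      "required": ["name", "petType"],
      "additionalProperties": "#/definitions/Cat"
    },
    "Cat": {
      "type": "object",
      "allOf": [
        {"$ref": "#/definitions/Pet"},
        {"type": "object",
         "properties": {"furType": {"type": "string",
                                    "enum": ["short-haired", "long-haired", "curly", "naked"]}}}
      ],
      "additionalProperties": true
    }
  }
}
''')


def _escape(token):
    """Escape one JSON Pointer reference token (RFC 6901)."""
    return str(token).replace("~", "~0").replace("/", "~1")


def iter_schemas(schema, pointer):
    """Yield (json_pointer, schema) for `schema` and every Schema Object nested
    in it, following the structural keywords OAS v2 defines: properties,
    items, allOf and additionalProperties (anyOf/oneOf/not are OAS v3 only)."""
    if not isinstance(schema, dict):
        return
    yield pointer, schema
    props = schema.get("properties")
    if isinstance(props, dict):
        for name, sub in props.items():
            yield from iter_schemas(sub, f"{pointer}/properties/{_escape(name)}")
    for i, sub in enumerate(schema.get("allOf") or []):
        yield from iter_schemas(sub, f"{pointer}/allOf/{i}")
    for key in ("items", "additionalProperties"):
        if key in schema:
            yield from iter_schemas(schema[key], f"{pointer}/{key}")


def find_non_schema_additional_properties(doc):
    """Report every additionalProperties under #/definitions whose value is not
    a Schema Object. OAS v2 defines only the object form (inline schema or
    {"$ref": ...}); a Boolean, or a bare string such as a pointer, is undefined
    there and tooling disagrees on how to treat it."""
    findings = []
    for name, root in doc.get("definitions", {}).items():
        for pointer, schema in iter_schemas(root, f"#/definitions/{_escape(name)}"):
            if "additionalProperties" not in schema:
                continue
            value = schema["additionalProperties"]
            if isinstance(value, dict):
                continue  # inline schema or $ref: the form OAS v2 supports
            findings.append({
                "pointer": f"{pointer}/additionalProperties",
                "value": value,
                "under_allOf": "allOf" in schema,  # the combination this issue flags
            })
    return findings


def rewrite_true_to_empty_schema(doc):
    """Return a deep copy of `doc` with every `additionalProperties: true`
    replaced by {} (the empty schema, which accepts any value), the closest
    thing OAS v2 has to "allow any additional property". `false` has no OAS v2
    equivalent, so it is left in place for the report above to surface."""
    fixed = copy.deepcopy(doc)
    for root in fixed.get("definitions", {}).values():
        for _, schema in iter_schemas(root, ""):
            if schema.get("additionalProperties") is True:
                schema["additionalProperties"] = {}
    return fixed


if __name__ == "__main__":
    for f in find_non_schema_additional_properties(SAMPLE_OAS2):
        print(f"{f['pointer']}: {f['value']!r} (under allOf: {f['under_allOf']})")
    print(json.dumps(rewrite_true_to_empty_schema(SAMPLE_OAS2)["definitions"]["Cat"], indent=2))
```

Run against a real definition, replace SAMPLE_OAS2 with json.load() of the file; the pointers in the report are plain JSON Pointers, so they can be pasted straight into an editor or a spectral/ajv error message to locate the offending line. Note that the rewrite only covers true: a false has to be dropped (falling back to the JSON default of allowing extra properties) or the definition has to move to OAS v3, which supports the Boolean form.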