Schema in a response allows additional properties

Issue ID: schema-response-object-additionalproperties-true

Average severity: Medium

Description

The schema you have defined allows additional properties, either intentionally or unintentionally.

In JSON, by default, any object can also accept additional properties. OpenAPI Specification (OAS) v2 does not define this behavior, and the current tooling (such as parsers and codegen) does not support it. Instead, they only accept the value object for this property. Thus, it is not recommended to use Boolean values.

However, OAS v2 does support using additionalProperties to specify a schema to which the additional properties must conform.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. In this case, the schema does not use any combining operations (so there is no need to allow additional properties) but additionalProperties is set to true:

{
    "post": {
        "description": "Creates a new pet in the store",
        // ...
        "responses": {
            "200": {
                "description": "success",
                "schema": {
                    "type": "object",                        
                    "$ref": "#/definitions/NewPet"
                }
            }
        }
    },
    // ...
    "definitions": {
        "NewPet": {
            "type": "object",
            "required": [
                "name"
            ],
            "properties": {
                "name": {
                    "type": "string"
                },
                "tag": {
                    "type": "string"
                }
            },
            "required": [
                "name"
            ],
            "additionalProperties": true
        }
    }
}

Possible exploit scenario

Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. Good data definition quality in the schemas used in API responses allows reliably validating that the contents of outgoing API responses are as expected.

While filtering API responses does not block a specific kind of attack, it is there as a damage control mechanism in the unfortunate event that a successful attack has been conducted: it allows blocking the response and prevent attackers from retrieving data they should not access.

In the vast majority of cases (with the notable exception of Denial of Service (DoS and DDoS) attacks) attacks are conducted because attackers want to access data or resources they should not have access to. Often, this means that the structure or the size of the API response changes as a result of a successful attack, compared to a normal API response.

Validating that API responses are as expected can be achieved through proper schema validation of the API responses. The accuracy of this depends on the quality of the response schemas: the better defined your schemas are, the easier it is to detect when something is not right.

Remediation

The safest option is not to allow additional properties. If the schema does not use allOf at all, make sure you define all properties of the accepted JSON payload in the schema itself.

Do not use combining operations (allOf) for defining additional properties in API definitions following the OAS v2.

We recommend updating your API definition to follow the OAS v3, because it offers proper support for additionalProperties as Boolean, in addition to other improvements.

If you cannot update your API to OAS v3, use additionalProperties to provide the schema that you want to support:

{
    "definitions": {
        "Pet": {
            "type": "object",
            "properties": {
                "name": {
                    "type": "string"
                },
                "petType": {
                    "type": "string"
                }
            },
            "required": [
                "name",
                "petType"
            ],
            "additionalProperties": "#/definitions/Cat"    
        },
        "Cat": {
            "properties": {
                "furType": {
                    "type": "enum",
                    "enum": [
                        "short-haired",
                        "long-haired",
                        "curly",
                        "naked"
                    ],
                    "default": "short-haired"
                }
            }
        }
    }
}