Pattern of the string schema in a response does not match the 'minLength' or 'maxLength' properties
Issue ID: schema-response-string-pattern-incompatible
Average severity: Medium
Description
Some string parameters in your API define patterns that do not match the properties minLength or maxLength defined for the string.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. The string defines a pattern but the maximum length allowed in the pattern is shorter than the required minLength of the same string:
{
"post": {
"description": "Creates a new pet in the store",
// ...
"responses": {
"200": {
"description": "success",
"schema": {
"type": "object",
"$ref": "#/definitions/NewPet"
}
}
}
},
// ...
"definitions": {
"NewPet": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z]{3,10}$",
"minLength": 25
}
// ...
}
}
}
}Or the pattern could require longer strings than maxLength allows:
{
"post": {
"description": "Creates a new pet in the store",
// ...
"responses": {
"200": {
"description": "success",
"schema": {
"type": "object",
"$ref": "#/definitions/NewPet"
}
}
}
},
// ...
"definitions": {
"NewPet": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z]{5,10}$",
"maxLength": 3
}
// ...
}
}
}
}Possible exploit scenario
Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. Good data definition quality in the schemas used in API responses allows reliably validating that the contents of outgoing API responses are as expected.
While filtering API responses does not block a specific kind of attack, it is there as a damage control mechanism in the unfortunate event that a successful attack has been conducted: it allows blocking the response and prevent attackers from retrieving data they should not access.
In the vast majority of cases (with the notable exception of Denial of Service (DoS and DDoS) attacks) attacks are conducted because attackers want to access data or resources they should not have access to. Often, this means that the structure or the size of the API response changes as a result of a successful attack, compared to a normal API response.
Validating that API responses are as expected can be achieved through proper schema validation of the API responses. The accuracy of this depends on the quality of the response schemas: the better defined your schemas are, the easier it is to detect when something is not right.
Remediation
Make sure that the patterns you define for strings do not conflict with the minLength or maxLength properties.
{
"post": {
"description": "Creates a new pet in the store",
// ...
"responses": {
"200": {
"description": "success",
"schema": {
"type": "object",
"$ref": "#/definitions/NewPet"
}
}
}
},
// ...
"definitions": {
"NewPet": {
"type": "object",
"required": [
"name"
],
"properties": {
"name": {
"type": "string",
"pattern": "^[a-z]{3,10}$",
"minLength": 3,
"maxLength": 10
}
}
}
}
}