Operation does not have the 'consumes' field defined

Issue ID: operation-consumes

Average severity: Medium

Description

The consumes field for a POST, PUT or PATCH operation has not been defined, either in the operation itself or globally in the top-level consumes field. The consumes field defines how the exchanged object should be deserialized from HTTP messages.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "/pets": {
        "put": {
            "summary": "Updates a pet in the store with form data",
            "operationId": "updatePetWithForm",
            "produces": [
                "application/json",
                "application/xml"
            ],
            "parameters": [
                // ...
            ]
        }
    }
}

Possible exploit scenario

If you do not define the expected input format for the parameters an operation can take, your API could potentially accept any form of data as input, and payloads in unexpected formats may reach parsers that were never meant to handle them. This could open your API to any number of potential attacks or failures, such as buffer overflows, decoding errors, or SQL injection.

Remediation

Specify the MIME types of the accepted input data:

{
    "/pets": {
        "put": {
            "summary": "Updates a pet in the store with form data",
            "operationId": "updatePetWithForm",
            "produces": [
                "application/json",
                "application/xml"
            ],
            "consumes": [
                "application/x-www-form-urlencoded"
            ],
            "parameters": [
                // ...
            ]
        }
    }
}
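The check below is an added example, not part of the original page or of any API security product: it walks an OpenAPI 2.0 (Swagger) document, resolves the effective consumes list for each POST, PUT or PATCH operation (operation-level overrides the top-level field), and reports operations where nothing is declared. The sample document is constructed to mirror the "/pets" example above; the "/pets" path and the "updatePetWithForm" operation come from the page, the "listPets" operation and the remediated() helper are illustrative assumptions.

```python
"""
Added example (not from the original page): report POST/PUT/PATCH operations in an
OpenAPI 2.0 document whose effective 'consumes' list is empty, then show the same
document after the remediation described on the page.
"""
import json

# Methods for which the rule applies: these operations carry a request body or form data.
BODY_METHODS = ("post", "put", "patch")


def effective_consumes(spec, operation):
    """Return the MIME types the operation accepts.

    OpenAPI 2.0 resolution order: an operation-level 'consumes' overrides the
    top-level one; if neither is present, nothing is declared.
    """
    if "consumes" in operation:
        return list(operation["consumes"])
    return list(spec.get("consumes", []))


def find_missing_consumes(spec):
    """Return (METHOD, path, operationId) for every body-carrying operation that
    declares no accepted MIME type, neither locally nor globally."""
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            # Path-level keys such as 'parameters' are not operations; skip them.
            if method.lower() not in BODY_METHODS:
                continue
            if not effective_consumes(spec, operation):
                op_id = operation.get("operationId", "<no operationId>")
                findings.append((method.upper(), path, op_id))
    return findings


def remediated(spec, mime_types=("application/x-www-form-urlencoded",)):
    """Return a deep copy of the spec where every flagged operation gets an explicit
    'consumes' list (assumed helper; the MIME type matches the page's remediation)."""
    fixed = json.loads(json.dumps(spec))  # deep copy via JSON round-trip
    for method, path, _ in find_missing_consumes(spec):
        fixed["paths"][path][method.lower()]["consumes"] = list(mime_types)
    return fixed


# Constructed sample document: PUT /pets declares 'produces' but no 'consumes',
# exactly the shape the 'operation-consumes' rule flags. GET is not subject to the rule.
SAMPLE_SPEC_TEXT = """
{
  "swagger": "2.0",
  "info": {"title": "Petstore sample (constructed)", "version": "1.0"},
  "paths": {
    "/pets": {
      "put": {
        "summary": "Updates a pet in the store with form data",
        "operationId": "updatePetWithForm",
        "produces": ["application/json", "application/xml"],
        "parameters": []
      },
      "get": {
        "summary": "Lists pets (constructed operation)",
        "operationId": "listPets",
        "produces": ["application/json"]
      }
    }
  }
}
"""
SAMPLE_SPEC = json.loads(SAMPLE_SPEC_TEXT)


if __name__ == "__main__":
    for method, path, op_id in find_missing_consumes(SAMPLE_SPEC):
        print(f"[operation-consumes] {method} {path} ({op_id}): no 'consumes' defined")
    fixed = remediated(SAMPLE_SPEC)
    print("after remediation:", find_missing_consumes(fixed))
    print("PUT /pets consumes:", fixed["paths"]["/pets"]["put"]["consumes"])
```

Running the block prints one finding for PUT /pets and none after remediation. Adding a top-level "consumes" to the document also clears the finding, which is the global alternative the description mentions; the check treats an explicitly empty list as undeclared, since an empty list accepts nothing in practice.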