Operation does not have the 'produces' field defined

Issue ID: operation-produces

Average severity: Medium

Description

The produces field of a GET operation has not been defined, either in the operation itself or globally in a top-level produces field. The produces field defines the MIME type of the content your API returns.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "/pets": {
        "get": {
            "description": "Returns all pets from the system that the user has access to",
            "responses": {
                "200": {
                    "description": "A list of pets.",
                    "schema": {
                        "type": "array",
                        "items": {
                            "$ref": "#/definitions/pet"
                        }
                    }
                }
            }
        }
    }
}

Possible exploit scenario

If you do not restrict what data your API can return and attackers successfully breach your API, they can get the API to return practically anything they want, such as sensitive data or files, a database, or executables.

Remediation

Specify the expected return type for the operation in the produces field to ensure that your API only returns the expected content:

{
    "/pets": {
        "get": {
            "description": "Returns all pets from the system that the user has access to",
            "produces": [
                "application/json"
            ],
            "responses": {
                "200": {
                    "description": "A list of pets.",
                    "schema": {
                        "type": "array",
                        "items": {
                            "$ref": "#/definitions/pet"
                        }
                    }
                }
            }
        }
    }
}
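
To find this issue across a whole definition before it reaches an audit, the check described above can be scripted. The following is an added example, not part of the original page or of any audit tool: the function name `missing_produces` and the sample definition are assumptions, it expects an OpenAPI 2.0 (Swagger) document already parsed from JSON, and it assumes that an empty operation-level `produces` list (which clears the global one) should count as undefined.

```python
import json

def missing_produces(spec, methods=("get",)):
    """List 'METHOD /path' for operations with no effective 'produces'."""
    top = spec.get("produces")
    has_global = isinstance(top, list) and len(top) > 0
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method in methods:
            op = item.get(method)
            if not isinstance(op, dict):
                continue
            local = op.get("produces")
            if isinstance(local, list):
                # An operation-level list overrides the global one;
                # an empty list clears it, so nothing is declared.
                declared = len(local) > 0
            else:
                declared = has_global
            if not declared:
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)

# Constructed sample definition (not from the page): /pets has no
# 'produces' anywhere, /pets/{id} declares it on the operation.
SAMPLE = json.loads("""
{
  "swagger": "2.0",
  "paths": {
    "/pets": {
      "get": {"responses": {"200": {"description": "A list of pets."}}}
    },
    "/pets/{id}": {
      "get": {
        "produces": ["application/json"],
        "responses": {"200": {"description": "One pet."}}
      }
    }
  }
}
""")

if __name__ == "__main__":
    for finding in missing_produces(SAMPLE):
        print("produces not defined:", finding)
```

Pass other HTTP methods in `methods` to extend the same check beyond GET operations.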