No schema defined in the parameter object
Issue ID: v3-parameter-schema-undefined
Average severity: Medium
Description
One or more parameters in your API do not have schemas defined. Every parameter object must have either a schema or a content property so that the API definition restricts what the parameter may contain.
Schemas are useful for defining the structure and syntax of the accepted input or output for simpler parameters. For more complex parameters (for example, a serialized JSON object in a query string), you can use the content property, which maps a media type to its own schema.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. Because the username path parameter has neither a schema nor a content property, it can contain anything:
{
  "name": "username",
  "in": "path",
  "description": "username to fetch",
  "required": true
}
Possible exploit scenario
If you do not define a schema for your parameters, you do not limit what is accepted as input, and any enforcement point that validates requests against the API definition (an API gateway or firewall, a validating middleware) has nothing to check. Unconstrained input of this kind reaches your backend as-is and could expose it to attacks such as SQL injection, path traversal, or buffer overflows and resource exhaustion from overlong values.
Remediation
Make sure that you have defined either the schema or content property for all parameter objects in your API. Note that additionalProperties only applies to object schemas; for a string parameter, constrain the value with properties such as maxLength, pattern, or enum.
{
  "name": "username",
  "in": "path",
  "description": "username to fetch",
  "required": true,
  "schema": {
    "type": "string",
    "maxLength": 64,
    "pattern": "^[A-Za-z0-9_.-]+$"
  }
}
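The check behind this issue can be reproduced outside the scanner. The script below is an added example for this page, not 42Crunch's own checker: it walks an OpenAPI 3 document, collects every parameter object (path-level, operation-level, and under components, following local $ref pointers), and reports the ones that define neither schema nor content. The SAMPLE_API document and the FIXED_API remediation are constructed inline so the script runs offline.

```python
"""Find OpenAPI 3 parameter objects that define neither `schema` nor `content`.

Added example for this page; not the scanner's own implementation.
"""
import copy
from typing import Iterator, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample OpenAPI 3 document. Two parameters lack a schema:
# the `username` path parameter and the `X-Request-Id` header.
SAMPLE_API = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{username}": {
            "parameters": [
                {"name": "username", "in": "path", "required": True}  # no schema/content
            ],
            "get": {
                "parameters": [
                    {"name": "verbose", "in": "query", "schema": {"type": "boolean"}},
                    {"name": "X-Request-Id", "in": "header"},  # no schema/content
                    {"$ref": "#/components/parameters/Page"},
                ],
                "responses": {"200": {"description": "ok"}},
            },
        }
    },
    "components": {
        "parameters": {
            # Uses `content` instead of `schema`: also acceptable.
            "Page": {"name": "page", "in": "query",
                     "content": {"application/json": {"schema": {"type": "integer"}}}}
        }
    },
}


def resolve_ref(doc: dict, ref: str) -> dict:
    """Follow a local JSON pointer such as '#/components/parameters/Page'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node = doc
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def iter_parameters(doc: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (location, parameter object) for every parameter in the document.

    $ref parameters are resolved and reported under their reference string,
    so a shared component that lacks a schema is reported once.
    """
    for path, path_item in doc.get("paths", {}).items():
        scopes = [(f"paths.{path}.parameters", path_item.get("parameters", []))]
        for method in HTTP_METHODS:
            if method in path_item:
                scopes.append((f"paths.{path}.{method}.parameters",
                               path_item[method].get("parameters", [])))
        for prefix, params in scopes:
            for i, param in enumerate(params):
                if "$ref" in param:
                    yield param["$ref"], resolve_ref(doc, param["$ref"])
                else:
                    yield f"{prefix}[{i}]", param
    for name, param in doc.get("components", {}).get("parameters", {}).items():
        yield f"#/components/parameters/{name}", param


def find_parameters_without_schema(doc: dict) -> List[Tuple[str, str, str]]:
    """Return (location, name, in) for parameters with neither `schema` nor `content`."""
    findings, seen = [], set()
    for location, param in iter_parameters(doc):
        if location in seen:
            continue
        seen.add(location)
        if "schema" not in param and "content" not in param:
            findings.append((location, param.get("name", "?"), param.get("in", "?")))
    return findings


def remediate(doc: dict) -> dict:
    """Return a copy with a constrained string schema on every flagged parameter.

    The limits chosen here are illustrative; pick them per parameter in practice.
    """
    fixed = copy.deepcopy(doc)
    for location, param in iter_parameters(fixed):
        if "schema" not in param and "content" not in param:
            param["schema"] = {"type": "string", "maxLength": 64,
                               "pattern": "^[A-Za-z0-9_.-]+$"}
    return fixed


FIXED_API = remediate(SAMPLE_API)

if __name__ == "__main__":
    for location, name, where in find_parameters_without_schema(SAMPLE_API):
        print(f"{location}: parameter '{name}' (in: {where}) has no schema or content")
    print("after remediation:", find_parameters_without_schema(FIXED_API))
```

Run it against a real definition by loading the YAML or JSON into a dict and passing it to find_parameters_without_schema; the remediate helper only shows the shape of the fix, since the right maxLength, pattern, or enum depends on what each parameter legitimately carries.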