No schema defined in the parameter object

Issue ID: v3-parameter-schema-undefined

Average severity: Medium

Description

One or more parameters in your API do not have schemas defined. All parameters must have either schema or content defined to restrict what content your API accepts.

Schemas are useful for defining the structure and syntax of the accepted input or output for simpler parameters. For more complex parameters, you can use the content property.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. Because the username path parameter has no schema defined, it can include anything:

{
    "name": "username",
    "in": "path",
    "description": "username to fetch",
    "required": true
}

Possible exploit scenario

If you do not define a schema for your parameters, you do not limit what is accepted as the input. This could open your backend server to various attacks, like SQL injections or buffer overflows.

Remediation

Make sure that you have defined either the schema or content property for all parameter objects in your API.

{
    "name": "username",
    "in": "path",
    "description": "username to fetch",
    "required": true,
    "schema": {
        "type": "string",
        "additionalProperties": false
    }
}
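The following is an added example, not part of the original page: a small Python checker that walks an OpenAPI v3 document and reports every parameter object that defines neither schema nor content, which is exactly the condition this issue describes and the remediation asks you to rule out. It handles parameters declared under components.parameters, at path level and at operation level, follows local $ref pointers, and reports each offending parameter once by its location. The sample document embedded in the script is constructed for the example; it contains the unconstrained username path parameter from above alongside a query parameter with a bounded schema and a header defined through content, so the checker should flag only the first one.

```python
"""Added example: find OpenAPI v3 parameter objects with neither `schema` nor `content`.

The checker below is illustrative code written for this page, not a tool
from the OpenAPI project. Function names are this example's own.
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

# Constructed sample document. It contains:
#  - components.parameters.Username: no schema and no content (the issue)
#  - a query parameter with a bounded string schema (remediated form)
#  - a header parameter described through `content` (also acceptable)
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1"},
    "components": {
        "parameters": {
            "Username": {
                "name": "username",
                "in": "path",
                "description": "username to fetch",
                "required": True,
            }
        }
    },
    "paths": {
        "/users/{username}": {
            "parameters": [{"$ref": "#/components/parameters/Username"}],
            "get": {
                "parameters": [
                    {
                        "name": "fields",
                        "in": "query",
                        "schema": {"type": "string", "maxLength": 64, "pattern": "^[a-z,]+$"},
                    },
                    {
                        "name": "X-Filter",
                        "in": "header",
                        "content": {"application/json": {"schema": {"type": "object"}}},
                    },
                ],
                "responses": {"200": {"description": "ok"}},
            },
        }
    },
}


def resolve_ref(spec, ref):
    """Resolve a local JSON reference such as '#/components/parameters/Username'."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local refs are supported: {ref}")
    node = spec
    for part in ref[2:].split("/"):
        # Undo JSON-pointer escaping: ~1 -> '/', ~0 -> '~'
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def parameter_is_unconstrained(param):
    """True when the parameter object has neither `schema` nor `content`."""
    return "schema" not in param and "content" not in param


def find_unconstrained_parameters(spec):
    """Return [(location, name, in)] for every parameter lacking schema and content.

    A parameter reached both directly and via $ref is reported once, under
    its canonical location (the $ref target).
    """
    findings = {}  # location -> (name, in); dict keeps first-seen order

    def check(param, location):
        if "$ref" in param:
            location = param["$ref"]
            param = resolve_ref(spec, location)
        if location not in findings and parameter_is_unconstrained(param):
            findings[location] = (param.get("name"), param.get("in"))

    for name, param in spec.get("components", {}).get("parameters", {}).items():
        check(param, f"#/components/parameters/{name}")

    for path, item in spec.get("paths", {}).items():
        escaped = path.replace("~", "~0").replace("/", "~1")  # JSON-pointer escaping
        for i, param in enumerate(item.get("parameters", [])):
            check(param, f"#/paths/{escaped}/parameters/{i}")
        for method in HTTP_METHODS:
            operation = item.get(method)
            if not operation:
                continue
            for i, param in enumerate(operation.get("parameters", [])):
                check(param, f"#/paths/{escaped}/{method}/parameters/{i}")

    return [(loc, name, where) for loc, (name, where) in findings.items()]


if __name__ == "__main__":
    for location, name, where in find_unconstrained_parameters(SAMPLE_SPEC):
        print(f"{location}: parameter '{name}' (in: {where}) has no schema or content")
    print(json.dumps(SAMPLE_SPEC["paths"]["/users/{username}"]["get"]["parameters"][0], indent=2))
```

The query parameter in the sample shows the shape of a useful remediation: a type plus a maxLength and a pattern bound what the backend will ever see, whereas a bare "type": "string" only rules out non-strings. Note that additionalProperties, as used in the remediation snippet above, only has an effect on object schemas; for a string parameter the length and pattern keywords are the ones that actually narrow the accepted input.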