415 response should be defined for operations receiving a body (POST, PUT, PATCH)
Issue ID: v3-response-415
Average severity: Medium
Description
One or more POST
, PUT
, or PATCH
operations are missing 415
responses. All operations that receive a body should have 415
responses defined.
For more details, see RFC 7231.
Example
The following is an example of how this type of risk could look in your API definition:
{
"post": {
"description": "Creates a new pet in the store",
"operationId": "addPet",
"requestBody": {
"description": "Pet to add to the store",
"required": true
// ...
},
"responses": {
"200": {
"description": "pet response",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Pet"
}
}
}
}
}
}
}
Possible exploit scenario
Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API operations can return for each possible response code.
Remediation
Define 415
responses for all POST
, PUT
, and PATCH
operations.
{
"post": {
"description": "Creates a new pet in the store",
"operationId": "addPet",
"requestBody": {
"description": "Pet to add to the store",
"required": true
// ...
},
"responses": {
"200": {
"description": "pet response",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Pet"
}
}
}
},
// ...
"415": {
"description": "Unsupported media type",
"content": {
"application/json": {
"schema": {
"$ref": "#/components/responses/415"
}
}
}
}
}
}
}