No schema defined in the media type object in a request

Issue ID: v3-mediatype-request-schema-undefined

Average severity: Medium

Description

One or more media type objects in your API do not have schemas defined. All media types should have a schema defined to restrict what input your API accepts.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. Because the media type object has no schema defined, the request body can include anything:

{
    "requestBody": {
        "content": {
            "application/octet-stream": {
            }
        }
    }
}

Possible exploit scenario

If you do not define a schema for a media type object, you do not limit what is accepted as input. This could expose your backend server to various attacks, such as SQL injection or buffer overflows.

Remediation

Make sure that you have defined schemas for all media type objects in your API.

{
    "requestBody": {
        "content": {
            "application/octet-stream": {
                "schema": {
                    "type": "string",
                    "format": "binary",
                    "additionalProperties": false
                }
            }
        }
    }
}
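To catch this issue before the API definition ships, the following added Python check (written for this page, not code from the original page or from any tool it refers to) walks an OpenAPI 3 document and reports every request body media type object that has no schema, resolving request bodies referenced locally through $ref; the sample document it scans is constructed for the example.

```python
import json

# Constructed sample OpenAPI 3 document (not from the original page): one inline
# request media type without a schema, one with a schema, a $ref'd request body
# that also lacks a schema, and a response media type that this check ignores.
SAMPLE_API = json.loads("""
{
  "paths": {
    "/upload": {"post": {
      "requestBody": {"content": {
        "application/octet-stream": {},
        "application/json": {"schema": {"type": "object"}}
      }},
      "responses": {"200": {"content": {"text/plain": {}}}}
    }},
    "/avatar": {"put": {"requestBody": {"$ref": "#/components/requestBodies/Upload"}}}
  },
  "components": {"requestBodies": {"Upload": {"content": {"image/png": {}}}}}
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def resolve_ref(api, obj):
    """Follow a local '#/...' reference (plain path segments, no ~0/~1 escapes)."""
    ref = obj.get("$ref", "")
    if not ref.startswith("#/"):
        return obj
    node = api
    for part in ref[2:].split("/"):
        node = node[part]
    return node

def find_request_media_types_without_schema(api):
    """Return 'PATH METHOD media-type' for each request body media type object
    that has no 'schema' key, so each finding maps back to a spot in the spec."""
    findings = []
    for path, path_item in api.get("paths", {}).items():
        for method, operation in path_item.items():
            if method not in HTTP_METHODS or "requestBody" not in operation:
                continue
            body = resolve_ref(api, operation["requestBody"])
            for media_type, media_obj in body.get("content", {}).items():
                if "schema" not in media_obj:
                    findings.append(f"{path} {method.upper()} {media_type}")
    return findings

if __name__ == "__main__":
    print(find_request_media_types_without_schema(SAMPLE_API))
```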