No schema defined in the media type object
Issue ID: v3-mediatype-schema-undefined
Average severity: Medium
This issue ID and article have been deprecated and will be removed.
Description
One or more media type objects in your API do not have schemas defined. All media types should have schema
defined to restrict what input your API accepts.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. Because the rate limiting header has no schema defined, it can include anything:
{
"requestBody": {
"content": {
"application/octet-stream": {
}
}
}
}
Possible exploit scenario
If you do not define a schema for media type object, you do not limit what is accepted as the input. This could open your backend server to various attacks, like SQL injections or buffer overflows.
Remediation
Make sure that you have defined schemas for all media type objects in your API.
{
"requestBody": {
"content": {
"application/octet-stream": {
"schema": {
"type": "string",
"format": "binary",
"additionalProperties": false
}
}
}
}
}