Array schema in a request has no type of items defined

Issue ID: v3-schema-request-array-items-notype

Average severity: High

Description

One or more array schemas do not specify the type of the items they can contain.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
            "description": "Pet to add to the store",
            "required": true,
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/NewPet"
                    }
                }
            }
        }
    },
    // ...
    "NewPet": {
        "type": "object",
        "description": "JSON defining a Pet object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string"
            },
            "favfood": {
                "type": "array",
                "items": {
                }
            }
        }
    }
}

Possible exploit scenario

If an array schema does not specify the type property for its items, API consumers cannot tell what data type your API expects the items to have. They may send items of an unexpected type to your API, which could cause the backend server to crash.

In addition, protection services based on OpenAPI definitions are not able to filter out items of unexpected data types. Attackers can try various types for the items, which again could crash the backend server.

When your backend server crashes, the error messages or exception trace could leak information on the implementation of your services. Attackers could then use this information to make further attacks.

Remediation

Make sure your array schema includes the type property for the items the array accepts:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
            "description": "Pet to add to the store",
            "required": true,
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/NewPet"
                    }
                }
            }
        }
    },
    // ...
    "NewPet": {
        "type": "object",
        "description": "JSON defining a Pet object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string"
            },
            "favfood": {
                "type": "array",
                "maxItems": 3,
                "items": {
                    "type": "string"
                }
            }
        }
    }
}
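As an added example that is not part of the original page or its vendor's tooling, the following Python check walks a parsed OpenAPI document and reports array schemas whose items carry no type information; the two embedded fragments are constructed from the "before" and "after" NewPet definitions above, and the set of keywords accepted as type information is an assumption.

```python
# Constructed OpenAPI fragment: the NewPet schema from the page, whose
# "favfood" array leaves its items untyped.
BAD_SPEC = {"components": {"schemas": {"NewPet": {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "favfood": {"type": "array", "items": {}},
    },
}}}}

# The same fragment after remediation: items typed and the array bounded.
GOOD_SPEC = {"components": {"schemas": {"NewPet": {
    "type": "object",
    "properties": {
        "name": {"type": "string"},
        "favfood": {"type": "array", "maxItems": 3, "items": {"type": "string"}},
    },
}}}}

# Assumption: these keywords are treated as constraining the item type even
# when a literal "type" is absent (a $ref or composition points at a typed schema).
TYPED_KEYWORDS = {"type", "$ref", "allOf", "anyOf", "oneOf"}


def items_is_typed(items):
    """True if the items schema says anything about the item type."""
    return isinstance(items, dict) and bool(TYPED_KEYWORDS.intersection(items))


def find_untyped_array_items(node, path="#"):
    """Walk an OpenAPI document (parsed JSON) and return pointer-style paths
    of array schemas whose "items" is missing or carries no type information."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "array" and not items_is_typed(node.get("items")):
            findings.append(path)
        for key, value in node.items():
            findings.extend(find_untyped_array_items(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_untyped_array_items(value, f"{path}/{i}"))
    return findings


if __name__ == "__main__":
    for label, spec in (("before", BAD_SPEC), ("after", GOOD_SPEC)):
        print(label, find_untyped_array_items(spec) or "no untyped array items")
```

Running the check against a full definition loaded with json.load gives the list of schema paths to fix; an empty list means every array in the document constrains its items.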