Array schema in a request has no maximum number of items defined
Issue ID: v3-schema-request-array-maxitems
Average severity: High
Description
An array schema does not specify the maximum number of items it can contain.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition:
{
  "post": {
    "description": "Creates a new pet in the store",
    "operationId": "addPet",
    "requestBody": {
      "description": "Pet to add to the store",
      "required": true,
      "content": {
        "application/json": {
          "schema": {
            "$ref": "#/components/schemas/NewPet"
          }
        }
      }
    }
  },
  // ...
  "NewPet": {
    "type": "object",
    "description": "JSON defining a Pet object",
    "additionalProperties": false,
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string"
      },
      "favfood": {
        "type": "array",
        "items": {
          "type": "string"
        }
      }
    }
  }
}
Possible exploit scenario
If an array does not specify the maximum number of items it can contain, attackers may try to submit a call with an extremely large number of array entries. This could make your JSON parser module crash or cause a buffer overflow.
Remediation
Set the maxItems property to ensure that the schema only allows calls of reasonable size:
{
  "post": {
    "description": "Creates a new pet in the store",
    "operationId": "addPet",
    "requestBody": {
      "description": "Pet to add to the store",
      "required": true,
      "content": {
        "application/json": {
          "schema": {
            "$ref": "#/components/schemas/NewPet"
          }
        }
      }
    }
  },
  // ...
  "NewPet": {
    "type": "object",
    "description": "JSON defining a Pet object",
    "additionalProperties": false,
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string"
      },
      "favfood": {
        "type": "array",
        "maxItems": 3,
        "items": {
          "type": "string"
        }
      }
    }
  }
}
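To check that this remediation has been applied across a whole API definition, the following added example (not code from this page or its tooling) walks an OpenAPI 3 document and reports every array schema reachable from a request body that lacks maxItems. It assumes only local "#/components/schemas/..." $refs are used, and SAMPLE_DOC is a constructed copy of the addPet operation and NewPet schema shown above.

```python
# Added example (not from the page): audit an OpenAPI 3 document for array
# schemas reachable from request bodies that lack "maxItems". Assumes only local
# "#/components/schemas/..." $refs; SAMPLE_DOC is constructed from the page's example.
from typing import Any, Dict, List, Set

def resolve_ref(doc: Dict[str, Any], ref: str) -> Dict[str, Any]:
    """Follow a local JSON pointer such as '#/components/schemas/NewPet'."""
    node: Any = doc
    for part in ref.lstrip("#/").split("/"):
        node = node[part]
    return node

def unbounded_arrays(doc, schema, path: str, seen: Set[str]) -> List[str]:
    """Return paths of array schemas under `schema` that lack maxItems."""
    if "$ref" in schema:
        if schema["$ref"] in seen:  # stop on recursive or already-visited refs
            return []
        seen.add(schema["$ref"])
        return unbounded_arrays(doc, resolve_ref(doc, schema["$ref"]), schema["$ref"], seen)
    findings: List[str] = []
    if schema.get("type") == "array":
        if "maxItems" not in schema:
            findings.append(path)
        if "items" in schema:  # nested arrays need a bound too
            findings += unbounded_arrays(doc, schema["items"], path + "/items", seen)
    for name, prop in schema.get("properties", {}).items():
        findings += unbounded_arrays(doc, prop, f"{path}/properties/{name}", seen)
    return findings

def audit_request_arrays(doc: Dict[str, Any]) -> List[str]:
    """Check the request body schema of every operation in the document."""
    findings: List[str] = []
    for route, ops in doc.get("paths", {}).items():
        for method, op in ops.items():
            if not isinstance(op, dict):  # skip path-level "parameters"/"summary"
                continue
            for mime, media in op.get("requestBody", {}).get("content", {}).items():
                if "schema" in media:
                    findings += unbounded_arrays(
                        doc, media["schema"], f"{route}/{method}/{mime}", set())
    return findings

SAMPLE_DOC = {  # constructed from the page's addPet / NewPet example
    "paths": {"/pets": {"post": {"requestBody": {"content": {"application/json": {
        "schema": {"$ref": "#/components/schemas/NewPet"}}}}}}},
    "components": {"schemas": {"NewPet": {
        "type": "object", "required": ["name"], "additionalProperties": False,
        "properties": {"name": {"type": "string"},
                       "favfood": {"type": "array", "items": {"type": "string"}}}}}},
}
```

Running audit_request_arrays on SAMPLE_DOC reports the favfood property; once maxItems is added as in the remediation above, the list is empty.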