Schema in a request does not define the type of JSON values

Issue ID: v3-schema-request-notype

Average severity: Medium

Description

The API defines a schema for a JSON payload, but the schema does not actually limit what is accepted. This can happen for two reasons:

  • The schema is for an object (a set of properties) but it does not have type set to object. The properties are matched to the ones defined in the schema, but no limit to their types is enforced.
  • Some of the properties themselves do not have type defined so any type is accepted for them.

Unlike in the OpenAPI Specification (OAS) v2, in OAS v3 it is not enough to just state the type of the properties in the schema. By default, the property additionalProperties is true. Unless you specifically set additionalProperties to false, the schema continues to accept properties of any type.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The schema NewPet is defined in #/components/schemas and referenced as the schema for the API method. However, the type of the schema is not set to object and the type is missing from the property tag:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "parameters": [
            {
                "name": "pet",
                "in": "body",
                "description": "Pet to add to the system",
                "required": true,
                "schema": {
                    "$ref": "#components/schemas/NewPet"
                }
            }
        ]
    },
    // ...
    "NewPet": {
        "required": [
            "name"
        ],
        "additionalProperties": false,
        "properties": {
            "name": {
                "type": "string",
                "description": "Pet name"
            },
            "tag": {
                "description": "Pet tag"
            }
        }
    }
}

Possible exploit scenario

If you do not clearly define the schema and you leave properties of a JSON payload empty, you effectively allow attackers to pass in any data. This means that you are opening your backend to various attacks, such as SQL injection.

This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.

If no restrictions to the set of properties in the JSON payload are enforced, the API might also accept more fields than expected. The received payloads could be blindly transformed into an object and stored, overwriting sensitive internal data.

Remediation

Make sure you define the types of all properties in the JSON payload, correctly set the type for objects, and set additionalProperties to false to enforce limitations to what the schema accepts.

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "parameters": [
            {
                "name": "pet",
                "in": "body",
                "description": "pet to add to the system",
                "required": true,
                "schema": {
                    "$ref": "#/components/schemas/NewPet"
                }
            }
        ]
    },
    // ...
    "NewPet": {
        "type": "object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string",
                "description": "Pet name"
            },
            "tag": {
                "type": "string",
                "description": "Pet tag"
            }
        }
    }
}