Pattern for string schema is too loose

Issue ID: v3-schema-string-loosepattern

Average severity: Medium

This issue ID and article have been deprecated and will be removed.

Description

The pattern for a string schema is too loosely defined. It does not actually limit what gets passed to the API.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The defined pattern is so loose that the API effectively accepts any string of any size and value:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
            "description": "Pet to add to the store",
            "required": true,
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/NewPet"
                    }
                }
            }
        }
    },
    // ...
    "NewPet": {
        "type": "object",
        "description": "JSON defining a Pet object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string",
                "pattern": ".*"
            }       
        }
    }
}

Possible exploit scenario

If you define too loose pattern for strings, you do not actually limit what is accepted as the input. This could open your backend server to various attacks, like SQL injections or buffer overflows.

Remediation

Set a well-defined regular expression that matches your requirements in the pattern field of string parameters. This ensures that only strings matching the set pattern get passed to your API.

For example, the API below only accepts UUIDs that are compliant with RFC 4122:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
            "description": "Pet to add to the store",
            "required": true,
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/NewPet"
                    }
                }
            }
        }
    },
    // ...
    "NewPet": {
        "type": "object",
        "description": "JSON defining a Pet object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string",
                "maxLength": 10,
                "pattern": "^[A-Za-z0-9]{3,10}$"
            }       
        }
    }
}

We recommend that you carefully think what kind of regular expression best matches your needs. Do not simply blindly copy the pattern from the code example.

Remember to include ^ and $ in your regular expression, otherwise the overall length of the pattern is infinite.

For more information on regular expressions, see the following:

Language-agnostic information on regular expressions at Base Definitions page on regular expressions
OWASP Validation Regex Repository
RegExr, an online tool for building and testing regular expressions

The following are examples of regular expressions for some common elements:

Element	Examples of regular expressions	Examples with escape
Alphanumeric string	String with spaces: `^[a-zA-Z0-9 ]$` String without space `^[a-zA-Z0-9]$`	—
Base64‑encoding (for an image)	`^data:image\/(?:gif\|png\|jpeg\|bmp\|webp)(?:;charset=utf-8)?;base64,(?:[A-Za-z0-9]\|[+/])+={0,2}$`	`^data:image\\/(?:gif\|png\|jpeg\|bmp\|webp)(?:;charset=utf-8)?;base64,(?:[A-Za-z0-9]\|[+/])+={0,2}$`
Date and time	Date as YYYY-MM-DD, only `-` as separator: `^([12]\d{3}-(0[1-9]\|1[0-2])-(0[1-9]\|[12]\d\|3[01]))$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator: `^(?:(?:31(\/\|-\|\.)(?:0?[13578]\|1[02]\|(?:Jan\|Mar\|May\|Jul\|Aug\|Oct\|Dec)))\1\|(?:(?:29\|30)(\/\|-\|\.)(?:0?[1,3-9]\|1[0-2]\|(?:Jan\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep\|Oct\|Nov\|Dec))\2))(?:(?:1[6-9]\|[2-9]\d)?\d{2})$\|^(?:29(\/\|-\|\.)(?:0?2\|(?:Feb))\3(?:(?:(?:1[6-9]\|[2-9]\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\d\|2[0-8])(\/\|-\|\.)(?:(?:0?[1-9]\|(?:Jan\|Feb\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep))\|(?:1[0-2]\|(?:Oct\|Nov\|Dec)))\4(?:(?:1[6-9]\|[2-9]\d)?\d{2})$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator, checks for leap years: `^(?:(?:31(\/\|-\|\.)(?:0?[13578]\|1[02]))\1\|(?:(?:29\|30)(\/\|-\|\.)(?:0?[1,3-9]\|1[0-2])\2))(?:(?:1[6-9]\|[2-9]\d)?\d{2})$\|^(?:29(\/\|-\|\.)0?2\3(?:(?:(?:1[6-9]\|[2-9]\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\d\|2[0-8])(\/\|-\|\.)(?:(?:0?[1-9])\|(?:1[0-2]))\4(?:(?:1[6-9]\|[2-9]\d)?\d{2})$` Time as HH:MM, 24-hour clock, leading 0: `^(0[0-9]\|1[0-9]\|2[0-3]):[0-5][0-9]$` Time as HH:MM, 12-hour clock, leading 0 optional, AM/PM: `^((1[0-2]\|0?[1-9]):([0-5][0-9]) ?([AaPp][Mm]))$` Time as HH:MM:SS, 24-hour clock: `^(?:[01]\d\|2[0123]):(?:[012345]\d):(?:[012345]\d)$`	Date as YYYY-MM-DD, only `-` as separator: `^([12]\\d{3}-(0[1-9]\|1[0-2])-(0[1-9]\|[12]\\d\|3[01]))$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator: `^(?:(?:31(\\/\|-\|\\.)(?:0?[13578]\|1[02]\|(?:Jan\|Mar\|May\|Jul\|Aug\|Oct\|Dec)))\\1\|(?:(?:29\|30)(\\/\|-\|\\.)(?:0?[1,3-9]\|1[0-2]\|(?:Jan\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep\|Oct\|Nov\|Dec))\\2))(?:(?:1[6-9]\|[2-9]\\d)?\d{2})$\|^(?:29(\\/\|-\|\\.)(?:0?2\|(?:Feb))\\3(?:(?:(?:1[6-9]\|[2-9]\\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\\d\|2[0-8])(\\/\|-\|\\.)(?:(?:0?[1-9]\|(?:Jan\|Feb\|Mar\|Apr\|May\|Jun\|Jul\|Aug\|Sep))\|(?:1[0-2]\|(?:Oct\|Nov\|Dec)))\\4(?:(?:1[6-9]\|[2-9]\\d)?\\d{2})$` Date as DD-MM-YYYY, with `/`, `-`, or `.` as separator, checks for leap years: `^(?:(?:31(\\/\|-\|\\.)(?:0?[13578]\|1[02]))\\1\|(?:(?:29\|30)(\\/\|-\|\\.)(?:0?[1,3-9]\|1[0-2])\\2))(?:(?:1[6-9]\|[2-9]\\d)?\d{2})$\|^(?:29(\\/\|-\|\\.)0?2\\3(?:(?:(?:1[6-9]\|[2-9]\\d)?(?:0[48]\|[2468][048]\|[13579][26])\|(?:(?:16\|[2468][048]\|[3579][26])00))))$\|^(?:0?[1-9]\|1\\d\|2[0-8])(\\/\|-\|\\.)(?:(?:0?[1-9])\|(?:1[0-2]))\\4(?:(?:1[6-9]\|[2-9]\\d)?\\d{2})$` Time as HH:MM, 24-hour clock, leading 0: `^(0[0-9]\|1[0-9]\|2[0-3]):[0-5][0-9]$` Time as HH:MM, 12-hour clock, leading 0 optional, AM/PM: `^((1[0-2]\|0?[1-9]):([0-5][0-9]) ?([AaPp][Mm]))$` Time as HH:MM:SS, 24-hour clock: `^(?:[01]\\d\|2[0123]):(?:[012345]\\d):(?:[012345]\\d)$`
Duration	`^\d+:\d{2}:\d{2}$`	`^\\d+:\\d{2}:\\d{2}$`
Email address (common format)	`^([a-z0-9_\.-]+)@([\da-z\.-]+)\.([a-z\.]{2,5})$`	`^([a-z0-9_\\.-]+)@([\\da-z\\.-]+)\\.([a-z\\.]{2,5})$`
File	File path: `^((\/\|\\\|\/\/\|https?:\\\\\|https?:\/\/)[a-z0-9 _@\-^!#$%&+={}.\/\\\[\]]+)+\.[a-z]+$/` File name, with 3-letter extension: `^[\w,\s-]+\.[A-Za-z]{3}$`	File path: `^((\\/\|\\\\\|\\/\\/\|https?:\\\\\\\\\|https?:\\/\\/)[a-z0-9 _@\\-^!#$%&+={}.\\/\\\\\\[\\]]+)+\\.[a-z]+$/` File name, with 3-letter extension: `^[\\w,\\s-]+\\.[A-Za-z]{3}$`
IP address	IPv4: `^(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.){3}([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])$` IPv6: ^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))$	IPv4: `^(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\\.){3}([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])$` IPv6: ^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))$
Numbers	Positive whole numbers: `^\d+$/` Negative and positive whole and decimal numbers: `^-?\d*(\.\d+)?$`	Positive whole numbers: `^\\d+$/` Negative and positive whole and decimal numbers: `^-?\\d*(\\.\\d+)?$`
Password constraints	Password that has: At least 10 but no more than 64 characters At least one digit At least one lowercase letter At least one uppercase letter At least one special character `^(?=.[0-9])(?=.[a-z])(?=.[A-Z])(?=.[*.!@$%^&(){}[]:;<>,.?/~_+-=\|\]).{10,64}$`	`^(?=.[0-9])(?=.[a-z])(?=.[A-Z])(?=.[*.!@$%^&(){}[]:;<>,.?/~_+-=\|\\]).{10,64}$`
Phone number	International phone number, country code optional: `^(?:(?:$?(?:00\|\+)([1-4]\d\d\|[1-9]\d?)$?)?[\-\.\ \\\/]?)?((?:$?\d{1,}$?[\-\.\ \\\/]?){0,})(?:[\-\.\ \\\/]?(?:#\|ext\.?\|extension\|x)[\-\.\ \\\/]?(\d+))?$` Use libraries instead or regular expressions to validate phone numbers whenever possible.	`^(?:(?:\$?(?:00\|\\+)([1-4]\\d\\d\|[1-9]\\d?)\$?)?[\\-\\.\\ \\\\\\/]?)?((?:\$?\\d{1,}\$?[\\-\\.\\ \\\\\\/]?){0,})(?:[\\-\\.\\ \\\\\\/]?(?:#\|ext\\.?\|extension\|x)[\\-\\.\\ \\\\\\/]?(\\d+))?$`
URL/URI (with protocol optional)	`^(https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)$`	`^(https?:\\/\\/)?(www\\.)?[-a-zA-Z0-9@:%._\\+~#=]{2,256}\\.[a-z]{2,6}\\b([-a-zA-Z0-9@:%_\\+.~#?&//=]*)$`
UUID	`^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89AB][0-9a-f]{3}-[0-9a-f]{12}$`	—