Pattern of the string schema does not match the 'minLength' or 'maxLength' properties
Issue ID: v3-schema-string-pattern-incompatible
Average severity: Medium
This issue ID and article have been deprecated and will be removed.
Description
Some string parameters in your API define patterns that do not match the minLength or maxLength properties defined for the string.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. The string defines a pattern, but the maximum length allowed by the pattern is shorter than the required minLength of the same string:
{
  "post": {
    "description": "Creates a new pet in the store",
    "operationId": "addPet",
    "requestBody": {
      "description": "Pet to add to the store",
      "required": true,
      "content": {
        "application/json": {
          "schema": {
            "$ref": "#/components/schemas/NewPet"
          }
        }
      }
    }
  },
  // ...
  "NewPet": {
    "type": "object",
    "description": "JSON defining a Pet object",
    "additionalProperties": false,
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string",
        "pattern": "^[a-z]{3,10}$",
        "minLength": 25
      }
    }
  }
}
Or the pattern could require longer strings than maxLength allows:
{
  "post": {
    "description": "Creates a new pet in the store",
    "operationId": "addPet",
    "requestBody": {
      "description": "Pet to add to the store",
      "required": true,
      "content": {
        "application/json": {
          "schema": {
            "$ref": "#/components/schemas/NewPet"
          }
        }
      }
    }
  },
  // ...
  "NewPet": {
    "type": "object",
    "description": "JSON defining a Pet object",
    "additionalProperties": false,
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string",
        "pattern": "^[a-z]{5,10}$",
        "maxLength": 3
      }
    }
  }
}
Possible exploit scenario
If the lengths defined in the pattern conflict with minLength or maxLength, and input and output validation is properly enforced, no string can satisfy both constraints, so every API call carrying that parameter inevitably fails.
If such API calls are still accepted, validation of the pattern, of the string length, or of both is not being enforced, which is a sign that the backend implementation of the API does not validate input properly.
Example
Make sure that the patterns you define for strings do not conflict with the minLength or maxLength properties.
{
  "post": {
    "description": "Creates a new pet in the store",
    "operationId": "addPet",
    "requestBody": {
      "description": "Pet to add to the store",
      "required": true,
      "content": {
        "application/json": {
          "schema": {
            "$ref": "#/components/schemas/NewPet"
          }
        }
      }
    }
  },
  // ...
  "NewPet": {
    "type": "object",
    "description": "JSON defining a Pet object",
    "additionalProperties": false,
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string",
        "pattern": "^[a-z]{3,10}$",
        "minLength": 3,
        "maxLength": 10
      }
    }
  }
}
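As an added example, not part of this article, the following Python script audits an API definition for exactly this conflict: for every string schema that carries a pattern, it derives the range of lengths the pattern can match and intersects it with minLength and maxLength, reporting an error when the intersection is empty. It goes beyond the page in two ways: the length range is computed from the parsed regular expression rather than read off a {m,n} quantifier, so patterns such as ^[a-z]+$ are handled, and unanchored patterns are flagged, because JSON Schema applies pattern as a search, so [a-z]{3,10} without ^ and $ places no upper bound on the string and minLength and maxLength carry all of the length enforcement. The sample document, the schema names NewPet2, FixedPet and Tag, and the finding format are constructed for this example; the regex dialect is Python's re, which only approximates the ECMA-262 dialect the specification requires.

```python
"""Audit string schemas whose `pattern` can never agree with `minLength` / `maxLength`.

Added example, not code from the article. Uses Python's own regex parser to derive
the length range a pattern admits; Python's dialect is only an approximation of the
ECMA-262 regexes JSON Schema specifies, so unusual constructs are an assumption.
"""
import re

try:  # Python 3.11+ moved the sre modules under the re package
    from re import _constants as sre_constants, _parser as sre_parser
except ImportError:  # Python <= 3.10
    import sre_constants
    import sre_parse as sre_parser

_START_ANCHORS = (sre_constants.AT_BEGINNING, sre_constants.AT_BEGINNING_STRING)  # ^ and \A
_END_ANCHORS = (sre_constants.AT_END, sre_constants.AT_END_STRING)                # $ and \Z


def pattern_length_bounds(pattern):
    """Return (lo, hi, anchored): shortest and longest matchable length (hi is None
    when unbounded) and whether the pattern is anchored at both ends. JSON Schema
    applies `pattern` as an unanchored search, so an unanchored pattern bounds the
    string from below only: a longer string can always still contain a match."""
    parsed = sre_parser.parse(pattern)  # raises re.error on invalid syntax
    lo, hi = parsed.getwidth()
    if hi >= sre_constants.MAXREPEAT:   # parser's sentinel for "no upper bound"
        hi = None
    nodes = parsed.data
    anchored = (
        len(nodes) >= 2
        and nodes[0][0] == sre_constants.AT and nodes[0][1] in _START_ANCHORS
        and nodes[-1][0] == sre_constants.AT and nodes[-1][1] in _END_ANCHORS
    )
    if not anchored:
        hi = None
    return lo, hi, anchored


def check_string_schema(schema):
    """Findings for one schema object as (level, message) pairs; empty when consistent."""
    pattern = schema.get("pattern")
    if schema.get("type") != "string" or not isinstance(pattern, str):
        return []
    try:
        lo, hi, anchored = pattern_length_bounds(pattern)
    except re.error as exc:
        return [("error", f"pattern {pattern!r} does not compile: {exc}")]
    findings = []
    min_len = schema.get("minLength", 0)
    max_len = schema.get("maxLength")  # None means unbounded
    # An accepted value must satisfy the pattern AND both length keywords, so the
    # allowed lengths are the intersection of the two ranges; empty means nothing
    # can ever be accepted, which is the condition this article describes.
    allowed_lo = max(lo, min_len)
    uppers = [x for x in (hi, max_len) if x is not None]
    allowed_hi = min(uppers) if uppers else None
    if allowed_hi is not None and allowed_lo > allowed_hi:
        findings.append(("error",
            f"pattern {pattern!r} admits lengths {lo}..{'inf' if hi is None else hi}, "
            f"which conflicts with minLength={min_len} maxLength={max_len}: "
            f"no value can be accepted"))
    if not anchored:
        findings.append(("info",
            f"pattern {pattern!r} is unanchored, so only minLength/maxLength bound the length"))
    return findings


def audit_document(doc, path="#"):
    """Walk an OpenAPI/JSON Schema document and return (json_pointer, level, message)
    for every string schema whose pattern and length keywords disagree."""
    results = []
    if isinstance(doc, dict):
        results.extend((path, level, msg) for level, msg in check_string_schema(doc))
        for key, value in doc.items():
            results.extend(audit_document(value, f"{path}/{key}"))
    elif isinstance(doc, list):
        for index, value in enumerate(doc):
            results.extend(audit_document(value, f"{path}/{index}"))
    return results


# Constructed sample modelled on the article's NewPet schema: the two broken
# variants, the corrected one, and an unanchored pattern for the info finding.
SAMPLE_DOC = {
    "components": {"schemas": {
        "NewPet": {"type": "object", "properties": {
            "name": {"type": "string", "pattern": "^[a-z]{3,10}$", "minLength": 25}}},
        "NewPet2": {"type": "object", "properties": {
            "name": {"type": "string", "pattern": "^[a-z]{5,10}$", "maxLength": 3}}},
        "FixedPet": {"type": "object", "properties": {
            "name": {"type": "string", "pattern": "^[a-z]{3,10}$",
                     "minLength": 3, "maxLength": 10}}},
        "Tag": {"type": "object", "properties": {
            "label": {"type": "string", "pattern": "[a-z]{3,10}", "minLength": 1}}},
    }}
}

if __name__ == "__main__":
    for pointer, level, message in audit_document(SAMPLE_DOC):
        print(f"{level:5} {pointer}: {message}")
```

Run against a real definition by loading it with json or yaml and passing the resulting dict to audit_document; a clean document yields an empty list, and the pointer in each finding is the JSON pointer of the offending schema. The anchoring check deliberately treats a top-level alternation such as ^a|b$ as unanchored, since only one branch is bound by each anchor, so the tool errs toward reporting that the pattern does not cap the length.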