String schema in a request has no maximum length defined

Description

A string schema does not specify the maximum length for the accepted strings.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
            "description": "Pet to add to the store",
            "required": true,
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/NewPet"
                    }
                }
            }
        }
    },
    // ...
    "NewPet": {
        "type": "object",
        "description": "JSON defining a Pet object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string"
            }       
        }
    }
}

Possible exploit scenario

If you do not limit the length of strings, attackers can send longer strings to your API than what your backend server can handle. This could overload your backend server and make it crash. In some cases, this could cause a buffer overflow and allow for executing arbitrary code. Long strings are also more prone to injection attacks.

Remediation

Set the maxLength property in string schemas to ensure that only strings of the expected size get passed to your API:

{
    "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "requestBody": {
            "description": "Pet to add to the store",
            "required": true,
            "content": {
                "application/json": {
                    "schema": {
                        "$ref": "#/components/schemas/NewPet"
                    }
                }
            }
        }
    },
    // ...
    "NewPet": {
        "type": "object",
        "description": "JSON defining a Pet object",
        "additionalProperties": false,
        "required": [
            "name"
        ],
        "properties": {
            "name": {
                "type": "string",
                "maxLength": 10,
                "pattern": "^[A-Za-z0-9]{3,10}$"
            }       
        }
    }
}

We also recommend that you specify a regular expression to further lock down the expected string format.

Remember to include the anchors ^ and $ in your regular expression, otherwise the overall length of the pattern could be considered infinite. If you include the anchors in the regular expression and the pattern only has fixed or constant quantifiers (like {10,64}, for example), you do not have to define the property maxLength separately for the object, as the length is fully constrained by the pattern. However, if the regular expression does not include the anchors or its quantifiers are not fixed (like in ^a.*b$), it can be considered to be just a part of a longer string and the property maxLength is required to constrain the length.

For more information on regular expressions, see the following:

Language-agnostic information on regular expressions at Base Definitions page on regular expressions
OWASP Validation Regex Repository
RegExr, an online tool for building and testing regular expressions

For examples on some of the common regulars expressions, see the full article.