Missing array limit

owasp:api4:2019-array-limit

Rule Severity: Info

Endpoints ingesting arrays should specify a limit to the number of objects in the array to ensure the availability of the service to all users.
This rule applies at the API Specification level (OAS/Swagger).
Using the OpenAPI Specification to limit the number of items an endpoint can receive in an array is a form of rate limiting. Using the 'maxItems' keyword in array schemas helps prevent denial of service (DoS) attacks.
Resource limiting is a standard practice for keeping services available and making them less susceptible to attacks or overuse. One attack vector is sending extremely large payloads to an API endpoint, which can cause outages, slow down processing, or even crash systems. The OpenAPI Specification provides the maxItems keyword to define and limit the array structures that an endpoint accepts. Enforcing limits this way prevents an API consumer from sending more items than the service allows, and acts as a barrier that protects the service when someone tries to flood it with unusually large payloads. Schema limits are useful for API documentation and client-side validation, but they should not be the only line of defense: always ensure that the backend implementation also enforces the specified limits.

Example Attack Scenario

Authentication Bypass: If the API relies on arrays for authentication or authorization checks, attackers might exploit a missing array limit to bypass these controls, gaining unauthorized access to restricted resources or performing actions they shouldn't be allowed to.

1. How to Identify with Example Scenario

type: array
items:
  type: integer  # arbitrary item type
minItems: 1
# missing 'maxItems' keyword definition

1. How to Resolve with Example Scenario

type: array
items:
  type: integer  # arbitrary item type
minItems: 1      # arbitrary minimum number of items
maxItems: 10     # arbitrary maximum number of items
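The following is an added example, not part of the original rule page, showing why the caveat above matters: the same array schema is enforced server-side, so a body that exceeds maxItems is rejected before any per-item processing happens. The schemas mirror the two snippets above; handle_request and the sample bodies are constructed for illustration.

```python
import json

# Constructed schemas mirroring the "identify" (no maxItems) and "resolve" snippets.
WEAK_SCHEMA = {"type": "array", "items": {"type": "integer"}, "minItems": 1}
FIXED_SCHEMA = {"type": "array", "items": {"type": "integer"},
                "minItems": 1, "maxItems": 10}


def validate_array(schema: dict, value) -> list:
    """Return the list of violations of an OpenAPI array schema (empty = valid).
    Minimal server-side check for type, minItems, maxItems and integer items;
    it is not a full JSON Schema implementation."""
    errors = []
    if schema.get("type") != "array" or not isinstance(value, list):
        return ["expected an array"]
    n = len(value)
    if "minItems" in schema and n < schema["minItems"]:
        errors.append(f"too few items: {n} < minItems {schema['minItems']}")
    if "maxItems" in schema and n > schema["maxItems"]:
        errors.append(f"too many items: {n} > maxItems {schema['maxItems']}")
    if schema.get("items", {}).get("type") == "integer":
        # bool is a subclass of int in Python, so exclude it explicitly
        bad = [i for i, v in enumerate(value)
               if not isinstance(v, int) or isinstance(v, bool)]
        if bad:
            errors.append(f"non-integer item at index {bad[0]}")
    return errors


def handle_request(schema: dict, raw_body: str) -> int:
    """Hypothetical request handler returning an HTTP status code.
    Schema violations are rejected with 400 before any item is processed."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400
    return 400 if validate_array(schema, body) else 200


def oversized_body(n: int) -> str:
    """Constructed JSON body with n integers, used to exercise the limit."""
    return json.dumps(list(range(n)))


if __name__ == "__main__":
    big = oversized_body(100_000)
    print(handle_request(WEAK_SCHEMA, big))   # 200: nothing caps the array
    print(handle_request(FIXED_SCHEMA, big))  # 400: maxItems rejects it
```

In a real service the check belongs in the request pipeline (or a schema-validating middleware) so that an unbounded array never reaches business logic.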

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications

References:
https://swagger.io/docs/specification/data-models/data-types/#array
