Unrestricted string

owasp:api4:2019-string-restricted

Rule Severity:

High

Ensure that every string the API accepts or returns has a `format`, a RegEx `pattern`, an `enum`, or a `const` defined in its schema.
This rule applies at the API Specification level (OAS/Swagger).
Expecting a specific structure for incoming or outgoing strings is a form of input and output validation. The more stringent the constraint, the less likely an unintended value can be injected into the system or leaked out of it. Note that a constraint written in the specification only protects the API if a gateway, framework, or handler actually enforces it at runtime; in JSON Schema, `format` in particular is advisory unless the validator is configured to assert it, so `pattern`, `enum`, and `const` are the more reliable choices.
In OAS terms, `type: string` alone says nothing about the value. `format` names a well-known structure (for example `email`, `uuid`, or `date-time`). `pattern` is a regular expression the value must match; anchor it with `^` and `$`, because JSON Schema patterns are matched as an unanchored search. `enum` restricts the value to a fixed list of allowed values. `const` pins the value to a single fixed value.

Example Attack Scenario

Injection Attacks: Attackers can exploit unrestricted string inputs to perform injection attacks such as SQL injection, NoSQL injection, or command injection. By placing malicious code or commands in the string, an attacker can alter the behavior of the system, gain unauthorized access, extract sensitive data, or run commands on the underlying host. A tight `pattern` or `enum` on the field rejects such payloads before they reach the backend.

1. How to Identify with Example Scenario

schemas:
  Myobj:
    type: string

1. How to Resolve with Example Scenario

schemas:
  Myobj:
    type: string
    format: email

2. How to Identify with Example Scenario

In the specification above, the issue is the `type: string` line that stands alone: the schema `Myobj` accepts any string of any length and content. Search the specification for every `type: string` that is not accompanied by `format`, `pattern`, `enum`, or `const`.

2. How to Resolve with Example Scenario

Add a constraint next to each such `type: string`. In the resolved example above, `format: email` restricts `Myobj` to e-mail addresses; a `pattern`, an `enum`, or a `const` would serve the same purpose for strings that have no standard format.
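The identify and resolve steps above can be automated. The following Python script is an added example written for this page, not code from the OWASP API Security project or from any linter: it walks an OpenAPI 3 document and reports every string schema that carries none of `format`, `pattern`, `enum`, or `const`. The two documents `BEFORE_SPEC` and `AFTER_SPEC` are constructed samples, and the schema names (`Myobj`, `User`, `username`, `role`) are hypothetical. It also shows the anchoring caveat: a `pattern` is only useful at runtime if it is anchored, because JSON Schema applies it as an unanchored search.

```python
"""Minimal check for owasp:api4:2019-string-restricted over an OpenAPI 3 document."""
import re
from typing import Any

# A string schema is considered restricted if it has any of these keys.
CONSTRAINT_KEYS = ("format", "pattern", "enum", "const")


def is_restricted(schema: dict) -> bool:
    """True when the string schema carries at least one constraining keyword."""
    return any(key in schema for key in CONSTRAINT_KEYS)


def find_unrestricted_strings(node: Any, path: str = "#") -> list[str]:
    """Recursively collect JSON-pointer-style paths of unrestricted string schemas.

    Any object with ``type: string`` and no constraint keyword is reported.
    Lists (allOf/oneOf/anyOf, parameters) are traversed by index.
    """
    findings: list[str] = []
    if isinstance(node, dict):
        if node.get("type") == "string" and not is_restricted(node):
            findings.append(path)
        for key, value in node.items():
            findings.extend(find_unrestricted_strings(value, f"{path}/{key}"))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(find_unrestricted_strings(item, f"{path}/{index}"))
    return findings


def pattern_allows(schema: dict, value: str) -> bool:
    """Apply a schema's ``pattern`` the way JSON Schema does: an unanchored search.

    An unanchored pattern such as ``[a-z]+`` would accept ``"x; rm -rf /"``,
    which is why patterns in the spec should start with ^ and end with $.
    """
    return re.search(schema["pattern"], value) is not None


# Constructed sample: the "before" specification with three unrestricted strings.
BEFORE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Sample", "version": "1.0"},
    "paths": {},
    "components": {"schemas": {
        "Myobj": {"type": "string"},
        "User": {"type": "object", "properties": {
            "email": {"type": "string"},
            "role": {"type": "string"},
            "id": {"type": "integer"},
        }},
    }},
}

# Constructed sample: the same specification with every string constrained.
AFTER_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Sample", "version": "1.0"},
    "paths": {},
    "components": {"schemas": {
        "Myobj": {"type": "string", "format": "email"},
        "User": {"type": "object", "properties": {
            "email": {"type": "string", "format": "email"},
            "role": {"type": "string", "enum": ["admin", "user"]},
            "username": {"type": "string", "pattern": "^[a-z0-9_]{3,16}$"},
            "id": {"type": "integer"},
        }},
    }},
}


if __name__ == "__main__":
    for name, spec in (("before", BEFORE_SPEC), ("after", AFTER_SPEC)):
        hits = find_unrestricted_strings(spec)
        print(f"{name}: {len(hits)} unrestricted string schema(s)")
        for hit in hits:
            print("  ", hit)
    username = AFTER_SPEC["components"]["schemas"]["User"]["properties"]["username"]
    print("alice_01 allowed:", pattern_allows(username, "alice_01"))
    print("injection allowed:", pattern_allows(username, "alice'; DROP TABLE users--"))
```

Run it against a real document by loading the JSON (or YAML, with a YAML library) into `find_unrestricted_strings`; each reported path points at a `type: string` that needs a `format`, `pattern`, `enum`, or `const` before the rule passes.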