fixes #21 and makes no-nimeric-ids support any string

stoplightio · Jan 21, 2024 · 165794e · 165794e
1 parent 2622b28
commit 165794e
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 21 deletions.
diff --git a/UPGRADE.md b/UPGRADE.md
@@ -25,7 +25,7 @@
 - Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`.
 - Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`.
 - Renamed `owasp:api4:2019-string-limit` to `owasp:api4:2023-string-limit`.
-- Renamed `owasp:api4:2019-string-restricted` to `owasp:api4:2023-string-restricted`.
+- Renamed `owasp:api4:2019-string-restricted` to `owasp:api4:2023-string-restricted` and downgraded from `error` to `warn`.
 - Renamed `owasp:api4:2019-integer-limit` to `owasp:api4:2023-integer-limit`.
 - Renamed `owasp:api4:2019-integer-limit-legacy` to `owasp:api4:2023-integer-limit-legacy`.
 - Renamed `owasp:api4:2019-integer-format` to `owasp:api4:2023-integer-format`.

diff --git a/__tests__/owasp-api1-2023-no-numeric-ids.test.ts b/__tests__/owasp-api1-2023-no-numeric-ids.test.ts
@@ -3,7 +3,7 @@ import testRule from "./__helpers__/helper";
 
 testRule("owasp:api1:2023-no-numeric-ids", [
   {
-    name: "valid case",
+    name: "valid case: uuid",
     document: {
       openapi: "3.1.0",
       info: { version: "1.0" },
@@ -29,6 +29,60 @@ testRule("owasp:api1:2023-no-numeric-ids", [
     errors: [],
   },
 
+  {
+    name: "valid case: ulid",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/foo/{id}": {
+          get: {
+            description: "get",
+            parameters: [
+              {
+                name: "id",
+                in: "path",
+                required: true,
+                schema: {
+                  type: "string",
+                  format: "ulid",
+                },
+              },
+            ],
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
+  {
+    name: "valid case: random",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/foo/{id}": {
+          get: {
+            description: "get",
+            parameters: [
+              {
+                name: "id",
+                in: "path",
+                required: true,
+                schema: {
+                  type: "string",
+                  example: "sfdjkhjk24kd9s",
+                },
+              },
+            ],
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
   {
     name: "invalid if its an integer",
     document: {
@@ -88,25 +142,25 @@ testRule("owasp:api1:2023-no-numeric-ids", [
     errors: [
       {
         message:
-          "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.",
+          "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.",
         path: ["paths", "/foo/{id}", "get", "parameters", "0", "schema"],
         severity: DiagnosticSeverity.Error,
       },
       {
         message:
-          "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.",
+          "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.",
         path: ["paths", "/foo/{id}", "get", "parameters", "2", "schema"],
         severity: DiagnosticSeverity.Error,
       },
       {
         message:
-          "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.",
+          "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.",
         path: ["paths", "/foo/{id}", "get", "parameters", "3", "schema"],
         severity: DiagnosticSeverity.Error,
       },
       {
         message:
-          "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.",
+          "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.",
         path: ["paths", "/foo/{id}", "get", "parameters", "4", "schema"],
         severity: DiagnosticSeverity.Error,
       },

diff --git a/__tests__/owasp-api4-2023-string-restricted.test.ts b/__tests__/owasp-api4-2023-string-restricted.test.ts
@@ -167,9 +167,9 @@ testRule("owasp:api4:2023-string-restricted", [
     errors: [
       {
         message:
-          "Schema of type string must specify a format, pattern, enum, or const.",
+          "Schema of type string should specify a format, pattern, enum, or const.",
         path: ["definitions", "Foo"],
-        severity: DiagnosticSeverity.Error,
+        severity: DiagnosticSeverity.Warning,
       },
     ],
   },
@@ -194,15 +194,15 @@ testRule("owasp:api4:2023-string-restricted", [
     errors: [
       {
         message:
-          "Schema of type string must specify a format, pattern, enum, or const.",
+          "Schema of type string should specify a format, pattern, enum, or const.",
         path: ["components", "schemas", "Foo"],
-        severity: DiagnosticSeverity.Error,
+        severity: DiagnosticSeverity.Warning,
       },
       {
         message:
-          "Schema of type string must specify a format, pattern, enum, or const.",
+          "Schema of type string should specify a format, pattern, enum, or const.",
         path: ["components", "schemas", "Bar"],
-        severity: DiagnosticSeverity.Error,
+        severity: DiagnosticSeverity.Warning,
       },
     ],
   },

diff --git a/src/ruleset.ts b/src/ruleset.ts
@@ -103,7 +103,7 @@ export default {
      */
     "owasp:api1:2023-no-numeric-ids": {
       description:
-        "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.",
+        "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.",
       severity: DiagnosticSeverity.Error,
       given:
         '$.paths..parameters[*][?(@property === "name" && (@ === "id" || @.match(/(_id|Id|-id)$/)))]^.schema',
@@ -119,11 +119,6 @@ export default {
                 },
               },
             },
-            properties: {
-              format: {
-                const: "uuid",
-              },
-            },
           },
         },
       },
@@ -558,10 +553,10 @@ export default {
      */
     "owasp:api4:2023-string-restricted": {
       message:
-        "Schema of type string must specify a format, pattern, enum, or const.",
+        "Schema of type string should specify a format, pattern, enum, or const.",
       description:
-        "To avoid unexpected values being sent or leaked, ensure that strings have either a `format`, RegEx `pattern`, `enum`, or `const`.",
-      severity: DiagnosticSeverity.Error,
+        "To avoid unexpected values being sent or leaked, strings should have a `format`, RegEx `pattern`, `enum`, or `const`.",
+      severity: DiagnosticSeverity.Warning,
       given: "#StringProperties",
       then: {
         function: schema,