From 165794ecf2a746b1f86059f5ac324ac7d4c81c90 Mon Sep 17 00:00:00 2001 From: Phil Sturgeon <67381+philsturgeon@users.noreply.github.com> Date: Sun, 21 Jan 2024 18:26:07 +0100 Subject: [PATCH] fixes #21 and makes no-nimeric-ids support any string --- UPGRADE.md | 2 +- .../owasp-api1-2023-no-numeric-ids.test.ts | 64 +++++++++++++++++-- .../owasp-api4-2023-string-restricted.test.ts | 12 ++-- src/ruleset.ts | 13 ++-- 4 files changed, 70 insertions(+), 21 deletions(-) diff --git a/UPGRADE.md b/UPGRADE.md index 7721b4a..3c2fc50 100644 --- a/UPGRADE.md +++ b/UPGRADE.md @@ -25,7 +25,7 @@ - Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`. - Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`. - Renamed `owasp:api4:2019-string-limit` to `owasp:api4:2023-string-limit`. -- Renamed `owasp:api4:2019-string-restricted` to `owasp:api4:2023-string-restricted`. +- Renamed `owasp:api4:2019-string-restricted` to `owasp:api4:2023-string-restricted` and downgraded from `error` to `warn`. - Renamed `owasp:api4:2019-integer-limit` to `owasp:api4:2023-integer-limit`. - Renamed `owasp:api4:2019-integer-limit-legacy` to `owasp:api4:2023-integer-limit-legacy`. - Renamed `owasp:api4:2019-integer-format` to `owasp:api4:2023-integer-format`. diff --git a/__tests__/owasp-api1-2023-no-numeric-ids.test.ts b/__tests__/owasp-api1-2023-no-numeric-ids.test.ts index 9844d39..da5a204 100644 --- a/__tests__/owasp-api1-2023-no-numeric-ids.test.ts +++ b/__tests__/owasp-api1-2023-no-numeric-ids.test.ts @@ -3,7 +3,7 @@ import testRule from "./__helpers__/helper"; testRule("owasp:api1:2023-no-numeric-ids", [ { - name: "valid case", + name: "valid case: uuid", document: { openapi: "3.1.0", info: { version: "1.0" }, 
@@ -29,6 +29,60 @@ testRule("owasp:api1:2023-no-numeric-ids", [ errors: [], }, + { + name: "valid case: ulid", + document: { + openapi: "3.1.0", + info: { version: "1.0" }, + paths: { + "/foo/{id}": { + get: { + description: "get", + parameters: [ + { + name: "id", + in: "path", + required: true, + schema: { + type: "string", + format: "ulid", + }, + }, + ], + }, + }, + }, + }, + errors: [], + }, + + { + name: "valid case: random", + document: { + openapi: "3.1.0", + info: { version: "1.0" }, + paths: { + "/foo/{id}": { + get: { + description: "get", + parameters: [ + { + name: "id", + in: "path", + required: true, + schema: { + type: "string", + example: "sfdjkhjk24kd9s", + }, + }, + ], + }, + }, + }, + }, + errors: [], + }, + { name: "invalid if its an integer", document: { 
@@ -88,25 +142,25 @@ testRule("owasp:api1:2023-no-numeric-ids", [ errors: [ { message: - "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.", + "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.", path: ["paths", "/foo/{id}", "get", "parameters", "0", "schema"], severity: DiagnosticSeverity.Error, }, { message: - "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.", + "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.", path: ["paths", "/foo/{id}", "get", "parameters", "2", "schema"], severity: DiagnosticSeverity.Error, }, { message: - "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.", + "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.", path: ["paths", "/foo/{id}", "get", "parameters", "3", "schema"], severity: DiagnosticSeverity.Error, }, { message: - "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.", + "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.", path: ["paths", "/foo/{id}", "get", "parameters", "4", "schema"], severity: DiagnosticSeverity.Error, }, diff --git a/__tests__/owasp-api4-2023-string-restricted.test.ts b/__tests__/owasp-api4-2023-string-restricted.test.ts index db780f8..cfe198c 100644 --- a/__tests__/owasp-api4-2023-string-restricted.test.ts +++ b/__tests__/owasp-api4-2023-string-restricted.test.ts @@ -167,9 +167,9 @@ testRule("owasp:api4:2023-string-restricted", [ errors: [ { message: - "Schema of type string must specify a format, pattern, enum, or const.", + "Schema of type string should specify a format, pattern, enum, or const.", path: ["definitions", "Foo"], - severity: DiagnosticSeverity.Error, + severity: DiagnosticSeverity.Warning, }, ], }, 
@@ -194,15 +194,15 @@ testRule("owasp:api4:2023-string-restricted", [ errors: [ { message: - "Schema of type string must specify a format, pattern, enum, or const.", + "Schema of type string should specify a format, pattern, enum, or const.", path: ["components", "schemas", "Foo"], - severity: DiagnosticSeverity.Error, + severity: DiagnosticSeverity.Warning, }, { message: - "Schema of type string must specify a format, pattern, enum, or const.", + "Schema of type string should specify a format, pattern, enum, or const.", path: ["components", "schemas", "Bar"], - severity: DiagnosticSeverity.Error, + severity: DiagnosticSeverity.Warning, }, ], }, diff --git a/src/ruleset.ts b/src/ruleset.ts index c6f041c..052b976 100644 --- a/src/ruleset.ts +++ b/src/ruleset.ts @@ -103,7 +103,7 @@ export default { */ "owasp:api1:2023-no-numeric-ids": { description: - "OWASP API1:2019 - Use random IDs that cannot be guessed. UUIDs are preferred.", + "Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.", severity: DiagnosticSeverity.Error, given: '$.paths..parameters[*][?(@property === "name" && (@ === "id" || @.match(/(_id|Id|-id)$/)))]^.schema', @@ -119,11 +119,6 @@ export default { }, }, }, - properties: { - format: { - const: "uuid", - }, - }, }, }, }, @@ -558,10 +553,10 @@ export default { */ "owasp:api4:2023-string-restricted": { message: - "Schema of type string must specify a format, pattern, enum, or const.", + "Schema of type string should specify a format, pattern, enum, or const.", description: - "To avoid unexpected values being sent or leaked, ensure that strings have either a `format`, RegEx `pattern`, `enum`, or `const`.", - severity: DiagnosticSeverity.Error, + "To avoid unexpected values being sent or leaked, strings should have a `format`, RegEx `pattern`, `enum`, or `const`.", + severity: DiagnosticSeverity.Warning, given: "#StringProperties", then: { function: schema,
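Review bot: In the `@@ -119,11 +119,6 @@` hunk, dropping the `format: { const: "uuid" }` constraint leaves `owasp:api1:2023-no-numeric-ids` asserting only whatever remains of the `then.function.schema` block above this hunk (that block starts outside the hunk, so I can't confirm it, but it appears to be a type check only), which means a string-typed id that is still sequential, e.g. `pattern: "^[0-9]+$"` or `format: "int64"` on a `type: "string"` schema, now passes a rule whose description promises random, unguessable IDs. Either add a failing case for that shape to the no-numeric-ids test file (the additions in `@@ -29,6 +29,60 @@` cover only passing cases) or document the limitation beside the rule: `// Only the declared type is checked; string-encoded sequential ids (e.g. pattern "^[0-9]+$") are not detected.` The UPGRADE.md hunk records the string-restricted severity downgrade but not this relaxation of the no-numeric-ids rule and its changed message text, which downstream users matching on the old `OWASP API1:2019 - ...` message will hit. The enclosing rule definition starts outside the hunk.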