
how about this, additionalProperties must be defined, either false or subschema.
philsturgeon committed Jan 3, 2023
1 parent 394c1ae commit 2c74abf
Showing 1 changed file with 9 additions and 11 deletions.
20 changes: 9 additions & 11 deletions src/ruleset.ts
Expand Up @@ -653,17 +653,16 @@ export default {
*/
"owasp:api6:2019-no-additionalProperties": {
message:
"additionalProperties is disabled by default in OAS3.0, and should not be enabled.",
"additionalProperties is enabled by default in OAS3.0, and should be disabled.",
description:
"OpenAPI v3.0 allows additional properties but is disabled by default. This feature should not be enabled as it can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `additionalProperties: false` or add `maxProperties`.",
"Additional properties are enabled by default in modern OpenAPI and JSON Schema as it helps keep your API forwards compatible, but it can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable additional properties explicitly with `additionalProperties: false`.",
severity: DiagnosticSeverity.Warning,
formats: [oas3_0],
given:
'$..[?(@ && @.type=="object" && @.additionalProperties && @.additionalProperties.type != "object" )]',
formats: [oas3],
given: '$..[?(@ && @.type=="object")]',
then: [
{
field: "additionalProperties",
function: falsy,
function: defined,
},
],
},
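Review bot: the `then` block at the end of this hunk only asserts `function: defined`, so `additionalProperties: true` or an empty `{}` now satisfies `owasp:api6:2019-no-additionalProperties` even though the new message says it "should be disabled". If the intent is that the value itself is policed by the `constrained-additionalProperties` rule, reword the message to say `additionalProperties` must be declared explicitly (the rule id `no-additionalProperties` no longer describes what it checks either); otherwise keep a `falsy` check on the value here. The message also still says "OAS3.0" while `formats: [oas3]` now covers 3.1 documents as well.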
Expand All @@ -675,10 +674,10 @@ export default {
"owasp:api6:2019-constrained-additionalProperties": {
message: "Objects should not allow unconstrained additionalProperties.",
description:
"By default OpenAPI v3.1 enables additionalProperties. This feature should be turned off as it can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Alternatively it could be constrained with `maxProperties`",
"Additional properties are enabled by default in modern OpenAPI and JSON Schema as it helps keep your API forwards compatible, but it can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable additional properties explicitly with `additionalProperties: false`, or constrain the additional properties by providing a schema for their validation: `additionalProperties: { type: ... } }`.",
severity: DiagnosticSeverity.Warning,
formats: [oas3_1],
given: '$..[?(@ && @.type=="object")]',
formats: [oas3],
given: '$..[?(@ && @.type=="object" && @.additionalProperties )]',
then: [
{
function: schema,
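Review bot: the example at the end of the new description string, `additionalProperties: { type: ... } }`, has an unbalanced closing brace and should read `additionalProperties: { type: ... }`. Also note that the new `given` filter `@.additionalProperties` is JavaScript truthiness, so `additionalProperties: {}` is selected (an empty object is truthy) while `false` is skipped; that is fine for the stated intent but worth a comment next to the `given`, since it changes which nodes reach the `schema` function.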
Expand All @@ -690,12 +689,11 @@ export default {
const: false,
},
},
// or it is constrained with maxProperties
// or it is constrained with a sub-schema
{
additionalProperties: {
type: "object",
},
required: ["maxProperties"],
},
],
},
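Review bot: the replacement branch `additionalProperties: { type: "object" }` accepts an empty subschema `{}`, which passes the rule while constraining nothing, so the guarantee the removed `required: ["maxProperties"]` gave is lost without an equivalent; consider adding `minProperties: 1` to that branch (or requiring `type` or `$ref` inside it) so at least one validation keyword must be present. Since the rule's `given` now only selects nodes whose `additionalProperties` is truthy, the `const: false` branch above can no longer match and could be dropped, and the comment `// or it is constrained with a sub-schema` should state what counts as constrained.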

0 comments on commit 2c74abf