
Change oneOf to anyOf schema in owasp:api4:2019-string-restricted…
… and owasp:api4:2019-string-limit (#43)

* Change `oneOf` to `anyOf` schema in owasp:api4:2019-string-restricted

The use of `oneOf` means that _only_ one of the schema constraints may be true,
but it is valid if two or more of the string schema constraint keywords
are present: `format`, `pattern`, `enum`, `const`.

* Change `oneOf` to `anyOf` schema in owasp:api4:2019-string-limit

As with `2019-string-restricted`: the schema check should be
`anyOf` instead of `oneOf` in case a schema has more than one of the
keywords.
DavidBiesack authored May 17, 2023
1 parent 2fd49c3 commit 343043b
Showing 3 changed files with 67 additions and 10 deletions.
50 changes: 44 additions & 6 deletions __tests__/owasp-api4-2019-string-limit.test.ts
Expand Up @@ -51,7 +51,6 @@ testRule("owasp:api4:2019-string-limit", [
errors: [],
},


{
name: "valid case: oas3.0",
document: {
Expand All @@ -61,7 +60,24 @@ testRule("owasp:api4:2019-string-limit", [
schemas: {
Foo: {
type: "string",
enum: [ "a", "b", "c" ]
enum: ["a", "b", "c"],
},
},
},
},
errors: [],
},

{
name: "valid case: oas3.1",
document: {
openapi: "3.1.0",
info: { version: "1.0" },
components: {
schemas: {
Foo: {
type: "string",
const: "constant",
},
},
},
Expand All @@ -78,7 +94,26 @@ testRule("owasp:api4:2019-string-limit", [
schemas: {
Foo: {
type: "string",
const: "constant"
const: "constant",
},
},
},
},
errors: [],
},

{
name: "valid case: pattern and maxLength, oas3.1",
document: {
openapi: "3.1.0",
info: { version: "1.0" },
components: {
schemas: {
Foo: {
type: "string",
format: "hex",
pattern: "^[0-9a-fA-F]+$",
maxLength: 16
},
},
},
Expand All @@ -99,7 +134,8 @@ testRule("owasp:api4:2019-string-limit", [
},
errors: [
{
message: "Schema of type string must specify maxLength, enum, or const.",
message:
"Schema of type string must specify maxLength, enum, or const.",
path: ["definitions", "Foo"],
severity: DiagnosticSeverity.Error,
},
Expand All @@ -121,7 +157,8 @@ testRule("owasp:api4:2019-string-limit", [
},
errors: [
{
message: "Schema of type string must specify maxLength, enum, or const.",
message:
"Schema of type string must specify maxLength, enum, or const.",
path: ["components", "schemas", "Foo"],
severity: DiagnosticSeverity.Error,
},
Expand All @@ -142,7 +179,8 @@ testRule("owasp:api4:2019-string-limit", [
},
errors: [
{
message: "Schema of type string must specify maxLength, enum, or const.",
message:
"Schema of type string must specify maxLength, enum, or const.",
path: ["components", "schemas", "Foo"],
severity: DiagnosticSeverity.Error,
},
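Review bot: The new "valid case: pattern and maxLength, oas3.1" fixture in the third hunk (`Foo` with `format`, `pattern`, `maxLength: 16`) does not exercise the oneOf→anyOf change for this rule: going by the rule's own message, the alternatives are `maxLength`, `enum` and `const`, and the fixture carries only one of them, so it would have passed under `oneOf` as well (the full `anyOf` list for string-limit is outside the ruleset hunk, so this is inferred from the message text). A fixture that fails before the fix and passes after it needs two of the listed keywords, e.g. `type: "string", maxLength: 3, enum: ["a", "b", "c"],`. The test name also omits `format`, which the fixture sets; `name: "valid case: format, pattern and maxLength, oas3.1",` would describe it accurately. The enclosing testRule(...) call starts and ends outside the hunk.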
21 changes: 20 additions & 1 deletion __tests__/owasp-api4-2019-string-restricted.test.ts
Expand Up @@ -50,7 +50,7 @@ testRule("owasp:api4:2019-string-restricted", [
},

{
name: "valid case: format (oas3)",
name: "valid case: pattern (oas3)",
document: {
openapi: "3.0.0",
info: { version: "1.0" },
Expand Down Expand Up @@ -117,6 +117,25 @@ testRule("owasp:api4:2019-string-restricted", [
errors: [],
},

{
name: "valid case: format + pattern (oas3.1)",
document: {
openapi: "3.1.0",
info: { version: "1.0" },
components: {
schemas: {
foo: {
type: "string",
format: "hex",
pattern: "^[0-9a-fA-F]+$",
maxLength: 16
},
},
},
},
errors: [],
},

{
name: "valid case: const (oas3.1)",
document: {
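Review bot: The added `maxLength: 16` line in the new "format + pattern (oas3.1)" fixture lacks the trailing comma that this same commit adds to the neighbouring fixtures (`enum: ["a", "b", "c"],`, `const: "constant",`), so the next Prettier run will reformat it; the matching line in the string-limit test has the same inconsistency. `maxLength` is also not one of the keywords this rule names in its message (`format`, `pattern`, `enum`, `const`), so it can be dropped from this fixture without changing what the case proves, or the name can say why it is there. The enclosing testRule(...) call starts and ends outside the hunk.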
6 changes: 3 additions & 3 deletions src/ruleset.ts
Expand Up @@ -529,7 +529,7 @@ export default {
functionOptions: {
schema: {
type: "object",
oneOf: [
anyOf: [
{
required: ["maxLength"],
},
Expand All @@ -551,15 +551,15 @@ export default {
"owasp:api4:2019-string-restricted": {
message: "Schema of type string must specify a format, pattern, enum, or const.",
description:
"To avoid unexpected values being sent or leaked, ensure that strings have either a format or a RegEx pattern. This can be done using `format`, `pattern`, `enum` or `const`.",
"To avoid unexpected values being sent or leaked, ensure that strings have either a `format`, RegEx `pattern`, `enum`, or `const`.",
severity: DiagnosticSeverity.Error,
given: "#StringProperties",
then: {
function: schema,
functionOptions: {
schema: {
type: "object",
oneOf: [
anyOf: [
{
required: ["format"],
},
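Review bot: The reworded description in the second hunk still says "either a `format`, RegEx `pattern`, `enum`, or `const`", which reads as exclusive while the `anyOf` directly below now deliberately accepts several of these together; suggest ``"To avoid unexpected values being sent or leaked, ensure that strings have at least one of a `format`, a RegEx `pattern`, an `enum`, or a `const`.",``. Both schemas also check only key presence (`required: ["maxLength"]`, `required: ["format"]`), so a permissive value such as an unanchored pattern or a very large maxLength still satisfies the rule; a one-line comment above each `anyOf`, e.g. `// presence check only: the value of the keyword is not validated here`, would keep the next maintainer from expecting value validation. The `functionOptions` objects in both hunks continue outside the hunk.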
