add unevaluatedproperties rule for OAS 3.1
philsturgeon committed Jan 21, 2024
1 parent f6b9e69 commit 9b1a0cb
Showing 2 changed files with 101 additions and 59 deletions.
9 changes: 9 additions & 0 deletions UPGRADE.md
@@ -2,3 +2,12 @@
- Renamed `owasp:api3:2019-define-error-validation` to `owasp:api8:2023-define-error-validation`
- Renamed `owasp:api3:2019-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`
- Renamed `owasp:api3:2019-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`


- Removed `owasp:api6:2019-no-additionalProperties` to `owasp:api3:2023-no-additionalProperties` limited them to only run on OAS 3.0.
- Removed `owasp:api6:2019-constrained-additionalProperties` to `owasp:api3:2023-constrained-additionalProperties` limited them to only run on OAS 3.0.

## Added

- New `owasp:api3:2023-no-unevaluatedProperties` (will only run on OAS 3.1 and newer.)
- New `owasp:api3:2023-constrained-unevaluatedProperties` (will only run on OAS 3.1 and newer.)
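Review bot: the two "Removed ... to ..." entries in this hunk read as a rename and a removal spliced into one sentence, so the upgrade path is unclear; since the ruleset change deletes `owasp:api6:2019-no-additionalProperties` and `owasp:api6:2019-constrained-additionalProperties` and adds `owasp:api3:2023-*` equivalents restricted to OAS 3.0, rephrase each as "Renamed `owasp:api6:2019-no-additionalProperties` to `owasp:api3:2023-no-additionalProperties` and limited it to only run on OAS 3.0." The "## Added" entries promise that the two new unevaluatedProperties rules "will only run on OAS 3.1 and newer", so the `formats` set on those rules in src/ruleset.ts should be checked against this statement before merge, and the two stray blank lines before the first "Removed" bullet can go.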
151 changes: 92 additions & 59 deletions src/ruleset.ts
@@ -17,8 +17,6 @@ import checkSecurity from "./functions/checkSecurity";
- Name change only for "API4:2019 Lack of Resources & Rate Limiting" to "API4:2023 Unrestricted Resource Consumption
- Demote "API6:2019 — Mass assignment" as its no longer relevant and the rules were not ideal.
- New "API6:2023 - Unrestricted Access to Sensitive Business Flows" (not sure any of these are possible)
https://owasp.org/API-Security/editions/2023/en/0xa6-unrestricted-access-to-sensitive-business-flows/
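Review bot: the header note 'Demote "API6:2019 — Mass assignment" as its no longer relevant and the rules were not ideal' is inaccurate if it survives this hunk, because the rest of the commit does not drop the mass-assignment rules but moves them under API3:2023 as `owasp:api3:2023-no-additionalProperties` / `owasp:api3:2023-constrained-additionalProperties` and adds unevaluatedProperties equivalents; either reword it to say the rules were renamed (and fix "its" to "it's"), or remove it along with the other deleted lines so the file comment matches the ruleset below.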
@@ -359,23 +357,103 @@ export default {
},

/**
* API3:2019 — Excessive data exposure
* API3:2023 Broken Object Property Level Authorization
*
* Use case
* - ❌ The API returns full data objects as they are stored in the backend database.
* - ❌ The client application filters the responses and only shows the data that the users really need to see.
* - ❌ Attackers call the API directly and get also the sensitive data that the UI would filter out.
* - ❌ APIs expose endpoints that return all object’s properties.
* - ❌ Inspecting API responses is enough to identify sensitive information in returned objects’ representations. Fuzzing is usually used to identify additional (hidden) properties. Whether they can be changed is a matter of crafting an API request and analyzing the response. Side-effect analysis may be required if the target property is not returned in the API response.
* - ❌ Unauthorized access to private/sensitive object properties may result in data disclosure, data loss, or data corruption. Under certain circumstances, unauthorized access to object properties can lead to privilege escalation or partial/full account takeover.
* - 🟠 The API endpoint exposes properties of an object that are considered sensitive and should not be read by the user.
* - ✅ The API endpoint allows a user to change, add/or delete the value of a sensitive object's property which the user should not be able to access
*
* How to prevent
* - ❌ Never rely on the client to filter data!
* - ❌ Review all API responses and adapt them to match what the API consumers really need.
* - ❌ Carefully define schemas for all the API responses.
* - ✅ Do not forget about error responses, define proper schemas as well.
* - ✅ Do not allowed additionalProperties in objects.
* - 🟠 Carefully define schemas for all the API responses.
* - 🟠 Identify all the sensitive data or Personally Identifiable Information (PII), and justify its use.
* https://github.com/stoplightio/spectral-owasp-ruleset/issues/11
* - ❌ Enforce response checks to prevent accidental leaks of data or exceptions.
*/

/**
* @author: Roberto Polli <https://github.com/ioggstream>
* @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
*/
"owasp:api3:2023-no-additionalProperties": {
message:
"If the additionalProperties keyword is used it must be set to false.",
description:
"By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `additionalProperties: false` or add `maxProperties`.",
severity: DiagnosticSeverity.Warning,
formats: [oas3_0],
given: '$..[?(@ && @.type=="object" && @.additionalProperties)]',
then: [
{
field: "additionalProperties",
function: falsy,
},
],
},

/**
* @author: Roberto Polli <https://github.com/ioggstream>
* @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
*/
"owasp:api3:2023-constrained-additionalProperties": {
message: "Objects should not allow unconstrained additionalProperties.",
description:
"By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `additionalProperties: false` or add `maxProperties`",
severity: DiagnosticSeverity.Warning,
formats: [oas3_0],
given:
'$..[?(@ && @.type=="object" && @.additionalProperties && @.additionalProperties!=true && @.additionalProperties!=false )]',
then: [
{
field: "maxProperties",
function: defined,
},
],
},

/**
* @author: Roberto Polli <https://github.com/ioggstream>
* @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
*/
"owasp:api3:2023-no-unevaluatedProperties": {
message:
"If the unevaluatedProperties keyword is used it must be set to false.",
description:
"By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `unevaluatedProperties: false` or add `maxProperties`.",
severity: DiagnosticSeverity.Warning,
formats: [oas3_0],
given: '$..[?(@ && @.type=="object" && @.unevaluatedProperties)]',
then: [
{
field: "unevaluatedProperties",
function: falsy,
},
],
},

/**
* @author: Roberto Polli <https://github.com/ioggstream>
* @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
*/
"owasp:api3:2023-constrained-unevaluatedProperties": {
message: "Objects should not allow unconstrained unevaluatedProperties.",
description:
"By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `unevaluatedProperties: false` or add `maxProperties`",
severity: DiagnosticSeverity.Warning,
formats: [oas3_0],
given:
'$..[?(@ && @.type=="object" && @.unevaluatedProperties && @.unevaluatedProperties!=true && @.unevaluatedProperties!=false )]',
then: [
{
field: "maxProperties",
function: defined,
},
],
},

/**
* API4:2019 — Lack of resources and rate limiting
*
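Review bot: `formats: [oas3_0]` on `owasp:api3:2023-no-unevaluatedProperties` and `owasp:api3:2023-constrained-unevaluatedProperties` contradicts the commit message and the UPGRADE.md entry that says these rules "will only run on OAS 3.1 and newer". `unevaluatedProperties` is a JSON Schema 2019-09 keyword that the OAS 3.0 schema dialect does not define, so as written the two new rules fire only on documents where the keyword has no meaning and never on the OAS 3.1 documents they were added for; change both to `formats: [oas3_1]` (importing `oas3_1` from `@stoplight/spectral-formats` next to `oas3_0` if it is not already imported). Two smaller points: the `description` strings of the two `constrained-*` rules drop the trailing period that the `no-*` rules have, and the "Carefully define schemas for all the API responses." bullet appears twice in the API3 comment block (once ❌, once 🟠), which looks like a copy-paste leftover.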
@@ -619,62 +697,17 @@ export default {
// TODO: Check for /admin/ in the path and see if its the same securityScheme as non admin paths.

/**
* API6:2019 — Mass assignment
* API6:2023 —
*
*
* The API takes data that client provides and stores it without proper filtering for safelisted properties. Attackers can try to guess object properties or provide additional object properties in their requests, read the documentation, or check out API endpoints for clues where to find the openings to modify properties they are not supposed to on the data objects stored in the backend.
*
* Use case
*
* - ❌ The API works with the data structures without proper filtering.
* - ❌ Received payload is blindly transformed into an object and stored.
* - ❌ Attackers can guess the fields by looking at the GET request data.
* - ❌
*
* How to prevent
* - ❌ Do not automatically bind incoming data and internal objects.
* - ✅ Explicitly define all the parameters and payloads you are expecting.
* - 🟠 Use the readOnly property set to true in object schemas for all properties that can be retrieved through APIs but should never be modified.
* - ❌ Precisely define the schemas, types, and patterns you will accept in requests at design time and enforce them at runtime.
*/

/**
* @author: Roberto Polli <https://github.com/ioggstream>
* @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
*/
"owasp:api6:2019-no-additionalProperties": {
message:
"If the additionalProperties keyword is used it must be set to false.",
description:
"By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `additionalProperties: false` or add `maxProperties`.",
severity: DiagnosticSeverity.Warning,
formats: [oas3],
given: '$..[?(@ && @.type=="object" && @.additionalProperties)]',
then: [
{
field: "additionalProperties",
function: falsy,
},
],
},

/**
* @author: Roberto Polli <https://github.com/ioggstream>
* @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
* - ❌
*/
"owasp:api6:2019-constrained-additionalProperties": {
message: "Objects should not allow unconstrained additionalProperties.",
description:
"By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `additionalProperties: false` or add `maxProperties`",
severity: DiagnosticSeverity.Warning,
formats: [oas3],
given:
'$..[?(@ && @.type=="object" && @.additionalProperties && @.additionalProperties!=true && @.additionalProperties!=false )]',
then: [
{
field: "maxProperties",
function: defined,
},
],
},

/**
* API8:2019 — Security misconfiguration
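Review bot: the `owasp:api6:2019-no-additionalProperties` and `owasp:api6:2019-constrained-additionalProperties` keys are deleted outright rather than kept as deprecated entries pointing at their `owasp:api3:2023-*` replacements, so any consumer ruleset that `extends` this one and overrides either rule by name will now reference a rule that no longer exists; UPGRADE.md records the rename, but a short deprecation period or a clearer note that overrides must be moved to the new names would make the cut less surprising. Also worth stating in the upgrade notes: the removed rules used `formats: [oas3]` (all OAS 3.x), while their replacements use `[oas3_0]`, so OAS 3.1 documents lose `additionalProperties` checks entirely unless the new `unevaluatedProperties` rules actually target OAS 3.1.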

0 comments on commit 9b1a0cb
