42Crunch / intellij-openapi-editor

OpenAPI (Swagger) Editor plugin for IntelliJ

Relative URL in $.servers.url treated as an error #35

Open karelhusa opened 1 year ago

karelhusa commented 1 year ago

Relative URLs in OpenAPI 3

Servers declaration in OpenAPI 3 allows setting relative paths, see https://swagger.io/docs/specification/api-host-and-base-path/ .

However, in the security audit it's treated as a problem: "The url property '/relative/path' of the Server object must be an absolute URL".

A relative URL should not be considered a security issue, especially at API design time. Or is there any reason for it?

ak1394 commented 1 year ago

Hi Karel! There should be a more detailed description of the issue in the report, along the lines of:

The Open API Specification (OAS) states that a server object may have a relative URL, but that this indicates that the host location is relative to the location where the OpenAPI document is being served. Because API definitions are uploaded to 42Crunch Platform, not retrieved from URLs, Security Audit cannot infer the host location and thus relative URLs are not acceptable.

Additionally, I believe it's easy to forget to update server.url when moving API from dev to production if the issue is not flagged at the development time.
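To make the resolution rule in the comment above concrete, here is an added example (not code from this plugin or from 42Crunch Security Audit) that walks the `servers` array of an already-parsed OpenAPI 3 document, expands server variables to their defaults, and then either classifies each URL as absolute, resolves it against the location the document is served from (the OAS rule quoted above, implemented with `urllib.parse.urljoin`), or flags it as unresolvable when no such location is known, which is the situation of an uploaded definition. The sample document, the `https://dev.example.com/...` location and the `unresolvable_severity` knob are all constructed for illustration.

```python
"""Classify, resolve or flag the server URLs of an OpenAPI 3 document.

Added example, not part of the intellij-openapi-editor plugin or of 42Crunch
Security Audit. Assumes the OpenAPI document has already been loaded from
YAML/JSON into a Python dict.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample document covering the cases that matter here:
# an absolute URL, a path-absolute relative URL, a scheme-relative URL,
# a templated URL with server variables, and a path-relative URL.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Sample API", "version": "1.0"},
    "servers": [
        {"url": "/relative/path"},
        {"url": "https://api.example.com/v1"},
        {"url": "//cdn.example.com/v2"},
        {
            "url": "{scheme}://api.example.com/v3",
            "variables": {"scheme": {"default": "https", "enum": ["http", "https"]}},
        },
        {"url": "api/v2"},
    ],
}


def expand_variables(server):
    """Substitute {name} placeholders in server.url with each variable's default.

    OAS requires every server variable to carry a default, so expansion always
    yields a concrete URL that can be inspected for a scheme and host.
    """
    url = server["url"]
    for name, spec in server.get("variables", {}).items():
        url = url.replace("{" + name + "}", str(spec["default"]))
    return url


def is_absolute(url):
    """True only when the URL carries both a scheme and a host.

    A scheme-relative URL such as //cdn.example.com/v2 has a host but no
    scheme and is therefore still relative per RFC 3986.
    """
    parts = urlsplit(url)
    return bool(parts.scheme) and bool(parts.netloc)


def check_servers(doc, document_location=None, unresolvable_severity="error"):
    """Return one finding per server entry.

    document_location: the URL the OpenAPI document itself is served from,
    or None when that is unknown (e.g. a definition uploaded to an audit
    service rather than fetched). Relative URLs resolve against it exactly as
    a browser would resolve a relative link; without it they are reported as
    unresolvable with the caller-chosen severity (a hypothetical knob here,
    reflecting the error-versus-warning question in this thread).
    """
    findings = []
    for server in doc.get("servers", []):
        url = expand_variables(server)
        if is_absolute(url):
            findings.append({"url": url, "status": "absolute",
                             "effective_url": url, "severity": None})
        elif document_location:
            findings.append({"url": url, "status": "resolved",
                             "effective_url": urljoin(document_location, url),
                             "severity": None})
        else:
            findings.append({"url": url, "status": "unresolvable",
                             "effective_url": None,
                             "severity": unresolvable_severity})
    return findings


if __name__ == "__main__":
    print("Uploaded definition (no document location):")
    for f in check_servers(SAMPLE_DOC):
        print(f"  {f['url']!r:40} {f['status']:12} severity={f['severity']}")
    print("Same definition served from https://dev.example.com/openapi/openapi.yaml:")
    for f in check_servers(SAMPLE_DOC, "https://dev.example.com/openapi/openapi.yaml"):
        print(f"  {f['url']!r:40} {f['status']:12} -> {f['effective_url']}")
```

Running the script shows why the two viewpoints in this thread both hold: with a document location, `/relative/path` and even `//cdn.example.com/v2` resolve to well-defined hosts, whereas without one the same entries cannot be turned into a host at all, and the only design choice left is what severity to attach to that.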

karelhusa commented 1 year ago

Anton, I understand your point, though I would lower the severity to a warning or even to info.

I rarely fill in the URL hostname in API design, since this is usually part of the deployment configuration, especially in the DevOps pipeline.

Such a check would make good sense to me in published (production) API definitions, but not in design time.

ak1394 commented 1 year ago

I'll pass your comments to the team that works on 42Crunch Security Audit (the service that this extension uses to audit OAS) and update this ticket once I hear from them.