Checkmarx / kics

Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx.
https://kics.io
Apache License 2.0

bug(openapi): false positive - wrongly required `items` for string type #7020

Open UncleGoogle opened 5 months ago

UncleGoogle commented 5 months ago

In the openapi v2 docs we can see this

Required if type is "array"

so in this example the parameters are valid (talking about the "inner" items):

openapi: 3.0.3
paths:
  /v1/sourceTypes:
    delete:
      description: 'XXX'
      tags:
      - data_sources
      - v1
      produces:
      - application/json
      consumes:
      - application/json
      parameters:
      - name: ids
        in: query
        required: true
        type: array
        items:
          type: string
        description: ''
      responses:
        200:
          description: Successful Response
          schema:
            type: string
          headers: {}

Expected Behavior

No error

Actual Behavior

error 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275 is raised with description:

            "name": "OpenAPI Object should contain all of its required fields",
            "description": "items is missing required fields",

Specifications

gabriel-cx commented 4 months ago

Hi @UncleGoogle ,

Thank you for your inputs! Our internal AppSec team will check it soon. We will keep you updated.

(APPSEC-2558)

gabriel-cx commented 4 months ago

@UncleGoogle KICS is not scanning the code sample you provided, seems like it's an invalid one (we also checked it by using this tool). Kindly provide a valid openapi file so we can have a better look into it.

UncleGoogle commented 4 months ago

Hi @gabriel-cx . Sure, I've extracted the full example:

swagger: '2.0'
info:
  title: Example API
  version: '1.0'
schemes:
- https
produces:
- application/json
paths:
  /v1/dataSourceTypes:
    get:
      tags:
      - data_sources
      parameters:
      - name: limit
        in: query
        required: false
        default: 300
        type: integer
        format: int32
        description: ''
      - name: offset
        in: query
        required: false
        type: integer
        format: int32
        description: ''
      - name: order_field
        in: query
        required: false
        type: string
        description: ''
      - name: order_direction
        in: query
        required: false
        enum:
        - ASC
        - DESC
        type: string
        description: ''
      responses:
        200:
          description: Successful Response
          schema:
            type: string
          headers: {}
        408:
          description: Backend call time-out
          schema:
            type: string
          headers: {}
    delete:
      tags:
      - data_sources
      deprecated: false
      produces:
      - application/json
      consumes:
      - application/json
      parameters:
      - name: ids
        in: query
        required: true
        type: array
        items:
          type: string
        description: ''
      - name: recursive
        in: query
        required: false
        type: boolean
        description: ''
      responses:
        200:
          description: Successful Response
          schema:
            type: string
          headers: {}
        404:
          description: DataSource ID not found
          schema:
            type: string
          headers: {}
        408:
          description: Backend call time-out
          schema:
            type: string
          headers: {}
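
The Swagger 2.0 rule quoted in the opening post ("items" is required only when "type" is "array", and an Items Object in turn needs its own "type"), written out as a stand-alone checker. This is an added example, not KICS code and not the project's Rego query; the three documents below are constructed inline (no YAML parsing) so it runs offline: one mirrors the `ids` parameter from the full file above, one contains the cases the rule should actually flag, and one mirrors the first comment's `openapi: 3.0.3` sample, which carries Swagger 2.0 parameter fields and is therefore rejected for a different reason than a missing `items`.

```python
"""Stand-alone checker for the Swagger 2.0 `items` rule discussed in this issue.

Spec rules applied (Swagger 2.0 Parameter Object / Items Object):
  - a non-body parameter needs `type`; a body parameter needs `schema`
  - `items` is required only when `type` is "array"
  - an Items Object needs `type`, and `items` only when that type is "array"
OpenAPI 3.x parameters describe their type under `schema` (or `content`);
top-level `type`/`items` are Swagger 2.0 fields there and make the file invalid.
"""

OPERATION_KEYS = ("get", "put", "post", "delete", "options", "head", "patch")


def check_items_object(items, path):
    """Validate an Items Object: `type` required, `items` only for nested arrays."""
    if not isinstance(items, dict):
        return [f"{path}: items must be an object"]
    findings = []
    item_type = items.get("type")
    if item_type is None:
        findings.append(f"{path}: items is missing required field 'type'")
    elif item_type == "array":
        if "items" not in items:
            findings.append(f"{path}: array items is missing required field 'items'")
        else:
            findings.extend(check_items_object(items["items"], f"{path}.items"))
    return findings


def check_swagger2_parameter(param, path):
    """Swagger 2.0 Parameter Object: `items` is required if and only if type == array."""
    findings = []
    if param.get("in") == "body":
        if "schema" not in param:
            findings.append(f"{path}: body parameter is missing required field 'schema'")
        return findings
    ptype = param.get("type")
    if ptype is None:
        findings.append(f"{path}: parameter is missing required field 'type'")
    elif ptype == "array":
        if "items" not in param:
            findings.append(f"{path}: array parameter is missing required field 'items'")
        else:
            findings.extend(check_items_object(param["items"], f"{path}.items"))
    return findings


def check_oas3_parameter(param, path):
    """OpenAPI 3.x Parameter Object: type lives under `schema`/`content`."""
    findings = []
    if "schema" not in param and "content" not in param:
        findings.append(f"{path}: OAS3 parameter needs 'schema' or 'content'")
    stray = sorted(k for k in ("type", "items") if k in param)
    if stray:
        findings.append(f"{path}: Swagger 2.0 fields {stray} are not valid on an OAS3 parameter")
    return findings


def check_document(doc):
    """Walk paths -> operations -> parameters and return every finding as a string."""
    check = check_oas3_parameter if "openapi" in doc else check_swagger2_parameter
    findings = []
    for route, path_item in doc.get("paths", {}).items():
        for i, param in enumerate(path_item.get("parameters", [])):
            findings.extend(check(param, f"paths.{route}.parameters[{i}]"))
        for op in OPERATION_KEYS:
            if op not in path_item:
                continue
            for i, param in enumerate(path_item[op].get("parameters", [])):
                findings.extend(check(param, f"paths.{route}.{op}.parameters[{i}]"))
    return findings


# Constructed inputs (not files from the issue; they mirror its parameters).
SWAGGER2_VALID = {"swagger": "2.0", "paths": {"/v1/dataSourceTypes": {"delete": {"parameters": [
    {"name": "ids", "in": "query", "required": True, "type": "array", "items": {"type": "string"}},
    {"name": "recursive", "in": "query", "required": False, "type": "boolean"},
]}}}}

SWAGGER2_BROKEN = {"swagger": "2.0", "paths": {"/x": {"get": {"parameters": [
    {"name": "tags", "in": "query", "type": "array"},                          # no items
    {"name": "matrix", "in": "query", "type": "array", "items": {"type": "array"}},  # nested array, no items
    {"name": "q", "in": "query"},                                              # no type
]}}}}

OAS3_MIXED = {"openapi": "3.0.3", "paths": {"/v1/sourceTypes": {"delete": {"parameters": [
    {"name": "ids", "in": "query", "required": True, "type": "array", "items": {"type": "string"}},
]}}}}

if __name__ == "__main__":
    for label, doc in (("valid", SWAGGER2_VALID), ("broken", SWAGGER2_BROKEN), ("oas3", OAS3_MIXED)):
        print(label, check_document(doc) or "no findings")
```

Running the block reports no findings for the valid Swagger 2.0 file, three for the broken one (missing `items`, missing nested `items`, missing `type`), and two for the mixed file (no `schema`, stray Swagger 2.0 fields). The key point for the query in this issue is the `ids` parameter: an Items Object whose only field is `type: string` satisfies the spec, so a checker that requires anything more of it produces exactly the false positive reported.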

gabriel-cx commented 4 months ago

Hi @UncleGoogle ,

Thank you!! We will analyze your inputs and we will keep you updated.