Stop half-done APIs! Cherrybomb is a CLI tool that helps you avoid undefined user behaviour by auditing your API specifications, validating them and running API security tests.
│ ARRAY ATTRIBUTES ┆ "Info" ┆ Array schema without an item minimum ┆ swagger root path:/ method:GET response status:200 media type:application/json │
├╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┼╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌┤
│ ARRAY ATTRIBUTES ┆ "Low" ┆ Array schema without an item maximum ┆ swagger root path:/ method:GET response status:200 media type:application/json │
Expected behavior
To not have those alerts
Describe the bug
Haven't had a chance to fully play with the tool but the passive scan does not correctly detect min/max items in arrays:
```yaml
paths:
  /:
    get:
      summary: List items
      description: List all items.
      operationId: listItems
      responses:
        '200':
          description: success.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ListReply'
        default:
          description: Unexpected error
components:
  schemas:
    ListReply:
      title: items
      type: array
      description: items list
      items:
        type: string
        description: item
      minItems: 0
      maxItems: 10
      uniqueItems: true
```
Additional context
https://github.com/blst-security/cherrybomb/blob/main/cherrybomb-oas/src/legacy/schema.rs#L44
https://github.com/blst-security/cherrybomb/blob/main/cherrybomb-oas/src/legacy/schema.rs#L46
Item to Items
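Added example (not Cherrybomb's Rust code): a minimal version of the ARRAY ATTRIBUTES passive check run over the ListReply schema from the spec above, embedded here as a constructed dict. The key names passed to `load_bounds` are parameters so the correct spelling (`minItems`/`maxItems`) can be compared with a hypothetical misspelled one (`minItem`/`maxItem`), which silently reads both bounds as absent and yields exactly the two alerts in the report; it also shows why the check must test `is None` rather than truthiness, since `minItems: 0` is a legal value.

```python
# Constructed copy of the ListReply schema from the issue's OpenAPI document,
# with the keys exactly as a YAML/JSON parser would hand them to a passive scan.
LIST_REPLY = {
    "title": "items",
    "type": "array",
    "description": "items list",
    "items": {"type": "string", "description": "item"},
    "minItems": 0,
    "maxItems": 10,
    "uniqueItems": True,
}
# Location string copied from the report in the issue.
LOCATION = "swagger root path:/ method:GET response status:200 media type:application/json"


def load_bounds(schema, min_key="minItems", max_key="maxItems"):
    """Read the array bounds from a raw schema mapping.

    The key names are parameters only so that a misspelled lookup
    (hypothetical 'minItem'/'maxItem') can be demonstrated side by side
    with the correct OAS names; both return None when the key is absent.
    """
    return schema.get(min_key), schema.get(max_key)


def array_attributes(schema, min_key="minItems", max_key="maxItems"):
    """Passive check: one (check, level, description, location) alert per missing bound.

    Uses `is None` rather than truthiness, so a declared `minItems: 0`
    (as in the issue's spec) is not mistaken for a missing minimum.
    """
    if schema.get("type") != "array":
        return []
    lo, hi = load_bounds(schema, min_key, max_key)
    alerts = []
    if lo is None:
        alerts.append(("ARRAY ATTRIBUTES", "Info", "Array schema without an item minimum", LOCATION))
    if hi is None:
        alerts.append(("ARRAY ATTRIBUTES", "Low", "Array schema without an item maximum", LOCATION))
    return alerts


if __name__ == "__main__":
    print("correct keys:   ", array_attributes(LIST_REPLY))            # -> []
    print("misspelled keys:", array_attributes(LIST_REPLY, "minItem", "maxItem"))  # -> two alerts
```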