zuplo / rate-my-openapi

https://ratemyopenapi.com
MIT License

Invalid OWASP API1:2019 detection #230

Open pcolmer opened 3 weeks ago

pcolmer commented 3 weeks ago

I have an API that specifies a query parameter like this:

        - in: query
          name: location_id
          description: Optional parameter to limit results to a given org or ou location
          example: org:91522ce0-e52f-47d8-b034-5f3664f740e4
          schema:
            oneOf: 
              - $ref: "#/components/schemas/org_id"
              - $ref: "#/components/schemas/ou_id"

where org_id is thus:

    org_id:
      type: string
      pattern: ^org\:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
      maxLength: 40
      minLength: 40
      example: org:91522ce0-e52f-47d8-b034-5f3664f740e4

and ou_id is thus:

    ou_id:
      type: string
      pattern: ^ou\:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$
      maxLength: 39
      minLength: 39
      example: ou:36e41ce2-9675-410d-ade0-ffcc3d8007f9

but this is being flagged up as an OWASP API1:2019 issue.
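
As an added illustration (not part of this issue or of the rate-my-openapi project): a small, stdlib-only Python checker that resolves the two `$ref`s under the parameter's `oneOf` and validates sample query values against the `pattern`, `minLength` and `maxLength` constraints from the schemas quoted above. Resolving the refs matters because the parameter's own `schema` object carries no `pattern` key at all; the constraints live in the referenced component schemas. The function names, the in-memory spec excerpt and every sample value other than the two `example` values from the issue are constructed for this demonstration.

```python
import re

# Constructed in-memory excerpt of the spec from the issue (example keys omitted).
COMPONENTS = {
    "org_id": {
        "type": "string",
        "pattern": r"^org\:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
        "minLength": 40,
        "maxLength": 40,
    },
    "ou_id": {
        "type": "string",
        "pattern": r"^ou\:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
        "minLength": 39,
        "maxLength": 39,
    },
}

LOCATION_ID_PARAM = {
    "in": "query",
    "name": "location_id",
    "schema": {
        "oneOf": [
            {"$ref": "#/components/schemas/org_id"},
            {"$ref": "#/components/schemas/ou_id"},
        ]
    },
}

REF_PREFIX = "#/components/schemas/"


def resolve(schema, components):
    """Follow a local '#/components/schemas/<name>' $ref (the only kind used here)."""
    ref = schema.get("$ref")
    if ref is None:
        return schema
    if not ref.startswith(REF_PREFIX):
        raise ValueError(f"unsupported $ref: {ref}")
    return components[ref[len(REF_PREFIX):]]


def collect_constraints(schema, components):
    """Return, per leaf schema, the sorted list of value-constraining keywords found
    after resolving $refs. Used to show where the constraints actually sit."""
    schema = resolve(schema, components)
    if "oneOf" in schema:
        found = []
        for branch in schema["oneOf"]:
            found.extend(collect_constraints(branch, components))
        return found
    keys = [k for k in ("pattern", "minLength", "maxLength", "format", "enum") if k in schema]
    return [sorted(keys)]


def matches(schema, value, components):
    """Validate `value` against a JSON Schema subset: $ref, oneOf, type: string,
    pattern, minLength, maxLength. oneOf succeeds only if exactly one branch matches."""
    schema = resolve(schema, components)
    if "oneOf" in schema:
        hits = sum(matches(branch, value, components) for branch in schema["oneOf"])
        return hits == 1
    if schema.get("type") == "string" and not isinstance(value, str):
        return False
    if "minLength" in schema and len(value) < schema["minLength"]:
        return False
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        return False
    # JSON Schema patterns are unanchored, so use search; these patterns anchor themselves.
    if "pattern" in schema and re.search(schema["pattern"], value) is None:
        return False
    return True


def validate_location_id(value):
    """Would this query value be accepted for the location_id parameter?"""
    return matches(LOCATION_ID_PARAM["schema"], value, COMPONENTS)


if __name__ == "__main__":
    print("constraints per branch:", collect_constraints(LOCATION_ID_PARAM["schema"], COMPONENTS))
    for sample in (
        "org:91522ce0-e52f-47d8-b034-5f3664f740e4",  # example from the issue
        "ou:36e41ce2-9675-410d-ade0-ffcc3d8007f9",   # example from the issue
        "91522ce0-e52f-47d8-b034-5f3664f740e4",      # constructed: no prefix
        "ORG:91522ce0-e52f-47d8-b034-5f3664f740e4",  # constructed: wrong case
        "12345",                                     # constructed: plain numeric id
    ):
        print(f"{sample!r:>45} -> {validate_location_id(sample)}")
```

The two branch patterns start with different literal prefixes, so a value can never satisfy both, which is what makes `oneOf` (exactly one match) the right combinator here rather than `anyOf`; the checker's `hits == 1` test makes that semantic explicit.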

AdrianMachado commented 1 week ago

Hey @pcolmer - thanks for the feedback, I will look into this for you