forked from italia/api-oas-checker
objects.yml
rules:
  # Shared rule body: the two rules further down reuse it through the YAML
  # merge key and override only `given` and `then`.
  sec-no-additionalProperties: &object-constraints
    description: |-
      By default, JSON Schema allows additionalProperties. This means
      that schema validators can be bypassed using further, unspecified
      fields: a payload carrying a property the schema never mentions is
      still valid, and the application may end up processing it.
      While forbidding additionalProperties can create rigidity and hinder
      the evolution of an API, e.g. making it hard to accept new parameters
      or fields, that same flexibility can be used to bypass the schema
      validator and force the application to process unwanted information.

      Disable `additionalProperties` with `false`

      ```
      Person:
        type: object
        additionalProperties: false
        properties:
          given_name:
            type: string
            pattern: '^[a-zA-Z ]{1,24}$'
      ```

      Or constrain them with a schema and bound their number with `maxProperties`

      ```
      Person:
        type: object
        additionalProperties:
          type: string
          pattern: '^\+39[0-9]{1,14}$'
        maxProperties: 3
        properties:
          given_name:
            type: string
            pattern: '^[a-zA-Z ]{1,24}$'
      ```

      Note that `pattern` is searched, not fully matched, so anchor it with
      `^` and `$`; quote it as well, otherwise YAML reads a leading `[` as a
      flow sequence.

      Either of the following shapes satisfies this ruleset:

      - no additionalProperties (`additionalProperties: false`)
      - constrained additionalProperties (a schema plus `maxProperties`)
    message: >-
      Objects should not allow additionalProperties.
      Disable them with `additionalProperties: false` or constrain them.
    formats:
      - oas3
    severity: warn
    recommended: true
    given:
      # Recursive descent (`$..`): a root-only `$.` would only inspect the
      # top-level keys of the document and never reach a schema.
      - >-
        $..[?(@.type=="object" && @.additionalProperties==true)]
    then:
      - field: additionalProperties
        function: falsy
  sec-no-default-additionalProperties:
    <<: *object-constraints
    given:
      - >-
        $..[?(@.type=="object" && !@.additionalProperties)]
    then:
      - field: additionalProperties
        function: defined
  sec-constrained-additionalProperties:
    <<: *object-constraints
    given:
      - >-
        $..[?(@.type=="object" && @.additionalProperties
        && @.additionalProperties!=true
        && @.additionalProperties!=false)]
    then:
      - field: maxProperties
        function: defined
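The bypass the description warns about, shown end to end. This is an added example, not code from the ruleset or from italia/api-oas-checker: a toy validator for just the keywords the rule mentions (`type`, `properties`, `additionalProperties`, `maxProperties`, `pattern`), run over constructed schemas in the three shapes above and a constructed payload that smuggles a `role` field. Schema names, the `role` field and the sample phone number are assumptions made for the example; the validator follows JSON Schema semantics but is not the `jsonschema` library.

```python
import re

# Toy validator for the JSON Schema subset the rule talks about. Written for
# this example; it is neither jsonschema nor Spectral, but follows the same rules.
def validate(schema, value, path="$"):
    """Return the list of violations of `value` against `schema` (empty = valid)."""
    errors = []
    kind = schema.get("type")
    if kind == "object" and not isinstance(value, dict):
        return [f"{path}: expected object"]
    if kind == "string" and not isinstance(value, str):
        return [f"{path}: expected string"]
    if kind == "string" and "pattern" in schema:
        # JSON Schema (ECMA-262) semantics: the pattern is *searched*, not
        # fully matched, so an unanchored pattern accepts any string containing it.
        if re.search(schema["pattern"], value) is None:
            errors.append(f"{path}: does not match {schema['pattern']!r}")
    if kind == "object":
        if "maxProperties" in schema and len(value) > schema["maxProperties"]:
            errors.append(f"{path}: more than {schema['maxProperties']} properties")
        declared = schema.get("properties", {})
        # additionalProperties defaults to true: anything not listed under
        # `properties` passes through the validator untouched.
        extra = schema.get("additionalProperties", True)
        for key, item in value.items():
            if key in declared:
                errors.extend(validate(declared[key], item, f"{path}.{key}"))
            elif extra is False:
                errors.append(f"{path}.{key}: additional property not allowed")
            elif isinstance(extra, dict):
                errors.extend(validate(extra, item, f"{path}.{key}"))
    return errors


NAME = {"type": "string", "pattern": "^[a-zA-Z ]{1,24}$"}
# Constructed schemas: the default (open) object and the two shapes the rule accepts.
OPEN = {"type": "object", "properties": {"given_name": NAME}}
CLOSED = {**OPEN, "additionalProperties": False}
CONSTRAINED = {
    **OPEN,
    "additionalProperties": {"type": "string", "pattern": r"^\+39[0-9]{1,14}$"},
    "maxProperties": 3,
}
# Constructed payload: the client smuggles a field the schema never mentions.
SMUGGLED = {"given_name": "Mario", "role": "admin"}


def demo():
    """Run each schema over the smuggled payload plus a few edge cases."""
    return {
        "open": validate(OPEN, SMUGGLED),
        "closed": validate(CLOSED, SMUGGLED),
        "constrained": validate(CONSTRAINED, SMUGGLED),
        "constrained_phone": validate(CONSTRAINED, {"given_name": "Mario", "mobile": "+393331234567"}),
        "too_many": validate(CONSTRAINED, {"given_name": "Mario", "a": "+391", "b": "+392", "c": "+393"}),
        # Same hostile string against the unanchored pattern and the anchored one.
        "unanchored": validate({"type": "string", "pattern": "[a-zA-Z ]{1,24}"}, "<script>x</script>"),
        "anchored": validate(NAME, "<script>x</script>"),
    }


if __name__ == "__main__":
    for case, errs in demo().items():
        print(f"{case:18s} {'valid' if not errs else errs}")
```

The `open` case is the problem the rule exists for: `role: admin` sails through because nothing in the schema says it may not. `closed` rejects it outright, `constrained` rejects it because it is not a `+39` phone number, and `too_many` shows `maxProperties` capping how many extra fields a client may push in. The last two cases are the anchoring caveat: `[a-zA-Z ]{1,24}` matches `<script>x</script>` because `script` is found inside it.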
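What the three `given` selectors actually pick out, reproduced in plain Python rather than JSONPath. This is an added example and not part of the ruleset or of Spectral: a recursive walker standing in for `$..`, the three conditions from `objects.yml` applied to each `type: object` schema, and a constructed OpenAPI document with one schema per case. Schema names are made up for the example; the `recursive=False` switch exists only to show why a root-only `$.` selector finds nothing.

```python
# Constructed OpenAPI document with one schema per case the three rules cover.
SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "demo", "version": "1.0"},
    "paths": {},
    "components": {
        "schemas": {
            "Open": {"type": "object", "properties": {"id": {"type": "string"}}},
            "Loose": {"type": "object", "additionalProperties": True},
            "Closed": {"type": "object", "additionalProperties": False},
            "Typed": {"type": "object", "additionalProperties": {"type": "string"}},
            "Capped": {"type": "object", "additionalProperties": {"type": "string"}, "maxProperties": 3},
            "Nested": {
                "type": "object",
                "additionalProperties": False,
                "properties": {"inner": {"type": "object"}},
            },
        }
    },
}


def walk(node, path="$"):
    """Yield (path, node) for every node in the tree, like JSONPath's `$..`."""
    yield path, node
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk(child, f"{path}[{i}]")


def lint_objects(doc, recursive=True):
    """Return (rule, path) findings; recursive=False mimics a root-only `$.` selector."""
    candidates = walk(doc) if recursive else ((f"$.{k}", v) for k, v in doc.items())
    findings = []
    for path, node in candidates:
        # All three rules are scoped to schemas that explicitly say `type: object`.
        if not (isinstance(node, dict) and node.get("type") == "object"):
            continue
        if "additionalProperties" not in node:
            # sec-no-default-additionalProperties: the keyword must be spelled out
            findings.append(("sec-no-default-additionalProperties", path))
        elif node["additionalProperties"] is True:
            # sec-no-additionalProperties: an explicit `true` is as open as the default
            findings.append(("sec-no-additionalProperties", path))
        elif isinstance(node["additionalProperties"], dict) and "maxProperties" not in node:
            # sec-constrained-additionalProperties: a schema alone does not bound the count
            findings.append(("sec-constrained-additionalProperties", path))
    return findings


if __name__ == "__main__":
    for rule, path in lint_objects(SPEC):
        print(f"{rule}: {path}")
    print("root-only selector finds:", lint_objects(SPEC, recursive=False))
```

`Closed` and `Capped` produce nothing, `Nested` is clean at the top but its `inner` schema is flagged, which is why the selector must descend. Two limits carry over from the rules as written: a schema that lists `properties` but omits `type: object` is never visited, and `$ref` targets are only checked where they are defined, not where they are used.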