forked from italia/api-oas-checker
securitySchemes_insecure.yml
# Spectral ruleset: flags OpenAPI 3 security schemes that expose credentials
# (API keys carried in cookies, and HTTP authentication schemes that are
# considered insecure).
rules:
  # The YAML anchor lets another rule reuse this rule body via an alias
  # (for example a sibling rule for the query-parameter case).
  sec-apikeys-cookie: &sec-apikeys-cookie
    description: |-
      API Keys are (usually opaque) strings that
      are passed in headers, cookies or query parameters
      to access APIs.
      Those keys can be eavesdropped, especially when they are stored
      in cookies or passed as URL parameters.
      ```
      security:
      - ApiKey: []
      paths:
        /books: {}
        /users: {}
      securitySchemes:
        ApiKey:
          type: apiKey
          in: cookie
          name: X-Api-Key
      ```
    message: >-
      ApiKey stored in cookie or passed in URL: {{error}}.
    formats:
      - oas3
    severity: error
    recommended: true
    # Selects the `in` field of every apiKey-type security scheme.
    given:
      - >-
        $.[securitySchemes][?(@.type=="apiKey")].in
    then:
      - function: pattern
        functionOptions:
          # Only the cookie location is rejected by this rule; the regex is
          # anchored so that other values such as "header" or "query" pass.
          notMatch: >-
            ^(cookie)$
  sec-auth-insecure-schemes:
    description: |-
      The http authorization type in OAS supports
      all the schemes defined in the associated
      [IANA table](https://www.iana.org/assignments/http-authschemes/).
      Some of those schemes are
      now considered insecure, such as
      negotiating authentication using specifications
      like NTLM or OAuth v1.
    message: >-
      Authentication scheme is insecure: {{error}}
    formats:
      - oas3
    recommended: true
    severity: error
    # Selects the `scheme` field of every http-type security scheme.
    given:
      - >-
        $.[securitySchemes][?(@.type=="http")].scheme
    then:
      - function: pattern
        functionOptions:
          # Case-sensitive match on the scheme name as written in the document.
          notMatch: >-
            ^(negotiate|oauth)$
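The two checks above can be mirrored outside Spectral for a quick local test or a unit test of a spec. The following is an added example, not code from the ruleset, Spectral or the italia/api-oas-checker project: it walks an OpenAPI 3 document held as a plain Python dict (no YAML parser needed), looks under `components.securitySchemes` where OAS 3 places reusable schemes, and applies the same two `notMatch` patterns. The sample documents, the `ignore_case` option and all function names are constructed for this example. The `ignore_case` switch exists because RFC 7235 defines HTTP authentication scheme names as case-insensitive, whereas the ruleset's regex only matches the lower-case spelling; the example reports a scheme written as `Negotiate` only when that switch is on.

```python
import re

# Patterns copied from the ruleset's `notMatch` options.
APIKEY_FORBIDDEN_IN = r"^(cookie)$"
HTTP_FORBIDDEN_SCHEMES = r"^(negotiate|oauth)$"


def security_schemes(doc):
    """OAS 3 declares reusable security schemes under components.securitySchemes."""
    return (doc.get("components") or {}).get("securitySchemes") or {}


def check_insecure_schemes(doc, ignore_case=False):
    """Return findings equivalent to sec-apikeys-cookie and sec-auth-insecure-schemes.

    Each finding is a (rule_id, scheme_name, message) tuple. With ignore_case=True
    the HTTP scheme name is compared case-insensitively (RFC 7235 semantics);
    the default mirrors the ruleset's case-sensitive regex. The apiKey `in`
    field is an OAS enum (query/header/cookie), so it is always matched exactly.
    """
    scheme_re = re.compile(HTTP_FORBIDDEN_SCHEMES, re.IGNORECASE if ignore_case else 0)
    apikey_re = re.compile(APIKEY_FORBIDDEN_IN)
    findings = []
    for name, scheme in security_schemes(doc).items():
        kind = scheme.get("type")
        if kind == "apiKey":
            location = str(scheme.get("in", ""))
            if apikey_re.match(location):
                findings.append(("sec-apikeys-cookie", name,
                                 f"ApiKey stored in cookie or passed in URL: {location}."))
        elif kind == "http":
            auth_scheme = str(scheme.get("scheme", ""))
            if scheme_re.match(auth_scheme):
                findings.append(("sec-auth-insecure-schemes", name,
                                 f"Authentication scheme is insecure: {auth_scheme}"))
    return findings


# Constructed sample documents (not taken from the ruleset's own tests).
INSECURE_SPEC = {
    "openapi": "3.0.3",
    "paths": {"/books": {}, "/users": {}},
    "components": {"securitySchemes": {
        "ApiKey": {"type": "apiKey", "in": "cookie", "name": "X-Api-Key"},
        "Legacy": {"type": "http", "scheme": "negotiate"},
        # Same scheme, IANA spelling: missed by the case-sensitive pattern.
        "LegacyCaps": {"type": "http", "scheme": "Negotiate"},
    }},
}

HARDENED_SPEC = {
    "openapi": "3.0.3",
    "paths": {"/books": {}, "/users": {}},
    "components": {"securitySchemes": {
        # API key moved out of the cookie into a request header.
        "ApiKey": {"type": "apiKey", "in": "header", "name": "X-Api-Key"},
        # Bearer tokens over TLS instead of a legacy negotiated scheme.
        "Bearer": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
    }},
}


if __name__ == "__main__":
    for label, doc in (("insecure", INSECURE_SPEC), ("hardened", HARDENED_SPEC)):
        for rule, name, message in check_insecure_schemes(doc, ignore_case=True):
            print(f"[{label}] {rule} at components.securitySchemes.{name}: {message}")
```

Run as a script it prints three findings for the insecure document and none for the hardened one; with the default `ignore_case=False` the `LegacyCaps` scheme slips through, which is the behaviour a practitioner should expect from the ruleset's anchored lower-case regex.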