kics
bug(openapi): false positive - wrongly required `items` for string type
In the openapi v2 docs we can see this
Required if type is "array"
so in this example the parameters are valid (talking about the "inner" items):
```yaml
openapi: 3.0.3
paths:
  /v1/sourceTypes:
    delete:
      description: 'XXX'
      tags:
        - data_sources
        - v1
      produces:
        - application/json
      consumes:
        - application/json
      parameters:
        - name: ids
          in: query
          required: true
          type: array
          items:
            type: string
          description: ''
      responses:
        200:
          description: Successful Response
          schema:
            type: string
          headers: {}
```
Expected Behavior
No error
Actual Behavior
error 5e5ecb9d-04b5-4e4f-b5a5-6ee04279b275 is raised with description:
```
"name": "OpenAPI Object should contain all of its required fields",
"description": "items is missing required fields",
```
Specifications
- Version: GitLab kics analyzer v4.1.13
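The Swagger 2.0 rule the report relies on, written out as a checker (an added example, not KICS code or its Rego query): `items` is mandatory only when `type` is `array`, applied recursively, and an `items` object must carry its own `type`. The parameter dicts are constructed to mirror the report's `ids` parameter plus three deliberately invalid ones; no YAML parsing is involved.

```python
# Constructed inputs: the valid parameters from the report above, plus
# three parameters that genuinely violate the Swagger 2.0 items rule.
VALID_PARAMS = [
    {"name": "ids", "in": "query", "required": True, "type": "array",
     "items": {"type": "string"}, "description": ""},
    {"name": "recursive", "in": "query", "required": False,
     "type": "boolean", "description": ""},
]
INVALID_PARAMS = [
    # array parameter with no items at all
    {"name": "tags", "in": "query", "type": "array"},
    # array of arrays whose inner items object lacks its own items
    {"name": "nested", "in": "query", "type": "array",
     "items": {"type": "array"}},
    # items object present but without the required type
    {"name": "untyped", "in": "query", "type": "array", "items": {}},
]


def check_items(node, path):
    """Return findings for one parameter or items object.

    `items` is required only when type is "array"; an items object must
    itself declare a type. Everything else is out of scope here.
    """
    findings = []
    node_type = node.get("type")
    if node_type == "array":
        if "items" not in node:
            findings.append(f"{path}: type is array but items is missing")
        else:
            # recurse: the items object may itself be an array
            findings.extend(check_items(node["items"], path + ".items"))
    elif path.endswith(".items") and node_type is None:
        findings.append(f"{path}: items object has no type")
    return findings


def check_parameters(parameters):
    """Run the items rule over a Swagger 2.0 parameter list."""
    findings = []
    for param in parameters:
        findings.extend(check_items(param, f"parameter '{param.get('name')}'"))
    return findings


if __name__ == "__main__":
    print("valid:", check_parameters(VALID_PARAMS))      # prints []
    for f in check_parameters(INVALID_PARAMS):
        print("finding:", f)
```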
Hi @UncleGoogle ,
Thank you for your inputs! Our internal AppSec team will check it soon. We will keep you updated.
(APPSEC-2558)
@UncleGoogle KICS is not scanning the code sample you provided, seems like it's an invalid one (we also checked it by using this tool). Kindly provide a valid openapi file so we can have a better look into it.
Hi @gabriel-cx . Sure, I've extracted the full example:
```yaml
swagger: '2.0'
info:
  title: Example API
  version: '1.0'
schemes:
  - https
produces:
  - application/json
paths:
  /v1/dataSourceTypes:
    get:
      tags:
        - data_sources
      parameters:
        - name: limit
          in: query
          required: false
          default: 300
          type: integer
          format: int32
          description: ''
        - name: offset
          in: query
          required: false
          type: integer
          format: int32
          description: ''
        - name: order_field
          in: query
          required: false
          type: string
          description: ''
        - name: order_direction
          in: query
          required: false
          enum:
            - ASC
            - DESC
          type: string
          description: ''
      responses:
        200:
          description: Successful Response
          schema:
            type: string
          headers: {}
        408:
          description: Backend call time-out
          schema:
            type: string
          headers: {}
    delete:
      tags:
        - data_sources
      deprecated: false
      produces:
        - application/json
      consumes:
        - application/json
      parameters:
        - name: ids
          in: query
          required: true
          type: array
          items:
            type: string
          description: ''
        - name: recursive
          in: query
          required: false
          type: boolean
          description: ''
      responses:
        200:
          description: Successful Response
          schema:
            type: string
          headers: {}
        404:
          description: DataSource ID not found
          schema:
            type: string
          headers: {}
        408:
          description: Backend call time-out
          schema:
            type: string
          headers: {}
```
Hi @UncleGoogle ,
Thank you!! We will analyze your inputs and we will keep you updated.