Path Is Ambiguous (v3)

  • Query id: 237402e2-c2f0-46c9-9cf5-286160cf7bfc
  • Query name: Path Is Ambiguous (v3)
  • Platform: OpenAPI
  • Severity: Info
  • Category: Structure and Semantics
  • CWE: Ongoing
  • URL: Github

Description

All path should be unique, if has more than one operation, all operations should be part of same Path Object
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/users/{id}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          schema:
            type: integer
            minimum: 1
      responses:
        "200":
          description: 200 response
  "/users/{ids}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          schema:
            type: integer
            minimum: 1
      responses:
        "200":
          description: 200 response
Positive test num. 2 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/users/{id}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "schema": {
              "type": "integer",
              "minimum": 1
            }
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    },
    "/users/{ids}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "schema": {
              "type": "integer",
              "minimum": 1
            }
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  }
}
Positive test num. 3 - yaml file
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
  contact:
    name: contact
    url: https://www.google.com/
    email: user@gmail.com
paths:
  "/users/{id}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          type: string
      responses:
        "200":
          description: 200 response
  "/users/{ids}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          type: string
      responses:
        "200":
          description: 200 response

Positive test num. 4 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0",
    "contact": {
      "name": "contact",
      "url": "https://www.google.com/",
      "email": "user@gmail.com"
    }
  },
  "paths": {
    "/users/{id}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    },
    "/users/{ids}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/users/{id}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          schema:
            type: integer
            minimum: 1
      responses:
        "200":
          description: 200 response
  "/user/{id}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          schema:
            type: integer
            minimum: 1
      responses:
        "200":
          description: 200 response
Negative test num. 2 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/users/{id}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "schema": {
              "type": "integer",
              "minimum": 1
            }
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    },
    "/user/{id}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "schema": {
              "type": "integer",
              "minimum": 1
            }
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  }
}
Negative test num. 3 - yaml file
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
  contact:
    name: contact
    url: https://www.google.com/
    email: user@gmail.com
paths:
  "/users/{id}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          type: string
      responses:
        "200":
          description: 200 response
  "/user/{id}":
    get:
      parameters:
        - in: path
          name: id
          required: true
          description: The user ID
          type: string
      responses:
        "200":
          description: 200 response

Negative test num. 4 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0",
    "contact": {
      "name": "contact",
      "url": "https://www.google.com/",
      "email": "user@gmail.com"
    }
  },
  "paths": {
    "/users/{id}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    },
    "/user/{id}": {
      "get": {
        "parameters": [
          {
            "in": "path",
            "name": "id",
            "required": true,
            "description": "The user ID",
            "type": "string"
          }
        ],
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  }
}