Invalid Format (v3)

  • Query id: d929c031-078f-4241-b802-e224656ad890
  • Query name: Invalid Format (v3)
  • Platform: OpenAPI
  • Severity: Low
  • Category: Insecure Configurations
  • CWE: Ongoing
  • URL: Github

Description

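The format must be valid for the declared type: an integer type must use int32 or int64, and a number type must use float or double. The samples below also pair string-typed fields with numeric formats (double, int64) in the failing cases and with string formats (byte, date) in the passing ones. A format that contradicts its type can be interpreted differently by validators, gateways and generated clients or servers, so the range and representation checks the specification implies may not be enforced consistently.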
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "$ref": "#/components/schemas/MyObject"
          },
          "201": {
            "description": "201 response"
          }
        }
      },
      "parameters": [
        {
          "name": "id",
          "in": "path",
          "description": "ID of pet to use",
          "required": true,
          "schema": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "myObject": {
                  "$ref": "#/components/schemas/MyObject"
                },
                "length": {
                  "type": "integer",
                  "format": "float"
                }
              }
            }
          }
        }
      ]
    }
  },
  "components": {
    "schemas": {
      "MyObject": {
        "type": "object",
        "properties": {
          "id": {
            "type": "integer",
            "format": "double"
          },
          "quantity": {
            "type": "integer",
            "format": "int32"
          },
          "percentage": {
            "type": "number",
            "format": "int32"
          },
          "result": {
            "type": "number",
            "format": "double"
          }
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
# Failing sample (OpenAPI 3.0.0, YAML): three schema properties below declare a
# format that does not belong to their type.
openapi: 3.0.0
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          "$ref": "#/components/schemas/MyObject"
        "201":
          description: 201 response
    parameters:
      - name: id
        in: path
        description: ID of pet to use
        required: true
        schema:
          type: array
          items:
            type: object
            properties:
              myObject:
                "$ref": "#/components/schemas/MyObject"
              length:
                type: integer
                format: float  # mismatch: integer accepts int32 or int64; float is a number format
components:
  schemas:
    MyObject:
      type: object
      properties:
        id:
          type: integer
          format: double  # mismatch: integer accepts int32 or int64; double is a number format
        quantity:
          type: integer
          format: int32  # valid pair
        percentage:
          type: number
          format: int32  # mismatch: number accepts float or double; int32 is an integer format
        result:
          type: number
          format: double  # valid pair
Positive test num. 3 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response"
          },
          "201": {
            "description": "201 response"
          }
        }
      },
      "parameters": [
        {
          "name": "id",
          "in": "body",
          "description": "ID of pet to use",
          "required": true,
          "schema": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string",
                  "format": "double"
                },
                "quantity": {
                  "type": "integer",
                  "format": "int32"
                },
                "percentage": {
                  "type": "number",
                  "format": "int32"
                },
                "result": {
                  "type": "number",
                  "format": "double"
                }
              }
            }
          }
        },
        {
          "name": "start_date",
          "in": "query",
          "type": "string",
          "format": "int64",
          "description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n"
        }
      ]
    }
  }
}

Positive test num. 4 - yaml file
# Failing sample (Swagger 2.0, YAML): one body-schema property and one query
# parameter give a string type a numeric format, and one number property uses
# an integer format.
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 202 response  # NOTE(review): key is "200" but the text says 202; the JSON variant says "200 response"
        "201":
          description: 201 response
    parameters:
      - name: id
        in: body
        description: ID of pet to use
        required: true
        schema:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: double  # mismatch: double is a number format, not a string format
              quantity:
                type: integer
                format: int32  # valid pair
              percentage:
                type: number
                format: int32  # mismatch: number accepts float or double
              result:
                type: number
                format: double  # valid pair
      - name: start_date
        in: query
        type: string
        format: int64  # mismatch: int64 is an integer format, yet the parameter is a string holding a date
        description: >
          The start date for the report. Must be used together with `end_date`.
          This parameter is incompatible with `rdate`.

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "summary": "List API versions",
        "responses": {
          "201": {
            "description": "201 response"
          },
          "200": {
            "$ref": "#/components/schemas/MyObject"
          }
        },
        "operationId": "listVersionsv2"
      },
      "parameters": [
        {
          "name": "id",
          "in": "path",
          "description": "ID of pet to use",
          "required": true,
          "schema": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "myObject": {
                  "$ref": "#/components/schemas/MyObject"
                },
                "length": {
                  "type": "integer",
                  "format": "int32"
                }
              }
            }
          }
        }
      ]
    }
  },
  "components": {
    "schemas": {
      "MyObject": {
        "type": "object",
        "properties": {
          "id": {
            "type": "integer",
            "format": "int64"
          },
          "quantity": {
            "type": "integer",
            "format": "int32"
          },
          "percentage": {
            "type": "number",
            "format": "float"
          },
          "result": {
            "type": "number",
            "format": "double"
          }
        }
      }
    }
  }
}
Negative test num. 2 - yaml file
# Passing sample (OpenAPI 3.0.0, YAML): every integer property uses int32 or
# int64 and every number property uses float or double.
openapi: 3.0.0
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          "$ref": "#/components/schemas/MyObject"
        "201":
          description: 201 response
    parameters:
      - name: id
        in: path
        description: ID of pet to use
        required: true
        schema:
          type: array
          items:
            type: object
            properties:
              myObject:
                "$ref": "#/components/schemas/MyObject"
              length:
                type: integer
                format: int32  # integer format on an integer type
components:
  schemas:
    MyObject:
      type: object
      properties:
        id:
          type: integer
          format: int64  # integer format on an integer type
        quantity:
          type: integer
          format: int32
        percentage:
          type: number
          format: float  # number format on a number type
        result:
          type: number
          format: double
Negative test num. 3 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response"
          },
          "201": {
            "description": "201 response"
          }
        }
      },
      "parameters": [
        {
          "name": "id",
          "in": "body",
          "description": "ID of pet to use",
          "required": true,
          "schema": {
            "type": "array",
            "items": {
              "type": "object",
              "properties": {
                "id": {
                  "type": "string",
                  "format": "byte"
                },
                "quantity": {
                  "type": "integer",
                  "format": "int32"
                },
                "percentage": {
                  "type": "number",
                  "format": "float"
                },
                "result": {
                  "type": "number",
                  "format": "double"
                }
              }
            }
          }
        },
        {
          "name": "start_date",
          "in": "query",
          "type": "string",
          "format": "date",
          "description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n"
        }
      ]
    }
  }
}

Negative test num. 4 - yaml file
# Passing sample (Swagger 2.0, YAML): string fields use string formats
# (byte, date) and numeric fields use a format from their own type.
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 202 response  # NOTE(review): key is "200" but the text says 202; the JSON variant says "200 response"
        "201":
          description: 201 response
    parameters:
      - name: id
        in: body
        description: ID of pet to use
        required: true
        schema:
          type: array
          items:
            type: object
            properties:
              id:
                type: string
                format: byte  # string format on a string type
              quantity:
                type: integer
                format: int32
              percentage:
                type: number
                format: float  # number format on a number type
              result:
                type: number
                format: double
      - name: start_date
        in: query
        type: string
        format: date  # string format matching the date the description asks for
        description: >
          The start date for the report. Must be used together with `end_date`.
          This parameter is incompatible with `rdate`.