Schema with 'additionalProperties' set as Boolean
- Query id: 3a01790c-ebee-4da6-8fd3-e78657383b75
- Query name: Schema with 'additionalProperties' set as Boolean
- Platform: OpenAPI
- Severity: Info
- Category: Best Practices
- CWE: 710
- URL: Github
Description¶
The value of 'additionalProperties' should be set as object instead of boolean, since swagger 2.0 does not support boolean value for it
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": false
}
}
}
}
}
}
}
Positive test num. 2 - yaml file
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
schema:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
additionalProperties: false
definitions:
User:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
Positive test num. 3 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": {
"$ref": "#/definitions/User"
}
}
}
}
}
}
},
"definitions": {
"User": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": false
}
}
}
Positive test num. 4 - yaml file
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
schema:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
additionalProperties:
$ref: "#/definitions/User"
definitions:
User:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
additionalProperties: false
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": {
"$ref": "#/definitions/User"
}
}
}
}
}
}
},
"definitions": {
"User": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
]
}
}
}
Negative test num. 2 - yaml file
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
schema:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
additionalProperties:
$ref: "#/definitions/User"
definitions:
User:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
Negative test num. 3 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"schema": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": {
"$ref": "#/definitions/User"
}
}
}
}
}
}
},
"definitions": {
"User": {
"type": "object",
"properties": {
"name": {
"type": "string"
},
"tag": {
"type": "string"
}
},
"required": [
"name"
],
"additionalProperties": {
"type": "string"
}
}
}
}
Negative test num. 4 - yaml file
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
schema:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
additionalProperties:
$ref: "#/definitions/User"
definitions:
User:
type: object
properties:
name:
type: string
tag:
type: string
required:
- name
additionalProperties:
type: string