Schema with 'additionalProperties' set as Boolean

  • Query id: 3a01790c-ebee-4da6-8fd3-e78657383b75
  • Query name: Schema with 'additionalProperties' set as Boolean
  • Platform: OpenAPI
  • Severity: Info
  • Category: Best Practices
  • CWE: 710
  • URL: Github

Description

The value of 'additionalProperties' should be an object rather than a boolean, since Swagger 2.0 does not support a boolean value for this field.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "schema": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                },
                "tag": {
                  "type": "string"
                }
              },
              "required": [
                "name"
              ],
              "additionalProperties": false
            }
          }
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
# Positive sample: the response schema under paths sets 'additionalProperties'
# to a boolean, which is what this query reports (Swagger 2.0 expects an object).
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response
          schema:
            type: object
            properties:
              name:
                type: string
              tag:
                type: string
            required:
              - name
            # Boolean value flagged by the query; compare the object form
            # ($ref or type) used in the negative samples on this page.
            # NOTE(review): if the intent was to forbid undeclared properties,
            # tooling that follows Swagger 2.0 strictly may not honour a boolean
            # here — confirm against the consumer of this document.
            additionalProperties: false
# 'User' is not referenced from the paths section in this sample.
definitions:
  User:
    type: object
    properties:
      name:
        type: string
      tag:
        type: string
    required:
      - name
Positive test num. 3 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "schema": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                },
                "tag": {
                  "type": "string"
                }
              },
              "required": [
                "name"
              ],
              "additionalProperties": {
                "$ref": "#/definitions/User"
              }
            }
          }
        }
      }
    }
  },
  "definitions": {
    "User": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string"
        },
        "tag": {
          "type": "string"
        }
      },
      "required": [
        "name"
      ],
      "additionalProperties": false
    }
  }
}

Positive test num. 4 - yaml file
# Positive sample: the response schema uses the object form ($ref), but the
# 'User' definition sets 'additionalProperties' to a boolean, which this
# query reports (Swagger 2.0 expects an object).
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response
          schema:
            type: object
            properties:
              name:
                type: string
              tag:
                type: string
            required:
              - name
            # Object form (a Schema Object reference) — not flagged.
            additionalProperties:
              $ref: "#/definitions/User"
definitions:
  User:
    type: object
    properties:
      name:
        type: string
      tag:
        type: string
    required:
      - name
    # Boolean value flagged by the query.
    # NOTE(review): if the intent was to forbid undeclared properties,
    # tooling that follows Swagger 2.0 strictly may not honour a boolean
    # here — confirm against the consumer of this document.
    additionalProperties: false

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "schema": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                },
                "tag": {
                  "type": "string"
                }
              },
              "required": [
                "name"
              ],
              "additionalProperties": {
                "$ref": "#/definitions/User"
              }
            }
          }
        }
      }
    }
  },
  "definitions": {
    "User": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string"
        },
        "tag": {
          "type": "string"
        }
      },
      "required": [
        "name"
      ]
    }
  }
}
Negative test num. 2 - yaml file
# Negative sample: the only 'additionalProperties' is the object form ($ref)
# in the response schema, so this query reports nothing.
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response
          schema:
            type: object
            properties:
              name:
                type: string
              tag:
                type: string
            required:
              - name
            # Object form (a Schema Object reference) — not flagged.
            additionalProperties:
              $ref: "#/definitions/User"
# 'User' carries no 'additionalProperties' at all in this sample.
definitions:
  User:
    type: object
    properties:
      name:
        type: string
      tag:
        type: string
    required:
      - name
Negative test num. 3 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "schema": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string"
                },
                "tag": {
                  "type": "string"
                }
              },
              "required": [
                "name"
              ],
              "additionalProperties": {
                "$ref": "#/definitions/User"
              }
            }
          }
        }
      }
    }
  },
  "definitions": {
    "User": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string"
        },
        "tag": {
          "type": "string"
        }
      },
      "required": [
        "name"
      ],
      "additionalProperties": {
        "type": "string"
      }
    }
  }
}

Negative test num. 4 - yaml file
# Negative sample: both occurrences of 'additionalProperties' use the object
# form (a $ref and an inline 'type'), so this query reports nothing.
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response
          schema:
            type: object
            properties:
              name:
                type: string
              tag:
                type: string
            required:
              - name
            # Object form (a Schema Object reference) — not flagged.
            additionalProperties:
              $ref: "#/definitions/User"
definitions:
  User:
    type: object
    properties:
      name:
        type: string
      tag:
        type: string
    required:
      - name
    # Object form (an inline Schema Object) — not flagged.
    additionalProperties:
      type: string