Example JSON Reference Outside Components Examples

  • Query id: bac56e3c-1f71-4a74-8ae6-2fba07efcddb
  • Query name: Example JSON Reference Outside Components Examples
  • Platform: OpenAPI
  • Severity: Info
  • Category: Structure and Semantics
  • CWE: 20
  • URL: Github

Description

References to examples should point to #/components/examples rather than to another component section (the positive samples below reference #/components/schemas instead).
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "components": {
    "securitySchemes": {
      "regularSecurity": {
        "type": "http",
        "scheme": "basic"
      }
    },
    "schemas": {
      "ErrorModel": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string"
          }
        }
      },
      "Address": {
        "type": "object",
        "properties": {
          "street": {
            "type": "string"
          }
        },
        "required": [
          "street"
        ]
      }
    }
  },
  "paths": {
    "/": {
      "post": {
        "operationId": "updateAddress",
        "summary": "updateAddress",
        "servers": [
          {
            "url": "http://kicsapi.com/",
            "description": "server URL"
          }
        ],
        "responses": {
          "200": {
            "description": "a pet to be returned",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Address"
                }
              }
            }
          },
          "default": {
            "description": "Unexpected error",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorModel"
                }
              }
            }
          }
        },
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/Address"
              },
              "examples": {
                "Address": {
                  "$ref": "#/components/schemas/Address"
                }
              }
            }
          }
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
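---
# Positive sample: the request-body example references a schema object
# instead of an Example Object under #/components/examples.
openapi: "3.0.0"
info:
  title: Simple API overview
  version: "1.0.0"
components:
  securitySchemes:
    regularSecurity:
      type: http
      scheme: basic
  schemas:
    ErrorModel:
      type: object
      properties:
        code:
          type: string
    Address:
      type: object
      properties:
        street:
          type: string
      required:
        - street
  # No components.examples section is declared in this document, so there is
  # nothing for an example $ref to legitimately resolve to.
paths:
  "/":
    post:
      operationId: updateAddress
      summary: updateAddress
      servers:
        - url: http://kicsapi.com/
          description: server URL
      responses:
        # Quoted so the status code stays a string key rather than an integer.
        "200":
          description: a pet to be returned
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Address"
        default:
          description: Unexpected error
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ErrorModel"
      requestBody:
        content:
          # Same plain (unquoted) key form as the responses section above.
          application/json:
            schema:
              $ref: "#/components/schemas/Address"
            examples:
              Address:
                # Flagged by the query: an entry under `examples` points at
                # #/components/schemas, not #/components/examples.
                $ref: "#/components/schemas/Address"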

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "components": {
    "securitySchemes": {
      "regularSecurity": {
        "type": "http",
        "scheme": "basic"
      }
    },
    "schemas": {
      "ErrorModel": {
        "type": "object",
        "properties": {
          "code": {
            "type": "string"
          }
        }
      },
      "Address": {
        "type": "object",
        "properties": {
          "street": {
            "type": "string"
          }
        },
        "required": [
          "street"
        ]
      }
    },
    "examples": {
      "Address": {
        "summary": "user address",
        "value": {
          "street": "my street"
        }
      }
    }
  },
  "paths": {
    "/": {
      "post": {
        "operationId": "updateAddress",
        "summary": "updateAddress",
        "servers": [
          {
            "url": "http://kicsapi.com/",
            "description": "server URL"
          }
        ],
        "responses": {
          "200": {
            "description": "a pet to be returned",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/Address"
                }
              }
            }
          },
          "default": {
            "description": "Unexpected error",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/ErrorModel"
                }
              }
            }
          }
        },
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/Address"
              },
              "examples": {
                "Address": {
                  "$ref": "#/components/examples/Address"
                }
              }
            }
          }
        }
      }
    }
  }
}
Negative test num. 2 - yaml file
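---
# Negative sample: the request-body example resolves to an Example Object
# declared under #/components/examples.
openapi: "3.0.0"
info:
  title: Simple API overview
  version: "1.0.0"
components:
  securitySchemes:
    regularSecurity:
      type: http
      scheme: basic
  schemas:
    ErrorModel:
      type: object
      properties:
        code:
          type: string
    Address:
      type: object
      properties:
        street:
          type: string
      required:
        - street
  # The reusable Example Object that the request body below references.
  examples:
    Address:
      summary: user address
      value:
        street: my street
paths:
  "/":
    post:
      operationId: updateAddress
      summary: updateAddress
      servers:
        - url: http://kicsapi.com/
          description: server URL
      responses:
        # Quoted so the status code stays a string key rather than an integer.
        "200":
          description: a pet to be returned
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Address"
        default:
          description: Unexpected error
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ErrorModel"
      requestBody:
        content:
          # Same plain (unquoted) key form as the responses section above.
          application/json:
            schema:
              $ref: "#/components/schemas/Address"
            examples:
              Address:
                # Correct target: an Example Object under #/components/examples.
                $ref: "#/components/examples/Address"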