Operation Object Without 'produces'
- Query id: be3e170e-1572-461e-a8b6-d963def581ec
- Query name: Operation Object Without 'produces'
- Platform: OpenAPI
- Severity: Medium
- Category: Insecure Configurations
- CWE: 665
- URL: Github
Description¶
Operation Object should have 'produces' field defined for 'GET'operation
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"$ref": "#/definitions/User"
}
},
"parameters": [
{
"$ref": "#/parameters/limitParam"
}
]
}
}
},
"parameters": {
"limitParam": {
"name": "limit",
"in": "query",
"description": "max records to return",
"required": true,
"schema": {
"type": "integer"
}
}
},
"definitions": {
"User": {
"type": "object",
"required": [
"id",
"name"
],
"properties": {
"id": {
"type": "integer",
"format": "int64"
},
"name": {
"type": "string"
}
}
}
}
}
Positive test num. 2 - yaml file
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
"$ref": "#/definitions/User"
parameters:
- "$ref": "#/parameters/limitParam"
parameters:
limitParam:
name: limit
in: query
description: max records to return
required: true
schema:
type: integer
definitions:
User:
type: object
required:
- id
- name
properties:
id:
type: integer
format: int64
name:
type: string
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"produces": [
"application/json"
],
"responses": {
"200": {
"$ref": "#/definitions/User"
}
},
"parameters": [
{
"$ref": "#/parameters/limitParam"
}
]
}
}
},
"parameters": {
"limitParam": {
"name": "limit",
"in": "query",
"description": "max records to return",
"required": true,
"schema": {
"type": "integer"
}
}
},
"definitions": {
"User": {
"type": "object",
"required": [
"id",
"name"
],
"properties": {
"id": {
"type": "integer",
"format": "int64"
},
"name": {
"type": "string"
}
}
}
}
}
Negative test num. 2 - yaml file
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
produces:
- application/json
responses:
"200":
"$ref": "#/definitions/User"
parameters:
- "$ref": "#/parameters/limitParam"
parameters:
limitParam:
name: limit
in: query
description: max records to return
required: true
schema:
type: integer
definitions:
User:
type: object
required:
- id
- name
properties:
id:
type: integer
format: int64
name:
type: string