Invalid Format (v3)
- Query id: d929c031-078f-4241-b802-e224656ad890
- Query name: Invalid Format (v3)
- Platform: OpenAPI
- Severity: Low
- Category: Insecure Configurations
- CWE: 665
- URL: Github
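Description
The format must be valid for the declared type: an integer must use int32 or int64, and a number must use float or double. A format that does not match its type is commonly ignored or interpreted inconsistently by validators and code generators, so the value range the definition appears to enforce may not actually be checked. The positive samples below also pair a string type with the numeric formats double and int64; the negative samples use byte and date in those places.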
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - json file
{
"openapi": "3.0.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"$ref": "#/components/schemas/MyObject"
},
"201": {
"description": "201 response"
}
}
},
"parameters": [
{
"name": "id",
"in": "path",
"description": "ID of pet to use",
"required": true,
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"myObject": {
"$ref": "#/components/schemas/MyObject"
},
"length": {
"type": "integer",
"format": "float"
}
}
}
}
}
]
}
},
"components": {
"schemas": {
"MyObject": {
"type": "object",
"properties": {
"id": {
"type": "integer",
"format": "double"
},
"quantity": {
"type": "integer",
"format": "int32"
},
"percentage": {
"type": "number",
"format": "int32"
},
"result": {
"type": "number",
"format": "double"
}
}
}
}
}
}
Positive test num. 2 - yaml file
# Positive sample for the "Invalid Format (v3)" query, OpenAPI 3.0.0: it contains
# format values that do not match the declared type.
# NOTE(review): nesting indentation appears to have been lost on this page; the
# JSON variant of this sample (Positive test num. 1) carries the same keys with
# the structure intact.
openapi: 3.0.0
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
"$ref": "#/components/schemas/MyObject"
"201":
description: 201 response
parameters:
- name: id
in: path
description: ID of pet to use
required: true
schema:
type: array
items:
type: object
properties:
myObject:
"$ref": "#/components/schemas/MyObject"
length:
# Mismatch: an integer accepts only int32 or int64, so "float" is invalid here.
type: integer
format: float
components:
schemas:
MyObject:
type: object
properties:
id:
# Mismatch: "double" is a number format, not an integer format.
type: integer
format: double
quantity:
# Valid pair: integer with int32.
type: integer
format: int32
percentage:
# Mismatch: a number accepts only float or double, so "int32" is invalid here.
type: number
format: int32
result:
# Valid pair: number with double.
type: number
format: double
Positive test num. 3 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response"
},
"201": {
"description": "201 response"
}
}
},
"parameters": [
{
"name": "id",
"in": "body",
"description": "ID of pet to use",
"required": true,
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "double"
},
"quantity": {
"type": "integer",
"format": "int32"
},
"percentage": {
"type": "number",
"format": "int32"
},
"result": {
"type": "number",
"format": "double"
}
}
}
}
},
{
"name": "start_date",
"in": "query",
"type": "string",
"format": "int64",
"description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n"
}
]
}
}
}
Positive test num. 4 - yaml file
# Positive sample for the "Invalid Format (v3)" query, Swagger 2.0: it contains
# format values that do not match the declared type.
# NOTE(review): nesting indentation appears to have been lost on this page; the
# JSON variant of this sample (Positive test num. 3) carries the same keys with
# the structure intact.
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 202 response
"201":
description: 201 response
parameters:
- name: id
in: body
description: ID of pet to use
required: true
schema:
type: array
items:
type: object
properties:
id:
# NOTE(review): numeric format "double" on a string type. The rule text on this
# page only spells out integer and number, so confirm that the query reports
# this pair; the matching negative sample uses format: byte here.
type: string
format: double
quantity:
# Valid pair: integer with int32.
type: integer
format: int32
percentage:
# Mismatch: a number accepts only float or double, so "int32" is invalid here.
type: number
format: int32
result:
# Valid pair: number with double.
type: number
format: double
# NOTE(review): the start_date parameter below declares type string with the
# integer format "int64"; the matching negative sample uses format: date.
# Confirm that the query reports this pair as well.
- name: start_date
in: query
type: string
format: int64
description: >
The start date for the report. Must be used together with `end_date`.
This parameter is incompatible with `rdate`.
Code samples without security vulnerabilities
Negative test num. 1 - json file
{
"openapi": "3.0.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"summary": "List API versions",
"responses": {
"201": {
"description": "201 response"
},
"200": {
"$ref": "#/components/schemas/MyObject"
}
},
"operationId": "listVersionsv2"
},
"parameters": [
{
"name": "id",
"in": "path",
"description": "ID of pet to use",
"required": true,
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"myObject": {
"$ref": "#/components/schemas/MyObject"
},
"length": {
"type": "integer",
"format": "int32"
}
}
}
}
}
]
}
},
"components": {
"schemas": {
"MyObject": {
"type": "object",
"properties": {
"id": {
"type": "integer",
"format": "int64"
},
"quantity": {
"type": "integer",
"format": "int32"
},
"percentage": {
"type": "number",
"format": "float"
},
"result": {
"type": "number",
"format": "double"
}
}
}
}
}
}
Negative test num. 2 - yaml file
# Negative sample for the "Invalid Format (v3)" query, OpenAPI 3.0.0: every
# integer uses int32 or int64 and every number uses float or double, so no
# format/type mismatch should be reported.
# NOTE(review): nesting indentation appears to have been lost on this page; the
# JSON variant of this sample (Negative test num. 1) carries the same keys with
# the structure intact.
openapi: 3.0.0
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
"$ref": "#/components/schemas/MyObject"
"201":
description: 201 response
parameters:
- name: id
in: path
description: ID of pet to use
required: true
schema:
type: array
items:
type: object
properties:
myObject:
"$ref": "#/components/schemas/MyObject"
length:
# Corrected pair: integer with int32 (the positive sample used "float").
type: integer
format: int32
components:
schemas:
MyObject:
type: object
properties:
id:
# Corrected pair: integer with int64 (the positive sample used "double").
type: integer
format: int64
quantity:
type: integer
format: int32
percentage:
# Corrected pair: number with float (the positive sample used "int32").
type: number
format: float
result:
type: number
format: double
Negative test num. 3 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response"
},
"201": {
"description": "201 response"
}
}
},
"parameters": [
{
"name": "id",
"in": "body",
"description": "ID of pet to use",
"required": true,
"schema": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": {
"type": "string",
"format": "byte"
},
"quantity": {
"type": "integer",
"format": "int32"
},
"percentage": {
"type": "number",
"format": "float"
},
"result": {
"type": "number",
"format": "double"
}
}
}
}
},
{
"name": "start_date",
"in": "query",
"type": "string",
"format": "date",
"description": "The start date for the report. Must be used together with `end_date`. This parameter is incompatible with `rdate`.\n"
}
]
}
}
}
Negative test num. 4 - yaml file
# Negative sample for the "Invalid Format (v3)" query, Swagger 2.0: every
# integer uses int32 or int64, every number uses float or double, and the string
# fields use string formats, so no format/type mismatch should be reported.
# NOTE(review): nesting indentation appears to have been lost on this page; the
# JSON variant of this sample (Negative test num. 3) carries the same keys with
# the structure intact.
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 202 response
"201":
description: 201 response
parameters:
- name: id
in: body
description: ID of pet to use
required: true
schema:
type: array
items:
type: object
properties:
id:
# String with format byte (the positive sample used the numeric format "double").
type: string
format: byte
quantity:
type: integer
format: int32
percentage:
# Corrected pair: number with float (the positive sample used "int32").
type: number
format: float
result:
type: number
format: double
# The start_date parameter below is a string with format date (the positive
# sample used the integer format "int64").
- name: start_date
in: query
type: string
format: date
description: >
The start date for the report. Must be used together with `end_date`.
This parameter is incompatible with `rdate`.