Description
Should the following linting rules be used for CAMARA APIs:
Descriptions from https://apistylebook.stoplight.io/docs/owasp-top-10-2023
Note: Only warning severity
Warnings
owasp:api3:2023-constrained-additionalProperties
By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with additionalProperties: false or add maxProperties.
owasp:api3:2023-constrained-unevaluatedProperties
By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with unevaluatedProperties: false or add maxProperties.
owasp:api3:2023-no-additionalProperties
By default JSON Schema allows additional properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with additionalProperties: false or add maxProperties.
owasp:api3:2023-no-unevaluatedProperties
By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with unevaluatedProperties: false or add maxProperties.
Discussion
owasp:api3:2023-no-additionalProperties owasp:api3:2023-constrained-additionalProperties
HTTPSettings in subscription template - enable rules and change template?
NOTE: Use/Applicability of this concept has not been discussed in Commonalities under the scope of Meta Release v0.4. When required by an API project as an option to meet a UC/Requirement, please generate an issue for Commonalities discussion about it.
owasp:api3:2023-no-unevaluatedProperties owasp:api3:2023-constrained-unevaluatedProperties
for OAS 3.1 (no impact now) - enable rules?
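To make the mass-assignment point behind the additionalProperties/maxProperties rules concrete, here is an added example (not from this issue, not CAMARA code, and not the Spectral rules themselves): a minimal stand-in for the relevant slice of JSON Schema validation, plus a lint check that mirrors what owasp:api3:2023-constrained-additionalProperties looks for. The schemas and request bodies are constructed and only loosely modelled on a subscription sink object.

```python
# Constructed stand-in for the part of JSON Schema validation the rules
# above are about. Not the jsonschema library and not CAMARA code.
from typing import Any

def validate(schema: dict[str, Any], body: dict[str, Any]) -> list[str]:
    """Check `body` against `schema`, honouring only `properties`,
    `additionalProperties` and `maxProperties`."""
    errors: list[str] = []
    extra = sorted(set(body) - set(schema.get("properties", {})))
    # JSON Schema default is additionalProperties: true, so undeclared
    # fields pass silently unless the schema says false.
    if extra and schema.get("additionalProperties", True) is False:
        errors.append(f"unexpected properties: {extra}")
    limit = schema.get("maxProperties")
    if limit is not None and len(body) > limit:
        errors.append(f"too many properties: {len(body)} > {limit}")
    return errors

def lint_constrained(name: str, schema: dict[str, Any]) -> list[str]:
    """Mirror of owasp:api3:2023-constrained-additionalProperties: warn
    when an object schema neither disables additional properties nor
    caps the property count."""
    if schema.get("type") != "object":
        return []
    if schema.get("additionalProperties", True) is False:
        return []
    if "maxProperties" in schema:
        return []
    return [f"{name}: additionalProperties not constrained (warning)"]

# Constructed schemas, loosely modelled on a subscription sink object.
PROPS = {"sink": {"type": "string"}, "protocol": {"type": "string"}}
LOOSE = {"type": "object", "properties": PROPS}
STRICT = {"type": "object", "properties": PROPS, "additionalProperties": False}
CAPPED = {"type": "object", "properties": PROPS, "maxProperties": 2}

GOOD = {"sink": "https://client.example/notify", "protocol": "HTTP"}
# Same request with one undeclared field the API never meant to accept.
TAMPERED = {**GOOD, "internalOwner": "other-tenant"}

if __name__ == "__main__":
    for name, schema in [("LOOSE", LOOSE), ("STRICT", STRICT), ("CAPPED", CAPPED)]:
        print(name, "lint:", lint_constrained(name, schema) or "ok")
        print(name, "tampered body:", validate(schema, TAMPERED) or "accepted")
```

The LOOSE schema is exactly the case the warning targets: it lints as unconstrained and accepts the undeclared field, while STRICT and CAPPED both lint clean and reject the tampered body.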