
Invalid parameters in path

Description

Your current schema doesn't follow the OpenAPI Specification for path parameters. Ensure that the parameters are correctly defined in the path.

In the OpenAPI 3.0 specification, parameters in the path should be defined using curly braces, like so: /user/{id}/books.

Remediation

Update your OpenAPI schema to correctly define the path parameters according to the OpenAPI Specification. Ensure that the parameters are correctly defined in the path and that they follow the required format.
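
As an added illustration of what this check looks for (example code written for this page, not Escape's scanner), the small validator below walks the paths of an OpenAPI 3.0 document and reports placeholders written in a framework's syntax instead of {curly braces}, template parameters that have no matching `in: path` declaration or lack `required: true`, and path parameters declared but never used in the template. The sample spec is constructed inline.

```python
import re

# A correctly-formed OpenAPI 3.0 template parameter: /user/{id}/books
TEMPLATE_PARAM = re.compile(r"\{([A-Za-z0-9_.-]+)\}")
# Framework placeholders OpenAPI does not accept: /users/:userId (Express), /items/<int:item_id> (Django/Flask)
FOREIGN_PARAM = re.compile(r":[A-Za-z_]\w*|<[^>]+>")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def check_path(path, operation_params, path_level_params=()):
    """Return a list of problems for one path template and its parameter objects (empty if valid)."""
    problems = []
    # 1. placeholders written in a framework's syntax instead of {curly braces}
    for m in FOREIGN_PARAM.finditer(path):
        problems.append(f"{path}: '{m.group(0)}' is not OpenAPI syntax; use {{name}}")
    # 2. operation-level parameters override path-level ones with the same name
    declared = {p["name"]: p for p in (*path_level_params, *operation_params) if p.get("in") == "path"}
    in_template = TEMPLATE_PARAM.findall(path)
    # 3. every {name} in the template needs a matching parameter with required: true
    for name in in_template:
        p = declared.get(name)
        if p is None:
            problems.append(f"{path}: '{{{name}}}' has no matching 'in: path' parameter")
        elif p.get("required") is not True:
            problems.append(f"{path}: path parameter '{name}' must be required: true")
    # 4. a path parameter declared but never used in the template is also invalid
    for name in declared:
        if name not in in_template:
            problems.append(f"{path}: parameter '{name}' is declared in: path but absent from the template")
    return problems


def check_spec(spec):
    """Walk spec['paths'] and return the de-duplicated problems across all operations."""
    problems = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS:
                problems.extend(check_path(path, op.get("parameters", []), item.get("parameters", [])))
    return list(dict.fromkeys(problems))


# Constructed sample spec: the first path is valid, the other two trigger the check
SAMPLE_SPEC = {"paths": {
    "/user/{id}/books": {"get": {"parameters": [
        {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}}]}},
    "/users/:userId": {"get": {"parameters": []}},   # Express-style placeholder
    "/items/{item_id}": {"get": {"parameters": []}},  # template parameter never declared
}}

if __name__ == "__main__":
    for problem in check_spec(SAMPLE_SPEC):
        print(problem)
```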

REST Specific

Asp_net Ensure that all path parameters in your ASP.NET routes match the OpenAPI Specification by verifying the route templates in your controller actions. Use the [FromRoute] attribute to bind path parameters to action method parameters correctly.
Ruby_on_rails In Ruby on Rails, ensure that your route parameters are properly defined in the config/routes.rb file using the ':parameter' syntax. Validate the presence and types of path parameters in your controller actions, and use strong parameters to prevent unwanted parameters from being processed.
Next_js In Next.js, ensure that dynamic routes are correctly defined using file and folder naming conventions. For example, use `[param]` for dynamic parameters in the file name. Validate and sanitize path parameters in `getServerSideProps` or API routes to adhere to the OpenAPI Specification.
Laravel In Laravel, ensure that your route parameters match the expected pattern by using regular expression constraints in your route definitions. Also, validate path parameters using Laravel's built-in validation features or form request validation to adhere to the OpenAPI Specification.
Express_js In Express.js, define path parameters using the colon syntax in your route definitions. For example, use app.get('/users/:userId', handler) to capture the 'userId' parameter. Ensure all path parameters are declared in this manner and match the OpenAPI Specification.
Django In Django, ensure that your URL patterns use angle brackets to capture parameters from the path. For example, use path('items/<int:item_id>/', views.item_detail) to define a path with an integer parameter 'item_id'. Update your views to accept and handle these parameters according to the OpenAPI Specification.
Symfony In Symfony, ensure that your route definitions include proper placeholders for parameters, and that the corresponding controller methods accept these parameters as arguments. Use the 'requirements' attribute to define parameter patterns according to the OpenAPI Specification.
Spring_boot In Spring Boot, ensure that path variables in your controller methods are properly annotated with @PathVariable and match the corresponding template placeholders in your @RequestMapping or @GetMapping annotations. Also, validate that the data types of the path variables are consistent with the expected parameter types in the OpenAPI definition.
Flask In Flask, ensure that path parameters are defined using angle brackets in your route. For example, use @app.route('/resource/<resource_id>') to define a path with a parameter named 'resource_id'. Match this with the corresponding parameter in your view function, and validate the input to adhere to the expected schema.
Nuxt Ensure that all dynamic segments in your Nuxt.js routes are properly defined according to the framework's conventions. Use the params object in your page components to access the path parameters.
Fastapi In FastAPI, ensure that path parameters match the function arguments and are of the correct type. Use Pydantic models for validation and declare path parameters using FastAPI's Path function for additional validation.

Configuration

Identifier: schema/invalid_parameters_in_path

Examples

Ignore this check

checks:
  schema/invalid_parameters_in_path:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API9:2023
  • pci: 1.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2

Classification

  • CWE: 758

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

References