Swagger rules

Description

Swagger rules are a set of rules used to validate the schema of a REST OpenAPI specification. A schema that violates them is unstructured, and that lack of structure can be at the root of security issues.

Remediation

Comply with the Swagger rules.

REST Specific

  • Asp_net: Ensure that all user inputs are validated using strong type checking and regular expressions, and encode outputs to prevent XSS attacks. Implement proper exception handling to avoid revealing sensitive information in error messages. Regularly update the ASP.NET framework to patch known vulnerabilities.
  • Ruby_on_rails: Use strong parameters in Ruby on Rails to prevent mass assignment vulnerabilities. Always whitelist controller parameters to control which attributes are allowed for mass updating.
  • Next_js: Ensure that server-side rendering processes user input securely to prevent XSS attacks, and validate all API requests to avoid injection vulnerabilities. Keep Next.js and its dependencies up to date to mitigate known vulnerabilities.
  • Laravel: Ensure that all user inputs are properly sanitized and validated before processing. Use Laravel's built-in security features, such as prepared statements, CSRF protection, and input validation rules, to mitigate the risk of injection attacks and other vulnerabilities.
  • Express_js: Validate every route in the Express.js application against a strict schema to reject unstructured input, and use middleware such as 'express-validator' for input validation to mitigate potential security vulnerabilities.
  • Django: Ensure that Django's built-in protections against XSS, CSRF, and SQL injection are enabled and properly configured. Use Django's template system to escape variables automatically, and never mark user-provided strings as safe unless absolutely necessary. Regularly update the Django framework to incorporate security patches.
  • Symfony: Ensure that all user inputs are properly sanitized and validated within your Symfony application. Use built-in functions like 'filter_var' for input validation and 'htmlspecialchars' for output escaping to prevent XSS attacks. Additionally, leverage the 'ParamConverter' for automatic parameter conversion and validation, and consistently apply 'Security' annotations to enforce access controls on your controllers.
  • Spring_boot: Ensure that your Spring Boot application uses the latest version of the Spring Framework, which includes security enhancements and bug fixes, and regularly update dependencies to mitigate known vulnerabilities. Implement proper input validation and output encoding to protect against injection attacks. Use Spring Security for comprehensive security configuration and enable CSRF protection. Always run the application as a user with the least necessary privileges.
  • Flask: Ensure that all Flask routes and view functions validate and sanitize user input to prevent common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Use Flask extensions like Flask-WTF for form validation and Flask-Talisman for setting security-related HTTP headers.
  • Nuxt: Ensure that all dynamic data is properly sanitized and validated on both the client and server sides to prevent XSS attacks. Use Nuxt.js's built-in escaping mechanisms to handle user-generated content safely, and regularly update dependencies to mitigate known vulnerabilities.
  • Fastapi: Ensure that FastAPI endpoints rigorously validate and sanitize all input data to prevent injection attacks. Use Pydantic models to define strict schemas and leverage automatic request validation. Regularly update FastAPI and its dependencies to incorporate security patches.
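The structural rules this check enforces are easiest to see in code. The following is an added example, not Escape's own check implementation: a minimal linter that applies a few typical Swagger rules (every operation declares responses, every parameter has a valid location and a typed schema, operationIds are unique) to an OpenAPI 3 document already parsed into a dict. The function name, the rule set and the sample specification are assumptions constructed for the example.

```python
# Added example (not Escape's own check logic): a minimal structural linter
# that applies a few typical "swagger rules" to an OpenAPI 3 document that
# has already been parsed into a dict, and returns the violations it finds.
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
PARAM_LOCATIONS = {"path", "query", "header", "cookie"}

def check_openapi(spec: dict) -> list:
    """Return human-readable findings; an empty list means the spec complies."""
    findings = []
    if not str(spec.get("openapi", "")).startswith("3."):
        findings.append("root: missing or unsupported 'openapi' version")
    seen_ids = set()
    for path, item in (spec.get("paths") or {}).items():
        if not path.startswith("/"):
            findings.append(f"{path}: path must start with '/'")
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # 'parameters', 'summary', ... are not operations
            where = f"{method.upper()} {path}"
            if not op.get("responses"):
                findings.append(f"{where}: no responses declared")
            op_id = op.get("operationId")
            if op_id in seen_ids:
                findings.append(f"{where}: duplicate operationId '{op_id}'")
            elif op_id:
                seen_ids.add(op_id)
            # Path-level parameters apply to every operation under the path.
            for param in item.get("parameters", []) + op.get("parameters", []):
                name = param.get("name", "<unnamed>")
                if param.get("in") not in PARAM_LOCATIONS:
                    findings.append(f"{where}: parameter '{name}' has an invalid 'in'")
                schema = param.get("schema") or {}
                if "type" not in schema and "$ref" not in schema:
                    findings.append(f"{where}: parameter '{name}' has no typed schema")
    return findings

# Constructed sample spec with three deliberate violations: an untyped path
# parameter, a DELETE operation with no responses, and a duplicate operationId.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Demo API", "version": "1.0"},
    "paths": {
        "/users/{id}": {
            "get": {"operationId": "getUser",
                    "parameters": [{"name": "id", "in": "path", "required": True}],
                    "responses": {"200": {"description": "OK"}}},
            "delete": {"operationId": "getUser"},
        }
    },
}
```

Running `check_openapi(SAMPLE_SPEC)` reports the three violations; an empty list means the document satisfies these rules.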

Configuration

Identifier: schema/swagger_rules

Examples

Ignore this check

checks:
  schema/swagger_rules:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API9:2023
  • pci: 6.5.1
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: SA-11

Classification

  • CWE: 758

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N