Security Test: Invalid condition in allOf
Description
Default Severity:
If you combine constraints in an `allOf` clause without checking how they interact, you can end up with a requirement that no input can ever satisfy. Instead of rejecting only bad inputs, the schema rejects every input, which leads to unexpected failures in your system. This is dangerous because the application may block legitimate requests or behave unpredictably, and attackers can exploit such flaws to trigger denial of service or bypass validations that the misconfiguration leaves ineffective. Developers often fall into this trap by assuming that constraints simply add up logically, without considering that some combinations contradict one another completely.
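The following is an added example, not code from the scanner this page documents. It shows the kind of static check a schema linter can perform for this test: walk a JSON Schema, merge the `type`, numeric-bound, string-length and `const` constraints declared by the branches of each `allOf`, and report every `allOf` whose merged constraints leave no satisfiable value. The two schemas and the path format are constructed for the example.

```python
"""Static check for unsatisfiable `allOf` clauses in a JSON Schema.

Added example, not code from the scanner this page documents. It walks a
schema, merges the constraints declared by every branch of each `allOf`, and
reports combinations that no input value could satisfy.
"""
from typing import Any, Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str]  # (JSON path of the offending allOf, explanation)

# Constructed sample schema: three properties whose allOf branches contradict.
CONTRADICTORY_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "properties": {
        "amount": {"allOf": [
            {"type": "number", "minimum": 10},
            {"type": "number", "maximum": 5},
        ]},
        "currency": {"allOf": [
            {"type": "string"},
            {"type": "integer"},
        ]},
        "note": {"allOf": [
            {"type": "string", "minLength": 20},
            {"maxLength": 8},
        ]},
    },
}

# Constructed sample schema: overlapping constraints that still admit inputs.
SATISFIABLE_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "properties": {
        "amount": {"allOf": [
            {"type": "number", "minimum": 1},
            {"type": "integer", "maximum": 100},
        ]},
        "note": {"allOf": [{"minLength": 1}, {"maxLength": 8}]},
    },
}


def _types_of(branch: Dict[str, Any]) -> Optional[Set[str]]:
    """JSON types a branch admits, or None when it declares no `type`."""
    declared = branch.get("type")
    if declared is None:
        return None
    types = {declared} if isinstance(declared, str) else set(declared)
    if "number" in types:
        types.add("integer")  # every integer is also a number
    return types


def _check_branches(branches: List[Any], path: str) -> List[Finding]:
    """Merge the constraints of one allOf and flag an empty solution space."""
    findings: List[Finding] = []
    allowed: Optional[Set[str]] = None
    lower = upper = None          # tightest numeric bounds seen so far
    min_len = max_len = None      # tightest string-length bounds seen so far
    consts: List[Any] = []
    for branch in branches:
        if not isinstance(branch, dict):
            continue
        types = _types_of(branch)
        if types is not None:
            allowed = types if allowed is None else allowed & types
        if "minimum" in branch:
            lower = branch["minimum"] if lower is None else max(lower, branch["minimum"])
        if "maximum" in branch:
            upper = branch["maximum"] if upper is None else min(upper, branch["maximum"])
        if "minLength" in branch:
            min_len = branch["minLength"] if min_len is None else max(min_len, branch["minLength"])
        if "maxLength" in branch:
            max_len = branch["maxLength"] if max_len is None else min(max_len, branch["maxLength"])
        if "const" in branch:
            consts.append(branch["const"])
    if allowed is not None and not allowed:
        findings.append((path, "branches require disjoint types"))
    if lower is not None and upper is not None and lower > upper:
        findings.append((path, f"minimum {lower} exceeds maximum {upper}"))
    if min_len is not None and max_len is not None and min_len > max_len:
        findings.append((path, f"minLength {min_len} exceeds maxLength {max_len}"))
    if any(c != consts[0] for c in consts[1:]):
        findings.append((path, "branches fix different const values"))
    return findings


def find_invalid_allof(schema: Any, path: str = "$") -> List[Finding]:
    """Recursively locate every allOf in `schema` that no input can satisfy."""
    findings: List[Finding] = []
    if isinstance(schema, dict):
        if isinstance(schema.get("allOf"), list):
            findings.extend(_check_branches(schema["allOf"], path))
        for key, value in schema.items():
            findings.extend(find_invalid_allof(value, f"{path}.{key}"))
    elif isinstance(schema, list):
        for index, item in enumerate(schema):
            findings.extend(find_invalid_allof(item, f"{path}[{index}]"))
    return findings


if __name__ == "__main__":
    for where, why in find_invalid_allof(CONTRADICTORY_SCHEMA):
        print(f"{where}: {why}")
    print("satisfiable schema findings:", find_invalid_allof(SATISFIABLE_SCHEMA))
```

The check is deliberately conservative: it only reports an `allOf` when the merged bounds or type sets are provably empty, so it produces no false positives on the satisfiable schema, while the three contradictory properties (numeric bounds, disjoint types, string lengths) are each reported with the path of the offending `allOf`. Running it as part of schema review catches the misconfiguration before the schema is deployed and starts rejecting every request.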
Reference:
Configuration
Identifier:
schema/invalid_allof
Examples
All configuration available:
Compliance and Standards

| Standard | Value |
|---|---|
| OWASP API Top 10 | API9:2023 |
| OWASP LLM Top 10 | LLM02:2023 |
| PCI DSS | 10.2.4 |
| GDPR | Article-32 |
| SOC2 | CC1 |
| PSD2 | Article-95 |
| ISO 27001 | A.14.2 |
| NIST | SP800-53 |
| FedRAMP | AC-2 |
| CWE | 758 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N |