Schema: Invalid condition in allOf¶

Identifier: invalid_allof

Scanner(s) Support¶

GraphQL Scanner	REST Scanner	WebApp Scanner

Description¶

If you mix conditions in an allOf clause without fully checking how they interact, you might accidentally set up requirements that no input can ever meet. Instead of catching bad inputs, the configuration ends up rejecting every input, which can lead to unexpected failures in your system. This is dangerous because it might cause your application to mistakenly block legitimate requests or behave unpredictably, and attackers might exploit these flaws to trigger denial-of-service or bypass certain validations through misconfiguration. Developers often fall into this trap by assuming all constraints will simply add up logically, without considering that some combinations might actually contradict one another completely.

References:

https://swagger.io/docs/specification/data-models/oneof-anyof-allof-not/

Configuration¶

Example¶

Example configuration:

---
security_tests:
  invalid_allof:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference¶

`assets_allowed`¶

Type : List[AssetType]*

List of assets that this check will cover.

`skip`¶

Type : boolean

Skip the test if true.