Swagger rules
Description
Swagger rules are a set of rules used to validate the schema of a REST API described by an OpenAPI (Swagger) document. Because such schemas are loosely structured, rule violations can be the root cause of security issues.
Remediation
Comply with the Swagger rules.
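One way to check an OpenAPI 3 document against schema rules of this kind, as an added example that is not Escape's own rule engine: the page does not enumerate the exact rules it enforces, so the ones below (typed parameters, bounded strings and integers, closed objects, declared responses) are assumed for illustration, and the sample spec is constructed with deliberate violations.

```python
# Constructed sample OpenAPI 3 document with deliberate rule violations.
SAMPLE_SPEC = {
    "paths": {"/users/{id}": {
        "get": {
            "parameters": [{"name": "id", "in": "path", "required": True}],  # no schema
            "responses": {"200": {"description": "ok"}},
        },
        "post": {  # no responses declared
            "requestBody": {"content": {"application/json": {"schema": {
                "type": "object",  # additionalProperties not set
                "properties": {
                    "name": {"type": "string"},  # unbounded string
                    "age": {"type": "integer", "minimum": 0, "maximum": 150},
                },
            }}}},
        },
    }},
}


def _walk_schema(schema: dict, where: str):
    # Assumed rules: bounded strings, bounded integers, closed objects.
    t = schema.get("type")
    if t == "string" and not set(schema) & {"maxLength", "pattern", "enum"}:
        yield f"{where}: string without maxLength/pattern/enum"
    if t == "integer" and not {"minimum", "maximum"} <= set(schema):
        yield f"{where}: integer without minimum and maximum"
    if t == "object":
        if schema.get("additionalProperties", True) is not False:
            yield f"{where}: object allows additional properties"
        for name, sub in schema.get("properties", {}).items():
            yield from _walk_schema(sub, f"{where}.{name}")


def check_spec(spec: dict) -> list[str]:
    # Returns one finding string per violated (assumed) rule, in document order.
    findings: list[str] = []
    for path, ops in spec.get("paths", {}).items():
        for method, op in ops.items():
            where = f"{method.upper()} {path}"
            if not op.get("responses"):
                findings.append(f"{where}: no responses declared")
            for p in op.get("parameters", []):
                if "type" not in p.get("schema", {}):
                    findings.append(f"{where}: parameter '{p.get('name')}' has no typed schema")
                else:
                    findings.extend(_walk_schema(p["schema"], f"{where} param {p['name']}"))
            for ctype, media in op.get("requestBody", {}).get("content", {}).items():
                findings.extend(_walk_schema(media.get("schema", {}), f"{where} body({ctype})"))
    return findings
```

Running `check_spec(SAMPLE_SPEC)` reports the untyped path parameter, the missing responses, the open object and the unbounded string; the `age` property passes because it carries both bounds.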
REST Specific
Asp_net
Ensure that all user inputs are validated using strong type checking and regular expressions, and encode outputs to prevent XSS attacks. Implement proper exception handling to avoid revealing sensitive information in error messages. Regularly update the ASP.NET framework to patch known vulnerabilities.
Ruby_on_rails
Ensure that you use strong parameters in Ruby on Rails to prevent mass assignment vulnerabilities. Always whitelist controller parameters to control which attributes should be allowed for mass updating.
Next_js
Ensure server-side rendering processes user input securely to prevent XSS attacks, and validate all API requests to avoid injection vulnerabilities. Keep Next.js and its dependencies up to date to mitigate known vulnerabilities.
Laravel
Ensure that all user inputs are properly sanitized and validated before processing. Utilize Laravel's built-in security features such as prepared statements, CSRF protection, and input validation rules to mitigate the risk of injection attacks and other vulnerabilities.
Express_js
Ensure that all routes in the Express.js application are validated against a strict schema to prevent unstructured input, and implement middleware such as 'express-validator' for input validation to mitigate potential security vulnerabilities.
Django
Ensure that Django's built-in protections against XSS, CSRF, and SQL injection are enabled and properly configured. Use Django's template system to automatically escape variables, and never mark safe any user-provided strings unless absolutely necessary. Regularly update the Django framework to incorporate security patches.
Symfony
Ensure that all user inputs are properly sanitized and validated within your Symfony application. Use Symfony's built-in functions like 'filter_var' for input validation and 'htmlspecialchars' for output escaping to prevent XSS attacks. Additionally, leverage the 'ParamConverter' for automatic parameter conversion and validation, and consistently apply 'Security' annotations to enforce access controls on your controllers.
Spring_boot
Ensure that your Spring Boot application is using the latest version of the Spring Framework, which includes security enhancements and bug fixes. Regularly update dependencies to mitigate known vulnerabilities. Additionally, implement proper input validation and output encoding to protect against injection attacks. Use Spring Security for comprehensive security configuration and enable CSRF protection. Always run your application as a user with the least necessary privileges.
Flask
Ensure that all Flask routes and view functions properly validate and sanitize user input to prevent common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Utilize Flask extensions like Flask-WTF for form validation and Flask-Talisman for setting security-related HTTP headers.
Nuxt
Ensure that all dynamic data is properly sanitized and validated on both the client and server sides to prevent XSS attacks. Use Nuxt.js's built-in escaping mechanisms to handle user-generated content safely, and regularly update dependencies to mitigate known vulnerabilities.
Fastapi
Ensure that FastAPI endpoints validate and sanitize all input data rigorously to prevent injection attacks. Use Pydantic models to define strict schemas and leverage automatic request validation. Regularly update FastAPI and its dependencies to incorporate security patches.
Frappe
Implement input validation and sanitization to prevent injection attacks in the Frappe framework.
Genzio
Ensure proper input validation and sanitization in the Genzio framework engine to prevent security vulnerabilities.
Gin
Implement input validation and sanitization to prevent injection attacks in the Gin framework.
Gorilla
Ensure proper input validation and sanitization in the Gorilla framework to prevent security vulnerabilities.
Hapi
Ensure input validation and sanitization in Hapi routes to prevent injection attacks.
Hono
Ensure proper input validation and sanitization in the Hono framework to prevent security vulnerabilities.
Jersey
Ensure proper input validation and output encoding to prevent injection attacks in the Jersey framework.
Koa
Implement input validation and sanitization to prevent injection attacks in Koa applications.
Ktor
Ensure proper exception handling in Ktor by using the 'StatusPages' feature to manage and respond to errors gracefully.
Leptos
Ensure proper state management and component isolation in the Leptos framework to prevent unintended data leaks and enhance application security.
Macaron
Ensure proper session management and CSRF protection in the Macaron framework.
Phoenix
Ensure proper input validation and sanitization in Phoenix controllers to prevent security vulnerabilities.
Redwoodjs
Implement role-based access control (RBAC) to manage user permissions in RedwoodJS applications.
Rocket
Ensure proper input validation and sanitization in the Rocket framework to prevent injection attacks.
Sveltekit
Implement input validation and sanitization to prevent XSS vulnerabilities in SvelteKit applications.
Configuration
Identifier:
schema/swagger_rules
Examples
Ignore this check
Score
- Escape Severity:
Compliance
- OWASP: API9:2023
- OWASP LLM: LLM06:2023
- pci: 6.5.1
- gdpr: Article-32
- soc2: CC1
- psd2: Article-95
- iso27001: A.14.2
- nist: SP800-53
- fedramp: SA-11
Classification
- CWE: 758
Score
- CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N