
Merge pull request #7327 from Checkmarx/eduardose/maximum_length_undefined

fix(query): openapi maximum_length_undefined query enum and format sanitizers
EduardoSemanas authored Feb 3, 2025
2 parents 4297cc0 + c6766a1 commit 2e3a47b
Showing 5 changed files with 245 additions and 0 deletions.
14 changes: 14 additions & 0 deletions assets/queries/openAPI/general/maximum_length_undefined/query.rego
Expand Up @@ -12,6 +12,7 @@ CxPolicy[result] {
info := openapi_lib.is_operation(path)
openapi_lib.content_allowed(info.operation, info.code)
openapi_lib.undefined_field_in_string_type(value, "maxLength")
checkForSecureStringFormats(value)
not limited_regex(value)

result := {
Expand All @@ -33,6 +34,7 @@ CxPolicy[result] {
[path, value] := walk(doc)
openapi_lib.is_operation(path) == {}
openapi_lib.undefined_field_in_string_type(value, "maxLength")
checkForSecureStringFormats(value)
not limited_regex(value)

result := {
Expand All @@ -51,3 +53,15 @@ limited_regex(value){
not contains(value.pattern, "*")
not regex.match("[^\\\\]{\\d+,}", value.pattern)
}

checkForSecureStringFormats(value) {
openapi_lib.undefined_field_in_string_type(value, "enum") # enums have the maxLength implicit
checkStringFormat(value)
}

checkStringFormat(value) {
openapi_lib.undefined_field_in_string_type(value, "format")
} else {
value["format"] != "date" # date and date-time formats
value["format"] != "date-time" # have the maxLength implicit
}
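Review bot: The `else` branch of `checkStringFormat` spells the exempted formats as two inline comparisons on `value["format"]`, so the allowlist lives in the rule body rather than in one named place and the two trailing comments have to be read together to see that it is an allowlist. A set reads as what it is and is the single spot to extend later: `implicit_length_formats := {"date", "date-time"}` at rule scope and `not implicit_length_formats[value["format"]]` in the `else` body. The comment on `checkStringFormat` should also record the assumption the exemption rests on: a `date`/`date-time` string only has a bounded length when the API's validator actually enforces `format`, which JSON Schema generally treats as advisory unless format assertion is enabled, so `maxLength` remains the only guaranteed bound, while other fixed-width formats such as `uuid` keep being reported, which errs on the side of a finding. `checkForSecureStringFormats` would benefit from a one-line header such as `# holds when the string carries neither an enum nor a date/date-time format, i.e. nothing that bounds its length implicitly`.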
@@ -0,0 +1,55 @@
openapi: 3.0.0
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
content:
application/json:
examples:
foo:
value:
versions:
- status: CURRENT
updated: "2011-01-21T11:33:21Z"
id: v2.0
links:
- href: http://127.0.0.1:8774/v2/
rel: self
components:
schemas:
GeneralError:
type: object
discriminator:
propertyName: petType
additionalProperties: false
properties:
code:
type: string
enum:
- brown
- grey
- black
- white
message:
type: string
format: date
extra:
type: string
format: date-time
required:
- petType
requestBodies:
NewItem:
description: A JSON object containing item data
required: true
content:
multipart/form-data:
schema:
$ref: "#/components/schemas/GeneralError"
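Review bot: Every string property in this fixture (`code` with an enum, `message` with `format: date`, `extra` with `format: date-time`) falls under one of the new exemptions, so the file only confirms that the query goes quiet and does not show that the exemption is applied per property rather than per schema. A positive fixture that places one string property with neither enum nor format and no `maxLength` next to these exempted ones would pin that the query still fires on the unbounded sibling; the same applies to the three fixtures that follow (the Swagger 2.0 JSON and YAML and the OpenAPI 3.0 JSON). The file names are not shown on this page, so whether these are the negative fixtures is inferred from their content, and a positive fixture for the unchanged case may already exist elsewhere in the query's test set.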
@@ -0,0 +1,50 @@
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0",
"contact": {
"name": "contact",
"url": "https://www.google.com/",
"email": "[email protected]"
}
},
"paths": {
"/": {
"get": {
"responses": {
"200": {
"description": "200 response",
"schema": {
"discriminator": "petType",
"additionalProperties": false,
"properties": {
"code": {
"type": "string",
"enum": [
"brown",
"grey",
"black",
"white"
]
},
"message": {
"type": "string",
"format": "date"
},
"extra": {
"type": "string",
"format": "date-time"
}
},
"required": [
"petType"
],
"type": "object"
}
}
}
}
}
}
}
@@ -0,0 +1,32 @@
swagger: "2.0"
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
schema:
type: object
discriminator: petType
additionalProperties: false
properties:
code:
type: string
enum:
- brown
- grey
- black
- white
message:
type: string
format: date
extra:
type: string
format: date-time
required:
- petType
@@ -0,0 +1,94 @@
{
"openapi": "3.0.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0",
"contact": {
"name": "contact",
"url": "https://www.google.com/",
"email": "[email protected]"
}
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"content": {
"application/json": {
"examples": {
"foo": {
"value": {
"versions": [
{
"status": "CURRENT",
"updated": "2011-01-21T11:33:21Z",
"id": "v2.0",
"links": [
{
"href": "http://127.0.0.1:8774/v2/",
"rel": "self"
}
]
}
]
}
}
}
}
}
}
}
}
}
},
"components": {
"schemas": {
"GeneralError": {
"type": "object",
"discriminator": {
"propertyName": "petType"
},
"additionalProperties": false,
"properties": {
"code": {
"type": "string",
"enum": [
"brown",
"grey",
"black",
"white"
]
},
"message": {
"type": "string",
"format": "date"
},
"extra": {
"type": "string",
"format": "date-time"
}
},
"required": [
"petType"
]
}
},
"requestBodies": {
"NewItem": {
"description": "A JSON object containing item data",
"required": true,
"content": {
"multipart/form-data": {
"schema": {
"$ref": "#/components/schemas/GeneralError"
}
}
}
}
}
}
}
