Ensure the Schema Object is defined and not empty to avoid accepting any JSON value

Ensure that every Schema Object in the OpenAPI document is defined and not empty. An empty schema object {} accepts any JSON value, which may not be desirable if you want to restrict the possible values or validate them against some criteria. Defining the properties and types of the expected data helps both humans and computers to understand the format and structure of the input and output data.

Risk Level: medium
Platform: OpenAPI
Spectral Rule ID: OPENAPI016

REMEDIATION

Add or modify the Schema Object for each input or output data type. For example:

# in OpenAPI 3.0:
paths:
    /users/{id}:
      get:
        parameters:
          - name: id
            in: path
            required: true
            schema:
              type: string # define the schema of the path parameter here
        responses:
          '200':
            description: A user object.
            content:
              application/json:
                schema:
                  type: object # define the schema of the response body here
+                 properties:
+                   name:
+                     type: string
+                   age:
+                     type: integer
+                   email:
+                     type: string
+                     format: email
+                 additionalProperties: false
          '404':
            description: User not found.
            content:
              application/json:
                schema:
                  type: object # define the schema of the response body here
+                 properties:
+                   message:
+                     type: string # for example, the response body may contain an error message as a string property

# In OpenAPI 2.0, use `type` instead of `schema` for simple parameters, and use `definitions` to reference complex schemas. For example:

paths:
    /users/{id}:
      get:
        parameters:
          - name: id
            in: path
            required: true
            type: string # define the type of the path parameter here
        responses:
          '200':
            description: A user object.
            schema:
              $ref: '#/definitions/User' # reference the schema of the response body here
          '404':
            description: User not found.
            schema:
              $ref: '#/definitions/Error' # reference the schema of the response body here

definitions:
  User:
    type: object # define the schema of the user object here
+   properties:
+     name:
+       type: string
+     age:
+       type: integer
+     email:
+       type: string
+       format: email
+   additionalProperties: false

  Error:
    type: object # define the schema of the error object here
+   properties:
+     message:
+       type: string # for example, the error object may contain a message as a string property
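
To find the schemas that still need this remediation, the added example below (not part of the original page, and not Spectral's implementation of OPENAPI016) walks a parsed OpenAPI document and returns the JSON Pointer of every empty Schema Object. The keyword sets, function names and the sample document are assumptions constructed for illustration.

```javascript
// Added example: report empty Schema Objects ({}) in a parsed OpenAPI document.
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const isEmptySchema = (v) => isObj(v) && Object.keys(v).length === 0;
const esc = (s) => String(s).replace(/~/g, "~0").replace(/\//g, "~1"); // JSON Pointer escaping

// Assumption: keywords treated as holding one schema, or a map of named schemas.
const ONE_SCHEMA = new Set(["schema", "items", "additionalProperties"]);
const SCHEMA_MAP = new Set(["properties", "definitions", "schemas"]);

function findEmptySchemas(node, path = "#", found = new Set()) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findEmptySchemas(item, `${path}/${i}`, found));
  } else if (isObj(node)) {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}/${esc(key)}`;
      // {} directly under a schema keyword accepts any JSON value.
      if (ONE_SCHEMA.has(key) && isEmptySchema(value)) found.add(here);
      // Named schemas (properties, definitions, components.schemas) may be empty too.
      if (SCHEMA_MAP.has(key) && isObj(value)) {
        for (const [name, schema] of Object.entries(value)) {
          if (isEmptySchema(schema)) found.add(`${here}/${esc(name)}`);
        }
      }
      findEmptySchemas(value, here, found);
    }
  }
  return [...found];
}

// Constructed sample: the /users/{id} operation with three schemas left empty.
const sampleDoc = {
  openapi: "3.0.0",
  paths: {
    "/users/{id}": {
      get: {
        parameters: [{ name: "id", in: "path", required: true, schema: {} }],
        responses: {
          200: { description: "A user object.", content: { "application/json": {
            schema: { type: "object", properties: { name: { type: "string" }, meta: {} } } } } },
          404: { description: "User not found.", content: { "application/json": { schema: {} } } },
        },
      },
    },
  },
};

for (const pointer of findEmptySchemas(sampleDoc)) console.log("empty schema:", pointer);
```

`additionalProperties: false` is a boolean rather than an object, so it is never reported; `additionalProperties: {}` is, because it allows extra properties of any type.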
