Ensure The Schema Object defined and not empty to avoid accepting any JSON values

Ensure that every Schema Object in the OpenAPI document is defined and not empty. An empty schema object {} accepts any JSON value, which may not be desirable if you want to restrict the possible values or validate them against some criteria. Defining the properties and types of the expected data helps both humans and computers to understand the format and structure of the input and output data.

Suggest Edits

Risk Level: medium
Platform: OpenAPI
Spectral Rule ID: OPENAPI016

REMEDIATION

Add or modify the Schema Object for each input or output data type. For example,

# in OpenAPI 3.0:
paths:
    /users/{id}:
      get:
        parameters:
          - name: id
            in: path
            required: true
            schema:
              type: string # define the schema of the path parameter here
        responses:
          '200':
            description: A user object.
            content:
              application/json:
                schema:
                  type: object # define the schema of the response body here
+                 properties:
+                   name:
+                     type: string
+                   age:
+                     type: integer
+                   email:
+                     type: string
+                     format: email
+                 additionalProperties: false
          '404':
            description: User not found.
            content:
              application/json:
                schema:
                  type: object # define the schema of the response body here
+                 properties:
+                   message:
+                     type: string # for example, the response body may contain an error message as a string property

# In OpenAPI 2.0, use `type` instead of `schema` for simple parameters, and use `definitions` to reference complex schemas. For example:

paths:
    /users/{id}:
      get:
        parameters:
          - name: id
            in: path
            required: true
            type: string # define the type of the path parameter here
        responses:
          '200':
            description: A user object.
            schema:
              $ref: '#/definitions/User' # reference the schema of the response body here
          '404':
            description: User not found.
            schema:
              $ref: '#/definitions/Error' # reference the schema of the response body here

definitions:
  User:
    type: object # define the schema of the user object here
+   properties:
+     name:
+       type: string
+     age:
+       type: integer
+     email:
+       type: string
+       format: email
+   additionalProperties: false

  Error:
    type: object # define the schema of the error object here
+   properties:
+     message:
+       type: string # for example, the error object may contain a message as a string property

Updated about 1 year ago

REMEDIATION

Read more: