Ensure security object for operations is not empty object or has any empty object definition
Ensure that the security object for operations in the OpenAPI document is not an empty object or has any empty object definition. An empty object or an empty object definition implies that there are no security requirements for the operation, which may not be true or intended. It may also cause errors or inconsistencies when validating or processing the OpenAPI document. The security object for operations specifies the security or authorization protocol used when submitting requests to a specific operation. The security object for operations is an array of one or more security requirement objects. Each security requirement object contains one or more key-value pairs, where the key is the name of a security scheme defined in the components/securitySchemes section, and the value is an array of scope names required for the execution (for OAuth 2 and OpenID Connect only).
Risk Level: high
Platform: OpenAPI
Spectral Rule ID: OPENAPI018
REMEDIATION
Remove any empty objects or empty object definitions from the security object for operations. Add at least one security requirement object in the security object for operations, and make sure that each security requirement object has a valid key-value pair that references a defined security scheme. For example:
# This is a sample OpenAPI document with an invalid security object for operations
openapi: 3.0.0
info:
title: Sample API
version: 1.0.0
servers:
- url: https://api.example.com/v1
# Remove any empty objects or empty object definitions from the security object for operations
paths:
/pets:
get:
summary: List all pets
- security: {} # This is an empty object definition
# OR
security:
- - {} # This is an empty object
- app_id: [] # This is a valid security requirement object
.
.
.
responses:
'200':
description: A list of pets
content:
application/json:
schema:
type: array
items:
$ref: '#/components/schemas/Pet'
components:
schemas:
Pet:
type: object
required:
- id
- name
properties:
id:
type: integer
format: int64
name:
type: string
tag:
type: string
Read more:
Updated over 1 year ago