
bug(openapi): false positive for query "Header Object Without Schema" on referenced header objects #7301


Open
cureaid opened this issue Dec 5, 2024 · 1 comment
Labels
bug Something isn't working community Community contribution docker Docker query openapi OpenAPI query query New query feature

Comments


cureaid commented Dec 5, 2024

Expected Behavior

The "Header Object Without Schema" query should not generate a vulnerability if the header object has a schema and is referenced.

Actual Behavior

The "Header Object Without Schema" (50de3b5b-6465-4e06-a9b0-b4c2ba34326b) query generates a medium-level vulnerability.

Steps to Reproduce the Problem

The following openapi.yaml makes KICS find a "Header Object Without Schema" (50de3b5b-6465-4e06-a9b0-b4c2ba34326b) vulnerability:

openapi: "3.0.3"

info:
  title: Reproduce "Header Object Without Schema"
  version: 1.0.0

servers:
  - url: https://example.com/

security:
  - bearerAuth: []

paths:
  /test:
    get:
      responses:
        '200':
          description: Test
          headers:
            X-Test: { $ref: "#/components/headers/X-Test" }
          content:
            application/json:
              schema:
                type: string
                pattern: '^test$'

components:
  headers:
    X-Test:
      schema:
        type: string
        pattern: '^test$'

  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

The following openapi.yaml does not make KICS find a "Header Object Without Schema" (50de3b5b-6465-4e06-a9b0-b4c2ba34326b) vulnerability:

openapi: "3.0.3"

info:
  title: Reproduce "Header Object Without Schema"
  version: 1.0.0

servers:
  - url: https://example.com/

security:
  - bearerAuth: []

paths:
  /test:
    get:
      responses:
        '200':
          description: Test
          headers:
            X-Test:
              schema:
                type: string
                pattern: '^test$'
          content:
            application/json:
              schema:
                type: string
                pattern: '^test$'

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer

Specifications

  • Version: checkmarx/kics:v2.1.3@sha256:8b191adbd156038cfbc163fd1ab1b210c839bd9e065777287eadc8d267a60b9d
  • Platform: Docker
  • Subsystem: openapi
@cureaid cureaid added bug Something isn't working community Community contribution labels Dec 5, 2024
@github-actions github-actions bot added query New query feature docker Docker query openapi OpenAPI query labels Dec 5, 2024

cureaid commented Dec 6, 2024

Similar behavior appears with rule a92be1d5-d762-484a-86d6-8cd0907ba100 (Response on operations that should have a body has undefined schema (v3)). The content schema of the referenced response object is defined but KICS still shows an error.
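As an added example (not KICS's own Rego query), this is a $ref-aware Python version of the two checks discussed in this issue, run over the issue's two openapi.yaml documents embedded as dicts, plus a constructed document whose referenced header really lacks a schema. The scope of `responses_without_body_schema` (flag media types with no `schema`) is an assumption simplified from the query's description.

```python
import copy

METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

def resolve(doc, node):
    """Follow local '#/...' $ref chains; return None for external, cyclic or dangling refs."""
    seen = set()
    while isinstance(node, dict) and "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/") or ref in seen:
            return None
        seen.add(ref)
        node = doc
        for part in ref[2:].split("/"):
            part = part.replace("~1", "/").replace("~0", "~")  # JSON Pointer unescaping
            node = node.get(part) if isinstance(node, dict) else None
    return node

def iter_responses(doc):
    """Yield (location, resolved response object) for every operation response."""
    for path, item in doc.get("paths", {}).items():
        for method in METHODS & set(item):
            for status, resp in item[method].get("responses", {}).items():
                yield f"{path}.{method}.{status}", resolve(doc, resp) or {}

def headers_without_schema(doc):
    """Query 50de3b5b: header objects that lack 'schema' once $ref is resolved."""
    return [f"{loc}.{name}" for loc, resp in iter_responses(doc)
            for name, hdr in resp.get("headers", {}).items()
            if not isinstance(h := resolve(doc, hdr), dict) or "schema" not in h]

def responses_without_body_schema(doc):
    """Query a92be1d5 (simplified): response media types lacking 'schema' after $ref resolution."""
    return [f"{loc}.{mt}" for loc, resp in iter_responses(doc)
            for mt, media in resp.get("content", {}).items()
            if not isinstance(m := resolve(doc, media), dict) or "schema" not in m]

# Constructed from the issue's first openapi.yaml (header defined via $ref).
REFERENCED = {
    "openapi": "3.0.3",
    "paths": {"/test": {"get": {"responses": {"200": {
        "description": "Test",
        "headers": {"X-Test": {"$ref": "#/components/headers/X-Test"}},
        "content": {"application/json": {"schema": {"type": "string", "pattern": "^test$"}}},
    }}}}},
    "components": {"headers": {"X-Test": {"schema": {"type": "string", "pattern": "^test$"}}}},
}
INLINE = copy.deepcopy(REFERENCED)  # the issue's second file: header schema inline
INLINE["paths"]["/test"]["get"]["responses"]["200"]["headers"]["X-Test"] = {"schema": {"type": "string"}}
BROKEN = copy.deepcopy(REFERENCED)  # constructed true positive: referenced header has no schema
BROKEN["components"]["headers"]["X-Test"] = {"description": "no schema here"}
```

Both issue documents yield no findings, while the constructed `BROKEN` document is still reported, which is the behaviour the issue asks the query to have.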
