Change oneOf to anyOf schema in owasp:api4:2019-string-restricted and owasp:api4:2019-string-limit (stoplightio#43)

* Change `oneOf` to `anyOf` schema in owasp:api4:2019-string-restricted

The use of `oneOf` means that _only_ one of the schema constraints may be true,
but it is valid if two or more of the string schema constraint keywords
are present: `format`, `pattern`, `enum`, `const`.

* Change `oneOf` to `anyOf` schema in owasp:api4:2019-string-limit

Similar as with `2019-string-restricted`: the schema check should be
`anyOf` instead of `oneOf` in case a schema has more than one of the
keywords.

Author: DavidBiesack

__tests__/owasp-api4-2019-string-limit.test.ts

@@ -51,7 +51,6 @@ testRule("owasp:api4:2019-string-limit", [
     errors: [],
   },
 
-
   {
     name: "valid case: oas3.0",
     document: {
@@ -61,7 +60,24 @@ testRule("owasp:api4:2019-string-limit", [
         schemas: {
           Foo: {
             type: "string",
-            enum: [ "a", "b", "c" ]
+            enum: ["a", "b", "c"],
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
+  {
+    name: "valid case: oas3.1",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      components: {
+        schemas: {
+          Foo: {
+            type: "string",
+            const: "constant",
           },
         },
       },
@@ -78,7 +94,26 @@ testRule("owasp:api4:2019-string-limit", [
         schemas: {
           Foo: {
             type: "string",
-            const: "constant"
+            const: "constant",
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
+  {
+    name: "valid case: pattern and maxLength, oas3.1",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      components: {
+        schemas: {
+          Foo: {
+            type: "string",
+            format: "hex",
+            pattern: "^[0-9a-fA-F]+$",
+            maxLength: 16
           },
         },
       },
@@ -99,7 +134,8 @@ testRule("owasp:api4:2019-string-limit", [
     },
     errors: [
       {
-        message: "Schema of type string must specify maxLength, enum, or const.",
+        message:
+          "Schema of type string must specify maxLength, enum, or const.",
         path: ["definitions", "Foo"],
         severity: DiagnosticSeverity.Error,
       },
@@ -121,7 +157,8 @@ testRule("owasp:api4:2019-string-limit", [
     },
     errors: [
       {
-        message: "Schema of type string must specify maxLength, enum, or const.",
+        message:
+          "Schema of type string must specify maxLength, enum, or const.",
         path: ["components", "schemas", "Foo"],
         severity: DiagnosticSeverity.Error,
       },
@@ -142,7 +179,8 @@ testRule("owasp:api4:2019-string-limit", [
     },
     errors: [
       {
-        message: "Schema of type string must specify maxLength, enum, or const.",
+        message:
+          "Schema of type string must specify maxLength, enum, or const.",
         path: ["components", "schemas", "Foo"],
         severity: DiagnosticSeverity.Error,
       },

__tests__/owasp-api4-2019-string-restricted.test.ts

@@ -50,7 +50,7 @@ testRule("owasp:api4:2019-string-restricted", [
   },
 
   {
-    name: "valid case: format (oas3)",
+    name: "valid case: pattern (oas3)",
     document: {
       openapi: "3.0.0",
       info: { version: "1.0" },
@@ -117,6 +117,25 @@ testRule("owasp:api4:2019-string-restricted", [
     errors: [],
   },
 
+  {
+    name: "valid case: format + pattern (oas3.1)",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      components: {
+        schemas: {
+          foo: {
+            type: "string",
+            format: "hex",
+            pattern: "^[0-9a-fA-F]+$",
+            maxLength: 16
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
   {
     name: "valid case: const (oas3.1)",
     document: {

src/ruleset.ts

@@ -529,7 +529,7 @@ export default {
         functionOptions: {
           schema: {
             type: "object",
-            oneOf: [
+            anyOf: [
               {
                 required: ["maxLength"],
               },
@@ -551,15 +551,15 @@ export default {
     "owasp:api4:2019-string-restricted": {
       message: "Schema of type string must specify a format, pattern, enum, or const.",
       description:
-        "To avoid unexpected values being sent or leaked, ensure that strings have either a format or a RegEx pattern. This can be done using `format`, `pattern`, `enum` or `const`.",
+        "To avoid unexpected values being sent or leaked, ensure that strings have either a `format`, RegEx `pattern`, `enum`, or `const`.",
       severity: DiagnosticSeverity.Error,
       given: "#StringProperties",
       then: {
         function: schema,
         functionOptions: {
           schema: {
             type: "object",
-            oneOf: [
+            anyOf: [
               {
                 required: ["format"],
               },