Fixes stoplightio#49 by adding rules for JSON Schema unevaluatedPrope…

…rties keyword
DavidBiesack · Aug 17, 2023 · fc53df0 · fc53df0
1 parent 343043b
commit fc53df0
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/src/ruleset.ts b/src/ruleset.ts
@@ -691,6 +691,27 @@ export default {
       ],
     },
 
+    /**
+     * @author: David Biesack <https://github.com/davidbiesack>,
+     * derived from owasp:api6:2019-no-additionalProperties
+     * @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
+     */
+    "owasp:api6:2019-no-unevaluatedProperties": {
+      message:
+        "If the unevaluatedProperties keyword is used it must be set to false.",
+      description:
+        "By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `unevaluatedProperties: false` or add `maxProperties`.",
+      severity: DiagnosticSeverity.Warning,
+      formats: [oas3],
+      given: '$..[?(@ && @.type=="object" && @.unevaluatedProperties)]',
+      then: [
+        {
+          field: "unevaluatedProperties",
+          function: falsy,
+        },
+      ],
+    },
+
     /**
      * @author: Roberto Polli <https://github.com/ioggstream>
      * @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
@@ -711,6 +732,27 @@ export default {
       ],
     },
 
+    /**
+     * @author: David Biesack <https://github.com/davidbiesack>,
+     * derived from owasp:api6:2019-constrained-additionalProperties
+     * @see: https://github.com/italia/api-oas-checker/blob/master/security/objects.yml
+     */
+    "owasp:api6:2019-constrained-unevaluatedProperties": {
+      message: "Objects should not allow unconstrained unevaluatedProperties.",
+      description:
+        "By default JSON Schema allows unevaluated properties, which can potentially lead to mass assignment issues, where unspecified fields are passed to the API without validation. Disable them with `unevaluatedProperties: false` or add `maxProperties`",
+      severity: DiagnosticSeverity.Warning,
+      formats: [oas3],
+      given:
+        '$..[?(@ && @.type=="object" && @.unevaluatedProperties &&  @.unevaluatedProperties!=true &&  @.unevaluatedProperties!=false )]',
+      then: [
+        {
+          field: "maxProperties",
+          function: defined,
+        },
+      ],
+    },
+
     /**
      * API7:2019 — Security misconfiguration
      *