From 813478db6c7fbc5fb7a05b9932b50aa082e076c1 Mon Sep 17 00:00:00 2001 From: kicsbot <76819998+kicsbot@users.noreply.github.com> Date: Wed, 21 Apr 2021 13:24:48 +0300 Subject: [PATCH] [kicsbot] Update queries catalog (#2935) Co-authored-by: rogeriopeixotocx --- docs/queries/all-queries.md | 9 +++++++++ docs/queries/openapi-queries.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/docs/queries/all-queries.md b/docs/queries/all-queries.md index 9b7d9a8f93a..f61f96c5f9d 100644 --- a/docs/queries/all-queries.md +++ b/docs/queries/all-queries.md @@ -894,10 +894,15 @@ This page contains all queries. |Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|OpenAPI|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| |Global security field has an empty object
543e38f4-1eee-479e-8eb0-15257013aa0a|OpenAPI|High|Access Control|Global security definition must not have empty objects|Documentation
| |No Global And Operation Security Defined
96729c6b-7400-4d9e-9807-17f00cdde4d2|OpenAPI|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|Implicit Flow in OAuth2
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|OpenAPI|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| |Invalid OAuth2 Authorization URL
52c0d841-60d6-4a81-88dd-c35fef36d315|OpenAPI|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| |Invalid OAuth2 Token URL
3ba0cca1-b815-47bf-ac62-1e584eb64a05|OpenAPI|Medium|Access Control| OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| |Path Server Object Uses HTTP
9670f240-7b4d-4955-bd93-edaa9fa38b58|OpenAPI|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|OpenAPI|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| +|Success Response Code Defined for Patch Operation
1908a8ee-927d-4166-8f18-241152170cc1|OpenAPI|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Defined for Put Operation
60b5f56b-66ff-4e1c-9b62-5753e16825bc|OpenAPI|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Defined for Delete Operation
3b497874-ae59-46dd-8d72-1868a3b8f150|OpenAPI|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Defined for Post Operation
f368dd2d-9344-4146-a05b-7c6faa1269ad|OpenAPI|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| |Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|OpenAPI|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| |Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|OpenAPI|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| |Invalid Contact Email
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|OpenAPI|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| @@ -908,10 +913,14 @@ This page contains all queries. |Response Object With Incorrect Ref
b3871dd8-9333-4d6c-bd52-67eb898b71ab|OpenAPI|Info|Structure and Semantics|Response Object reference must always point to '#components/responses'|Documentation
| |Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|OpenAPI|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| |Path Parameter Not Required
0de50145-e845-47f4-9a15-23bcf2125710|OpenAPI|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|OpenAPI|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|OpenAPI|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| |Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|OpenAPI|Info|Structure and Semantics|Request Body reference must always point to '#components/RequestBodies'|Documentation
| |Schema Discriminator Not Required
b481d46c-9c61-480f-86d9-af07146dc4a4|OpenAPI|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| |Responses With Wrong HTTP Status Code
d86655c0-92f6-4ffc-b4d5-5b5775804c27|OpenAPI|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| |Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| +|Parameter Objects Headers With Duplicated Name
05505192-ba2c-4a81-9b25-dcdbcc973746|OpenAPI|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| |Paths Object is Empty
815021c8-a50c-46d9-b192-24f71072c400|OpenAPI|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| |Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|OpenAPI|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| |Parameter Object With Incorrect Ref
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|OpenAPI|Info|Structure and Semantics|Parameter Object reference must always point to '#components/parameters'|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|OpenAPI|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
| diff --git a/docs/queries/openapi-queries.md b/docs/queries/openapi-queries.md index e3cc2958468..5103c4710f4 100644 --- a/docs/queries/openapi-queries.md +++ b/docs/queries/openapi-queries.md @@ -10,10 +10,15 @@ This page contains all queries from OpenAPI. |Field 'securityScheme' On Components Is Undefined
8db5544e-4874-4baa-9322-e9f75a2d219e|High|Access Control|Components' securityScheme field must have a valid scheme|Documentation
| |Global security field has an empty object
543e38f4-1eee-479e-8eb0-15257013aa0a|High|Access Control|Global security definition must not have empty objects|Documentation
| |No Global And Operation Security Defined
96729c6b-7400-4d9e-9807-17f00cdde4d2|High|Access Control|All paths should have security scheme, if it is omitted, global security field should be defined|Documentation
| +|Implicit Flow in OAuth2
4a1f3d75-ab73-41b2-83e7-06a93dc3a75a|Medium|Access Control|There is a 'securityScheme' using implicit flow on OAuth2, which is deprecated|Documentation
| |Invalid OAuth2 Authorization URL
52c0d841-60d6-4a81-88dd-c35fef36d315|Medium|Access Control|The field authorizationUrl on implicit or authorizationCode fields from OAuth must be a valid URL|Documentation
| |Invalid OAuth2 Token URL
3ba0cca1-b815-47bf-ac62-1e584eb64a05|Medium|Access Control| OAuth2 security scheme flow requires a valid URL in the tokenUrl field|Documentation
| |Path Server Object Uses HTTP
9670f240-7b4d-4955-bd93-edaa9fa38b58|Medium|Encryption|The property 'url' in the Path Server Object should only allow 'HTTPS' protocols to ensure an encrypted connection|Documentation
| |Global Server Object Uses HTTP
2d8c175a-6d90-412b-8b0e-e034ea49a1fe|Medium|Encryption|Global server object URL should use 'https' protocol instead of 'http'|Documentation
| +|Success Response Code Defined for Patch Operation
1908a8ee-927d-4166-8f18-241152170cc1|Medium|Networking and Firewall|Patch should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Defined for Put Operation
60b5f56b-66ff-4e1c-9b62-5753e16825bc|Medium|Networking and Firewall|Put should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Defined for Delete Operation
3b497874-ae59-46dd-8d72-1868a3b8f150|Medium|Networking and Firewall|Delete should define at least one success response (200, 201, 202 or 204)|Documentation
| +|Success Response Code Defined for Post Operation
f368dd2d-9344-4146-a05b-7c6faa1269ad|Medium|Networking and Firewall|Post should define at least one success response (200, 201, 202 or 204)|Documentation
| |Undefined Scope 'securityScheme' On Global 'security' Field
23a9e2d9-8738-4556-a71c-2802b6ffa022|Low|Access Control|Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| |Undefined Scope 'securityScheme' On 'security' Field On Operations
462d6a1d-fed9-4d75-bb9e-3de902f35e6e|Low|Access Control|Using an scope on security of operations that is undefined on 'securityScheme' can be defined by an attacker|Documentation
| |Invalid Contact Email
b1a7fcb0-2afe-4d5c-a6a1-4e6311fc29e7|Info|Best Practices|Contact Object Email should be a valid email|Documentation
| @@ -24,10 +29,14 @@ This page contains all queries from OpenAPI. |Response Object With Incorrect Ref
b3871dd8-9333-4d6c-bd52-67eb898b71ab|Info|Structure and Semantics|Response Object reference must always point to '#components/responses'|Documentation
| |Servers Array Undefined
c66ebeaa-676c-40dc-a3ff-3e49395dcd5e|Info|Structure and Semantics|The Servers array should have at least one server defined. If not, the default value would be a Server Object with a URL value of '/'.|Documentation
| |Path Parameter Not Required
0de50145-e845-47f4-9a15-23bcf2125710|Info|Structure and Semantics|The property 'required' determines whether the parameter is mandatory. If the parameter location is 'path', this property is required and its value must be true.|Documentation
| +|Server URL Not Absolute
a0bf7382-5d5a-4224-924c-3db8466026c9|Info|Structure and Semantics|The Server URL should be an absolute URL|Documentation
| +|Invalid Content Type For Multiple Files Upload
26f06397-36d8-4ce7-b993-17711261d777|Info|Structure and Semantics|Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)|Documentation
| |Request Body With Incorrect Ref
0f6cd0ab-c366-4595-84fc-fbd8b9901e4d|Info|Structure and Semantics|Request Body reference must always point to '#components/RequestBodies'|Documentation
| |Schema Discriminator Not Required
b481d46c-9c61-480f-86d9-af07146dc4a4|Info|Structure and Semantics|The discriminator property in the Schema Object should be a required property|Documentation
| |Responses With Wrong HTTP Status Code
d86655c0-92f6-4ffc-b4d5-5b5775804c27|Info|Structure and Semantics|HTTP Responses status code should be in range of [200-599]|Documentation
| |Parameter Object With Schema And Content
31dd6fc0-f274-493b-9614-e063086c19fc|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property, but not both since they are mutually exclusive|Documentation
| +|Parameter Objects Headers With Duplicated Name
05505192-ba2c-4a81-9b25-dcdbcc973746|Info|Structure and Semantics|Parameter Objects should not have duplicate names for 'header' location, since HTTP headers are not case sensitive.|Documentation
| |Paths Object is Empty
815021c8-a50c-46d9-b192-24f71072c400|Info|Structure and Semantics|Paths object may be empty due to ACL constraints, meaning they are not exposed|Documentation
| |Parameter Object With Undefined Type
46facedc-f243-4108-ab33-583b807d50b0|Info|Structure and Semantics|A Parameter Object must contain either a 'schema' property, or a 'content' property|Documentation
| |Parameter Object With Incorrect Ref
d40f27e6-15fb-4b56-90f8-fc0ff0291c51|Info|Structure and Semantics|Parameter Object reference must always point to '#components/parameters'|Documentation
| +|Link Object OperationId Does Not Target Operation Object
c5bb7461-aa57-470b-a714-3bc3d74f4669|Info|Structure and Semantics|Link object 'OperationId' should target an existing operation object in the OpenAPI definition|Documentation
|
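Review bot: the category on the four rows added in the first hunk of docs/queries/all-queries.md (Success Response Code Defined for Patch/Put/Delete/Post Operation, ids 1908a8ee-927d-4166-8f18-241152170cc1, 60b5f56b-66ff-4e1c-9b62-5753e16825bc, 3b497874-ae59-46dd-8d72-1868a3b8f150, f368dd2d-9344-4146-a05b-7c6faa1269ad) is 'Networking and Firewall', but the description "Patch should define at least one success response (200, 201, 202 or 204)" is a check on the completeness of the responses object with no networking or firewall aspect; the neighbouring response check 'Responses With Wrong HTTP Status Code' sits under 'Structure and Semantics', so that category (or 'Best Practices') fits better, and the same change is needed in the matching hunk of docs/queries/openapi-queries.md so the two generated catalogs stay identical. The names also describe the compliant state rather than the finding, unlike every other row in these hunks ('Invalid OAuth2 Token URL', 'Server URL Not Absolute', 'Link Object OperationId Does Not Target Operation Object'); 'Success Response Code Undefined for Patch Operation' would read as a finding like the rest of the table.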
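Review bot: the description of 'Parameter Objects Headers With Duplicated Name' (05505192-ba2c-4a81-9b25-dcdbcc973746), added in the second hunk of docs/queries/all-queries.md and repeated in docs/queries/openapi-queries.md, justifies the rule with "since HTTP headers are not case sensitive."; the check compares parameter names, and it is header field names that are case-insensitive, so "since HTTP header names are case-insensitive" states the reason precisely. It is also the only added row in these hunks whose description ends with a period (compare "The Server URL should be an absolute URL" and "Content Type should be set to 'multipart/form-data' in case of uploading an arbitrary number of files (array)"), so drop the trailing period for consistency in both files.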