According to the OpenAPI spec the components field isn't required:
The OpenAPI document MUST contain at least one paths field, a components field or a webhooks field.
So, for clarity, this spec requires you have at least one of the following properties: paths, components or webhooks. You don't have to have all three. You could just have paths, or just have components, or just have webhooks, or any combination of the three.
There are several OWASP rules that assume a components property exists without checking first, which is problematic as we've established it's optional in the specification as long as you have at least a paths or webhooks property instead. For example in auth_insecure_schemes.go:
vacuum/functions/owasp/auth_insecure_schemes.go, line 31 in 3330e3a
If you try to generate a spectral report for a spec with no components property you'll get a panic due to a nil pointer dereference:

You might get a panic in a different rule for the same reason - they're all run in different goroutines. The affected rules afaik are:
AuthInsecureSchemes
JWTBestPractice
NoApiKeyInUrl
NoBasicAuth
NoApiKeyInUrl
I'll try and get a patch PR out for this this afternoon/tomorrow morning (GMT).
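Added example (not vacuum's or libopenapi's code): a Go sketch of the nil guard the issue asks for. The Document, Components and SecurityScheme types are constructed stand-ins, since the real model is not on the page; the point is that a paths-only or webhooks-only document leaves Components nil, and a rule must treat that as "nothing to lint" rather than dereference it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins for an OpenAPI document (hypothetical, not the
// project's real types). Per the spec, paths, components and webhooks are
// each optional as long as at least one is present, so Components may be nil.
type SecurityScheme struct {
	Type   string // "http", "apiKey", ...
	Scheme string // for type http: "basic", "bearer", ...
	In     string // for type apiKey: "header", "query", "cookie"
}

type Components struct {
	SecuritySchemes map[string]*SecurityScheme
}

type Document struct {
	Paths      map[string]struct{}
	Components *Components
	Webhooks   map[string]struct{}
}

// insecureSchemes lists security schemes an OWASP-style rule would flag
// (HTTP basic auth, API key carried in the URL query). The guard at the top
// is the fix: a missing components block is valid and yields no findings.
func insecureSchemes(doc *Document) []string {
	if doc == nil || doc.Components == nil || doc.Components.SecuritySchemes == nil {
		return nil // nothing to lint, and nothing to dereference
	}
	var findings []string
	for name, s := range doc.Components.SecuritySchemes {
		if s == nil {
			continue
		}
		switch {
		case s.Type == "http" && strings.EqualFold(s.Scheme, "basic"):
			findings = append(findings, name+": HTTP basic auth")
		case s.Type == "apiKey" && strings.EqualFold(s.In, "query"):
			findings = append(findings, name+": API key in URL query")
		}
	}
	sort.Strings(findings) // map order is random; make output stable
	return findings
}

func main() {
	pathsOnly := &Document{Paths: map[string]struct{}{"/pets": {}}} // no components
	fmt.Println("findings for paths-only document:", insecureSchemes(pathsOnly))
}
```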