feat: 500 messages now require content too

stoplightio · Dec 31, 2022 · edb735b · edb735b
1 parent 2791084
commit edb735b
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 2 deletions.
diff --git a/__tests__/owasp-api3-2019-define-error-responses-500.test.ts b/__tests__/owasp-api3-2019-define-error-responses-500.test.ts
@@ -0,0 +1,85 @@
+import { DiagnosticSeverity } from "@stoplight/types";
+import testRule from "./__helpers__/helper";
+
+testRule("owasp:api3:2019-define-error-responses-500", [
+  {
+    name: "valid: defines a 500 response with content",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "500": {
+                description: "ok",
+                content: {
+                  "application/problem+json": {},
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [],
+  },
+
+  {
+    name: "invalid: 500 is not defined at all",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "200": {
+                description: "ok",
+                content: {
+                  "application/json": {},
+                },
+              },
+            },
+          },
+        },
+      },
+    },
+    errors: [
+      {
+        message: "Operation is missing responses[500].",
+        path: ["paths", "/", "get", "responses"],
+        severity: DiagnosticSeverity.Warning,
+      },
+      {
+        message: "Operation is missing responses[500].content.",
+        path: ["paths", "/", "get", "responses"],
+        severity: DiagnosticSeverity.Warning,
+      },
+    ],
+  },
+
+  {
+    name: "invalid: 500 exists but content is missing",
+    document: {
+      openapi: "3.1.0",
+      info: { version: "1.0" },
+      paths: {
+        "/": {
+          get: {
+            responses: {
+              "500": {},
+            },
+          },
+        },
+      },
+    },
+    errors: [
+      {
+        message: "Operation is missing [500].content.",
+        path: ["paths", "/", "get", "responses", "500"],
+        severity: DiagnosticSeverity.Warning,
+      },
+    ],
+  },
+]);
diff --git a/src/ruleset.ts b/src/ruleset.ts
@@ -392,15 +392,20 @@ export default {
      * @author: Jason Harmon <https://github.com/jharmn>
      */
     "owasp:api3:2019-define-error-responses-500": {
-      message: "{{description}}. Missing {{property}}",
-      description: "500 response should be defined.",
+      message: "Operation is missing {{property}}.",
+      description:
+        "OWASP API Security recommends defining schemas for all responses, even errors. The 500 describes what happens when a request fails with an internal server error, so its important to define this not just for documentation, but to empower contract testing to make sure the proper JSON structure is being returned instead of leaking implementation details in backtraces.",
       severity: DiagnosticSeverity.Warning,
       given: "$.paths..responses",
       then: [
         {
           field: "500",
           function: truthy,
         },
+        {
+          field: "500.content",
+          function: truthy,
+        },
       ],
     },