Updated the ruleset for OWASP API Security 2023 edition.
1 parent 2e73f8c, commit 6b0b9e4
Showing 37 changed files with 4,811 additions and 1,922 deletions.
@@ -1,2 +1,3 @@ | ||
node_modules/ | ||
dist/ | ||
.tool-versions |
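Review bot: ignoring `.tool-versions` hides the toolchain pin from other contributors and from CI, so different checkouts may build and test with different Node versions; since the file records only tool versions and nothing sensitive, consider committing it instead, or at least stating the required Node version in the README.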
@@ -0,0 +1,50 @@ | ||
# Changelog | ||
|
||
All notable changes to this project will be documented in this file. | ||
|
||
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), | ||
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). | ||
|
||
## [2.0.0] - 2024-01-23 | ||
|
||
### Added | ||
|
||
- Added `owasp:api2:2023-short-lived-access-tokens` to error on OAuth 2.x flows which do not use a refresh token. | ||
- Added `owasp:api3:2023-no-unevaluatedProperties` (format `oas3_1` only.) | ||
- Added `owasp:api3:2023-constrained-unevaluatedProperties` (format `oas3_1` only.) | ||
- Added `owasp:api5:2023-admin-security-unique`. | ||
- Added `owasp:api7:2023-concerning-url-parameter` to keep an eye out for URLs being passed as parameters and warn about server-side request forgery. | ||
- Added `owasp:api8:2023-no-server-http` which supports `servers` having a `url` which is a relative path. | ||
- Added `owasp:api9:2023-inventory-access` to indicate intended audience of every server | ||
- Added `owasp:api9:2023-inventory-environment` to declare intended environment for every server | ||
|
||
### Changed | ||
|
||
- Deleted `owasp:api2:2023-protection-global-unsafe` as it allowed for unprotected POST, PATCH, PUT, DELETE and that's always going to be an issue. Use the new `owasp:api2:2023-write-restricted` rule which does not allow these operations to ever disable security, or use [Spectral overrides](https://docs.stoplight.io/docs/spectral/e5b9616d6d50c-rulesets) if you have an edge case. | ||
- Renamed `owasp:api2:2019-protection-global-unsafe-strict` to `owasp:api2:2023-write-restricted`. | ||
- Renamed `owasp:api2:2019-protection-global-safe` to `owasp:api2:2023-read-restricted` and increased severity from `info` to `warn`. | ||
- Renamed `owasp:api2:2019-auth-insecure-schemes` to `owasp:api2:2023-auth-insecure-schemes`. | ||
- Renamed `owasp:api2:2019-jwt-best-practices` to `owasp:api2:2023-jwt-best-practices`. | ||
- Renamed `owasp:api2:2019-no-api-keys-in-url` to `owasp:api2:2023-no-api-keys-in-url`. | ||
- Renamed `owasp:api2:2019-no-credentials-in-url` to `owasp:api2:2023-no-credentials-in-url`. | ||
- Renamed `owasp:api2:2019-no-http-basic` to `owasp:api2:2023-no-http-basic`. | ||
- Renamed `owasp:api3:2019-define-error-validation` to `owasp:api8:2023-define-error-validation`. | ||
- Renamed `owasp:api3:2019-define-error-responses-401` to `owasp:api8:2023-define-error-responses-401`. | ||
- Renamed `owasp:api3:2019-define-error-responses-500` to `owasp:api8:2023-define-error-responses-500`. | ||
- Renamed `owasp:api4:2019-rate-limit` to `owasp:api4:2023-rate-limit`. | ||
- Renamed `owasp:api4:2019-rate-limit-retry-after` to `owasp:api4:2023-rate-limit-retry-after`. | ||
- Renamed `owasp:api4:2019-rate-limit-responses-429` to `owasp:api4:2023-rate-limit-responses-429`. | ||
- Renamed `owasp:api4:2019-array-limit` to `owasp:api4:2023-array-limit`. | ||
- Renamed `owasp:api4:2019-string-limit` to `owasp:api4:2023-string-limit`. | ||
- Renamed `owasp:api4:2019-string-restricted` to `owasp:api4:2023-string-restricted` and downgraded from `error` to `warn`. | ||
- Renamed `owasp:api4:2019-integer-limit` to `owasp:api4:2023-integer-limit`. | ||
- Renamed `owasp:api4:2019-integer-limit-legacy` to `owasp:api4:2023-integer-limit-legacy`. | ||
- Renamed `owasp:api4:2019-integer-format` to `owasp:api4:2023-integer-format`. | ||
- Renamed `owasp:api6:2019-no-additionalProperties` to `owasp:api3:2023-no-additionalProperties` and restricted rule to only run the `oas3_0` format. | ||
- Renamed `owasp:api6:2019-constrained-additionalProperties` to `owasp:api3:2023-constrained-additionalProperties` and restricted rule to only run the `oas3_0` format. | ||
- Renamed `owasp:api7:2023-security-hosts-https-oas2` to `owasp:api8:2023-no-scheme-http`. | ||
- Renamed `owasp:api7:2023-security-hosts-https-oas3` to `owasp:api8:2023-no-server-http`. | ||
|
||
### Removed | ||
|
||
- Deleted `owasp:api2:2023-protection-global-unsafe` as it allowed for unprotected POST, PATCH, PUT, DELETE and that's always going to be an issue. Use the new `owasp:api2:2023-write-restricted` rule which does not allow these operations to ever disable security, or use [Spectral overrides](https://docs.stoplight.io/docs/spectral/e5b9616d6d50c-rulesets) if you have an edge case. |
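Review bot: the entry deleting `owasp:api2:2023-protection-global-unsafe` appears twice in this hunk, once under `### Changed` and again under `### Removed`; keep only the `### Removed` copy. The old names in two rename entries also look inconsistent with the rest of the list: `owasp:api7:2023-security-hosts-https-oas2` and `owasp:api7:2023-security-hosts-https-oas3` are given as the names being renamed from, and the deleted rule is named with `2023`, while every other rename starts from a `2019` identifier; please verify the old identifiers so readers migrating from the 2019 ruleset can find them. Minor: the `inventory-access` and `inventory-environment` lines are missing their terminating period.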
...p-api2-2019-auth-insecure-schemes.test.ts → ...p-api2-2023-auth-insecure-schemes.test.ts (2 changes: 1 addition & 1 deletion)
...wasp-api2-2019-jwt-best-practices.test.ts → ...wasp-api2-2023-jwt-best-practices.test.ts (2 changes: 1 addition & 1 deletion)
...p-api2-2019-no-credentials-in-url.test.ts → ...p-api2-2023-no-credentials-in-url.test.ts (2 changes: 1 addition & 1 deletion)
@@ -0,0 +1,71 @@ | ||
import { DiagnosticSeverity } from "@stoplight/types"; | ||
import testRule from "./__helpers__/helper"; | ||
|
||
const authorizationCodeFlow = { | ||
authorizationUrl: "https://example.com/oauth/authorize", | ||
tokenUrl: "https://example.com/oauth/token", | ||
scopes: { | ||
read_scope: "Read access to the protected resource", | ||
write_scope: "Write access to the protected resource", | ||
}, | ||
}; | ||
|
||
const oauth2SchemeWithRefreshUrl = { | ||
type: "oauth2", | ||
flows: { | ||
authorizationCode: { | ||
...authorizationCodeFlow, | ||
refreshUrl: "https://example.com/oauth/refresh", | ||
}, | ||
}, | ||
}; | ||
|
||
const oauth2SchemeWithoutRefreshUrl = { | ||
type: "oauth2", | ||
flows: { | ||
authorizationCode: authorizationCodeFlow, | ||
}, | ||
}; | ||
|
||
testRule("owasp:api2:2023-short-lived-access-tokens", [ | ||
{ | ||
name: "valid case", | ||
document: { | ||
openapi: "3.1.0", | ||
info: { version: "1.0" }, | ||
components: { | ||
securitySchemes: { | ||
oauth2: oauth2SchemeWithRefreshUrl, | ||
}, | ||
}, | ||
}, | ||
errors: [], | ||
}, | ||
|
||
{ | ||
name: "invalid case", | ||
document: { | ||
openapi: "3.1.0", | ||
info: { version: "1.0" }, | ||
components: { | ||
securitySchemes: { | ||
oauth2: oauth2SchemeWithoutRefreshUrl, | ||
}, | ||
}, | ||
}, | ||
errors: [ | ||
{ | ||
message: | ||
"Authentication scheme does not appear to support refresh tokens, meaning access tokens likely do not expire.", | ||
path: [ | ||
"components", | ||
"securitySchemes", | ||
"oauth2", | ||
"flows", | ||
"authorizationCode", | ||
], | ||
severity: DiagnosticSeverity.Error, | ||
}, | ||
], | ||
}, | ||
]); |
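Review bot: both cases exercise only the `authorizationCode` flow, so the rule's behaviour for `clientCredentials`, `password` and especially `implicit` flows is left unspecified; the implicit flow never issues refresh tokens by design, so a dedicated case stating whether the rule should flag it (or skip it) would pin that down. The invalid-case message also overstates what is checked: a missing `refreshUrl` in the description does not show that access tokens never expire, so wording along the lines of "no `refreshUrl` declared; confirm access tokens are short-lived" would be more accurate. Both documents use `openapi: "3.1.0"`; an OpenAPI 3.0 document would confirm the rule is not scoped to 3.1 by accident.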