diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego b/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego
index 049dc1c290a..dd7cb17f9bf 100644
--- a/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/query.rego
@@ -9,7 +9,8 @@ CxPolicy[result] {
 [path, value] := walk(doc)
 content = value.content[mime]
- is_object(content)
+ # Ensure "content" inside "properties" is treated as a field name, not an OpenAPI content spec.
+ not path[count(path) - 1] == "properties"
 not openapi_lib.is_valid_mime(mime)
 result := {
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative3.yaml b/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative3.yaml
index 1d6efb7d67f..0a5e6d1204c 100644
--- a/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative3.yaml
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative3.yaml
@@ -47,8 +47,6 @@ paths:
 properties:
 content:
 type: string
-
-
 responses:
 '201':
 description: Pet added successfully
@@ -68,4 +66,3 @@ paths:
 content:
 application/json:
 example: { "name": "Fido", "species": "dog" }
-
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative5.yaml b/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative5.yaml
new file mode 100644
index 00000000000..a64143bdbc7
--- /dev/null
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative5.yaml
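Review bot: Replacing `is_object(content)` with the path check removes the only type guard on the media-type entry, so `value.content[mime]` now also iterates any array or map named `content` that is not a schema field (for example inside an `example` payload or a vendor extension); for an array, `mime` becomes a numeric index, and if `openapi_lib.is_valid_mime` is undefined for non-strings the `not` succeeds and the entry is reported. Keeping a guard next to the new check avoids that widening: `is_object(value.content)` and `is_string(mime)` before the `is_valid_mime` line. The negated comparison reads more directly as `path[count(path) - 1] != "properties"`. The CxPolicy rule body starts before this hunk and continues past `result := {`.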
@@ -0,0 +1,76 @@
+openapi: 3.0.0
+info:
+ title: Pet Store API
+ version: 1.0.0
+servers:
+ - url: https://api.example.com/v1
+paths:
+ /pets:
+ get:
+ summary: Get a list of pets
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ example: { "pets": ["dog", "cat"] }
+ post:
+ summary: Add a new pet
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: object
+ properties:
+ name:
+ type: string
+ example: "Fido"
+ pattern: "^[A-Za-z]{1,20}$"
+ species:
+ type: string
+ example: "dog"
+ color:
+ type: string
+ enum:
+ - brown
+ - grey
+ - black
+ - white
+ birthDate:
+ type: string
+ format: date
+ weight:
+ type: integer
+ format: int32
+ someSubType:
+ type: 'object'
+ properties:
+ content:
+ type: 'object'
+ properties:
+ content:
+ type: object
+ properties:
+ key1:
+ type: string
+ key2:
+ type: integer
+ responses:
+ '201':
+ description: Pet added successfully
+ /pets/{petId}:
+ get:
+ summary: Get details of a specific pet
+ parameters:
+ - name: petId
+ in: path
+ required: true
+ schema:
+ type: integer
+ format: int64
+ responses:
+ '200':
+ description: Successful response
+ content:
+ application/json:
+ example: { "name": "Fido", "species": "dog" }
diff --git a/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative6.json b/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative6.json
new file mode 100644
index 00000000000..9a9dc9cc1d5
--- /dev/null
+++ b/assets/queries/openAPI/3.0/invalid_media_type_value/test/negative6.json
@@ -0,0 +1,116 @@
+{
+ "openapi": "3.0.0",
+ "info": {
+ "title": "Pet Store API",
+ "version": "1.0.0"
+ },
+ "servers": [
+ {
+ "url": "https://api.example.com/v1"
+ }
+ ],
+ "paths": {
+ "/pets": {
+ "get": {
+ "summary": "Get a list of pets",
+ "responses": {
+ "200": {
+ "description": "Successful response",
+ "content": {
+ "application/json": {
+ "example": { "pets": ["dog", "cat"] }
+ }
+ }
+ }
+ }
+ },
+ "post": {
+ "summary": "Add a new pet",
+ "requestBody": {
+ "content": {
+ "application/json": {
+ "schema": {
+ "type": "object",
+ "properties": {
+ "name": {
+ "type": "string",
+ "example": "Fido",
+ "pattern": "^[A-Za-z]{1,20}$"
+ },
+ "species": {
+ "type": "string",
+ "example": "dog"
+ },
+ "color": {
+ "type": "string",
+ "enum": ["brown", "grey", "black", "white"]
+ },
+ "birthDate": {
+ "type": "string",
+ "format": "date"
+ },
+ "weight": {
+ "type": "integer",
+ "format": "int32"
+ },
+ "someSubType": {
+ "type": "object",
+ "properties": {
+ "content": {
+ "type": "object",
+ "properties": {
+ "content": {
+ "type": "object",
+ "properties": {
+ "key1": {
+ "type": "string"
+ },
+ "key2": {
+ "type": "integer"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "responses": {
+ "201": {
+ "description": "Pet added successfully"
+ }
+ }
+ }
+ },
+ "/pets/{petId}": {
+ "get": {
+ "summary": "Get details of a specific pet",
+ "parameters": [
+ {
+ "name": "petId",
+ "in": "path",
+ "required": true,
+ "schema": {
+ "type": "integer",
+ "format": "int64"
+ }
+ }
+ ],
+ "responses": {
+ "200": {
+ "description": "Successful response",
+ "content": {
+ "application/json": {
+ "example": { "name": "Fido", "species": "dog" }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/go.mod b/go.mod
index 547f145f823..510eddacd07 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/yargevad/filepathx v1.0.0
 github.com/zclconf/go-cty v1.14.4
 golang.org/x/net v0.34.0
- golang.org/x/text v0.21.0
+ golang.org/x/text v0.22.0
 golang.org/x/tools v0.26.0
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.17.1
@@ -210,11 +210,11 @@ require (
 github.com/xlab/treeprint v1.2.0 // indirect
 github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
 github.com/yashtewari/glob-intersection v0.2.0 // indirect
- golang.org/x/crypto v0.32.0 // indirect
- golang.org/x/oauth2 v0.23.0 // indirect
- golang.org/x/sync v0.10.0 // indirect
- golang.org/x/sys v0.29.0 // indirect
- golang.org/x/term v0.28.0 // indirect
+ golang.org/x/crypto v0.35.0 // indirect
+ golang.org/x/oauth2 v0.27.0 // indirect
+ golang.org/x/sync v0.11.0 // indirect
+ golang.org/x/sys v0.30.0 // indirect
+ golang.org/x/term v0.29.0 // indirect
 golang.org/x/time v0.7.0 // indirect
 google.golang.org/grpc v1.68.1 // indirect
 google.golang.org/protobuf v1.35.2 // indirect
diff --git a/go.sum b/go.sum
index a07b088427e..14417330502 100644
--- a/go.sum
+++ b/go.sum
@@ -920,8 +920,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.32.0 h1:euUpcYgM8WcP71gNpTqQCn6rC2t6ULUPiOzfWaXVVfc=
-golang.org/x/crypto v0.32.0/go.mod h1:ZnnJkOaASj8g0AjIduWNlq2NRxL0PlBrbKVyZ6V/Ugc=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1039,8 +1039,8 @@ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri
 golang.org/x/oauth2 v0.0.0-20220909003341-f21342109be1/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20221014153046-6fdb5e3db783/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1055,8 +1055,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220929204114-8fcdb60fdcc0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1127,13 +1127,13 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
-golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1144,8 +1144,8 @@ golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=