Operation objects for PUT, POST, and PATCH operations do not have a 'consumes' field defined
Description
This policy checks whether every PUT, POST and PATCH operation object in a Swagger/OpenAPI 2.0 file declares a 'consumes' field. In Swagger 2.0, 'consumes' lists the MIME types the operation accepts in the request body, so it is the contract that tells clients what to send and lets gateways, validators and generated server stubs reject anything else (typically with 415 Unsupported Media Type). When a write operation omits it, the format of the request body is unspecified: clients may send a representation the handler was never written for, the body may be parsed by whatever decoder matches the client-supplied Content-Type, and request validation that keys off the declared media type cannot run. Declaring 'consumes' on each body-carrying operation removes that ambiguity. Note that the check only applies to 2.0 documents; OpenAPI 3.x removed the 'consumes' keyword and expresses the same information under each operation's requestBody.content.
Code Example
```yaml
paths:
  /users:
    post:
      summary: Creates a new user.
      consumes: # Add this field
        - application/json
      parameters:
        - in: body
          name: user
          description: The user to create.
          schema:
            $ref: '#/definitions/User'
```
Remediation
OpenAPI
To fix this issue, ensure that every PUT, POST and PATCH operation object in your Swagger/OpenAPI 2.0 description has a 'consumes' field listing the MIME types the operation accepts (for example application/json). Keep the list to the formats the handler actually parses rather than a permissive catch-all, since the declaration is what allows unsupported Content-Type values to be rejected before the body is processed.
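The following script is an added example and is not Checkov's own implementation of this check. It walks a Swagger 2.0 document held as a Python dict, reports every PUT/POST/PATCH operation whose operation-level 'consumes' is missing or empty, and then applies the remediation described above by adding a 'consumes' list to each flagged operation. The sample document FAILING_SPEC and the function names find_missing_consumes and add_consumes are constructed for this example; the script only inspects the operation-level field, as the rule text states, and does not model how the scanner treats a root-level 'consumes'.

```python
"""Added example (not Checkov's code): find PUT/POST/PATCH operations in a
Swagger 2.0 document that lack an operation-level 'consumes' list, and add
one to each flagged operation as remediation. The spec below is constructed
inline so the script runs offline."""
import copy
from typing import Any, Dict, List

WRITE_METHODS = ("put", "post", "patch")

# Constructed sample: a Swagger 2.0 document whose write operations omit
# 'consumes'. GET and DELETE carry no body and are not checked.
FAILING_SPEC: Dict[str, Any] = {
    "swagger": "2.0",
    "info": {"title": "Users API", "version": "1.0"},
    "paths": {
        "/users": {
            "get": {"summary": "List users.",
                    "responses": {"200": {"description": "OK"}}},
            "post": {
                "summary": "Creates a new user.",
                "parameters": [{"in": "body", "name": "user",
                                "schema": {"$ref": "#/definitions/User"}}],
                "responses": {"201": {"description": "Created"}},
            },
        },
        "/users/{id}": {
            "put": {
                "summary": "Replaces a user.",
                "consumes": [],  # present but empty: still no usable contract
                "responses": {"200": {"description": "OK"}},
            },
            "delete": {"responses": {"204": {"description": "Deleted"}}},
        },
    },
    "definitions": {"User": {"type": "object"}},
}


def find_missing_consumes(spec: Dict[str, Any]) -> List[str]:
    """Return 'METHOD /path' for every PUT/POST/PATCH operation whose own
    'consumes' field is absent or empty.

    Only Swagger 2.0 is checked: OpenAPI 3.x has no 'consumes' keyword; the
    media types live under requestBody.content instead.
    """
    if str(spec.get("swagger", "")) != "2.0":
        return []
    findings: List[str] = []
    paths = spec.get("paths") or {}
    for path, path_item in paths.items():
        if not isinstance(path_item, dict):
            continue
        for method in WRITE_METHODS:
            operation = path_item.get(method)
            if not isinstance(operation, dict):
                continue
            if not operation.get("consumes"):  # missing, None or []
                findings.append(f"{method.upper()} {path}")
    return findings


def add_consumes(spec: Dict[str, Any], mime_types: List[str]) -> Dict[str, Any]:
    """Return a deep copy of spec in which every flagged operation gets
    'consumes' set to mime_types. The input document is left untouched."""
    fixed = copy.deepcopy(spec)
    for finding in find_missing_consumes(fixed):
        method, path = finding.split(" ", 1)
        fixed["paths"][path][method.lower()]["consumes"] = list(mime_types)
    return fixed


if __name__ == "__main__":
    for finding in find_missing_consumes(FAILING_SPEC):
        print(f"CKV_OPENAPI_17: {finding} has no 'consumes' field")
    remediated = add_consumes(FAILING_SPEC, ["application/json"])
    print("after remediation:", find_missing_consumes(remediated))
```

An empty list is treated the same as a missing field because it gives clients and validators nothing to act on. To run this against a real file, load it with a YAML or JSON parser into a dict and pass the result to find_missing_consumes.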
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1273 |
| Severity | MEDIUM |
| IaC Type | OpenAPI |
| Frameworks | OpenAPI |
| Checkov ID | CKV_OPENAPI_17 |