---
# Spectral-style ruleset (rules / given / then / function layout) that flags
# credentials carried in the URL part of an OpenAPI 3 description.
# Both rules are errors and are enabled by default (`recommended: true`).
rules:
  # Flags any `apiKey` security scheme whose `in` is `query`.
  # Only the query location is rejected by the `notMatch` below; the cookie
  # scheme in the description's example is not caught by this rule.
  sec-apikeys-url:
    description: |-
      API Keys are (usually opaque) strings that
      are passed in headers, cookies or query parameters
      to access APIs.
      Those keys can be eavesdropped, especially when they are stored
      in cookies or passed as URL parameters.
      ```
      security:
      - ApiKey: []
      paths:
        /books: {}
        /users: {}
      securitySchemes:
        ApiKey:
          type: apiKey
          in: cookie
          name: X-Api-Key
      ```
    message: 'ApiKey passed in URL: {{error}}.'
    formats: [oas3]
    severity: error
    recommended: true
    # Selects the `in` value of every security scheme of type apiKey.
    given:
      - '$..[securitySchemes][?(@ && @.type=="apiKey")].in'
    then:
      - function: pattern
        functionOptions:
          notMatch: '^(query)$'

  # Anchored so the same rule body can be aliased from other rules.
  # Flags query and path parameters whose name contains password, secret
  # or apikey (case-insensitive).
  sec-credentials-parameters: &sec-credentials-parameters
    description: |-
      URL parameters MUST NOT contain credentials such as
      apikey, password, or secret.
      See [RAC_GEN_004](https://docs.italia.it/italia/piano-triennale-ict/lg-modellointeroperabilita-docs/it/bozza/doc/04_Raccomandazioni%20di%20implementazione/04_raccomandazioni-tecniche-generali/01_globali.html?highlight=credenziali#rac-gen-004-non-passare-credenziali-o-dati-riservati-nellurl)
    message: 'Credentials are sent via URLs. {{path}} {{error}}'
    formats: [oas3]
    severity: error
    recommended: true
    # Selects the `name` of every parameter whose `in` is query or path.
    given:
      - '$..parameters[?(@ && @.in && @.in.match(/query|path/))].name'
    then:
      # NOTE(review): `given` already resolves to the parameter's `name`
      # string, yet `field: name` asks for a `name` property on that
      # target — confirm the rule actually fires under Spectral's field
      # lookup, or drop `field`/move `given` to the parameter object.
      - field: name
        function: pattern
        functionOptions:
          notMatch: '/^.*(password|secret|apikey).*$/i'