Array size should be limited to mitigate resource exhaustion attacks. Resource limiting is a standard practice to ensure that services remain available and that they're not easily susceptible to attacks or overuse. One type of attack vector is sending extremely large payloads to an API endpoint, which can cause outages, slow down processing, or even potentially crash systems. OpenAPI Specification allows for the use of the maxItems keyword to define and limit the data structures that an API endpoint expecting arrays accepts. Enforcing limits in such a way will prevent an API consumer from sending more items than a service allows. The limits can act as a barrier to protect your service: If someone is trying to flood your service with unusually large payloads. Schema limits are useful for API documentation and client-side validation, but they should not be the only line of defense. Always ensure that backend implementation also enforces the specified limits.
This rule applies at the API Specification level (OAS/Swagger).
Authentication Bypass: If the API relies on arrays for authentication or authorization checks, attackers might exploit a missing array limit to bypass these controls, gaining unauthorized access to restricted resources or performing actions they shouldn't be allowed to.
