AssignMessage payload parameters pollution

Hi there,

I observe some unexpected behaviour in the AssignMessage policy.

Consider the following example, as per the documentation:

<AssignMessage name="set-payload-3">
  <Set>
    <Payload contentType="application/json">
      {"name":"foo", "type":"{variable_name}"}
    </Payload>
  </Set>
</AssignMessage>

Let's imagine that variable_name is extracted from the query using ExtractVariables:

<QueryParam name="param">
    <Pattern ignoreCase="true">{variable_name}</Pattern>
</QueryParam>

But what if the query param named param contains quotes? Well, I would expect AssignMessage to take care of this (I mean, escape all quotes in order to prevent payload pollution, the way it encodes query parameters to avoid HTTP Parameter Pollution). But no, there is no escaping here.

I understand that generation of the Payload should be flexible, since Apigee allows generating not only JSON payloads, but XML and plain payloads too... But there is no warning in the documentation that using Apigee in that way opens a door for an adversary to pollute the request to the target system. And I think that this can be considered an issue.

1 ACCEPTED SOLUTION

Yes. And in a simpler case, this also won't give you joy:

<AssignMessage name="set-payload-3">
  <AssignVariable>
    <Name>variable-name</Name>
    <!-- the literal double quote in this value lands unescaped inside the JSON string below -->
    <Value>little bobby tables"!</Value>
  </AssignVariable>
  <Set>
    <Payload contentType="application/json">
      {"name":"foo", "type":"{variable-name}"}
    </Payload>
  </Set>
</AssignMessage>

Because there is a quote in the variable value, doing the simple string substitution will result in invalid JSON in the Payload. 

When using AssignMessage to set a Payload, it's the responsibility of the API proxy developer to ensure that the payload that gets constructed is valid JSON. If for some reason you suspect that your data is not valid JSON, then you would need to escape it. There is an escapeJSON function available in message templates for this purpose:

<AssignMessage name="set-payload-3">
  <Set>
    <Payload contentType="application/json">
      {"name":"foo", "type":"{escapeJSON(variable-name)}"}
    </Payload>
  </Set>
</AssignMessage>
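The following JavaScript is an added example, not code from either post above and not Apigee's implementation. It models the plain string substitution that the question observed in the AssignMessage payload template, and the escaped substitution the accepted answer recommends, so the two can be compared on the same inputs. The `escapeJSON` here is a stand-in built on `JSON.stringify` (an assumption, not Apigee's actual function), and the `{variable-name}` matching pattern is likewise an assumption made for this model. It goes one step beyond the thread's "invalid JSON" case: the second constructed input closes the string and adds a key, which produces JSON that is perfectly valid and therefore reaches the target unnoticed.

```javascript
// Added example, not code from the original post and not Apigee's own
// implementation: it models the message-template substitution that
// AssignMessage performs on a <Payload> and shows why an unescaped
// variable lets a caller reshape the JSON sent to the target.

// Payload template from the thread. Apigee fills `{variable-name}` with the
// current value of that flow variable. The variable-name pattern used below
// is an assumption made for this model.
const PAYLOAD_TEMPLATE = '{"name":"foo", "type":"{variable-name}"}';

// Naive substitution, as observed in the question: the variable's text is
// dropped into the template verbatim, with no escaping at all.
function fillNaive(template, vars) {
  return template.replace(/\{([A-Za-z0-9_.-]+)\}/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : match);
}

// Stand-in for the escapeJSON message-template function (assumption: this is
// an approximation, not Apigee's implementation). JSON.stringify escapes the
// characters that can break out of a JSON string (double quote, backslash,
// control characters); its outer quotes are stripped because the template
// already supplies them.
function escapeJSON(value) {
  return JSON.stringify(String(value)).slice(1, -1);
}

// Same substitution, but every value is escaped first. This models the
// accepted answer's `{escapeJSON(variable-name)}`.
function fillEscaped(template, vars) {
  const escaped = {};
  for (const [name, value] of Object.entries(vars)) escaped[name] = escapeJSON(value);
  return fillNaive(template, escaped);
}

// What a JSON consumer on the target side would see.
function inspect(payload) {
  try {
    const obj = JSON.parse(payload);
    return { valid: true, keys: Object.keys(obj), type: obj.type };
  } catch (err) {
    return { valid: false, error: err.message };
  }
}

// Constructed inputs: the answer's quote-bearing value, which merely breaks
// the JSON, and a value that closes the string and smuggles in a new key,
// which yields valid JSON that the target will accept as-is.
const CONSTRUCTED_INPUTS = {
  brokenQuote: 'little bobby tables"!',
  injectedKey: 'x", "admin":"true',
};

// Run both substitutions over both inputs and return what the target sees.
function runDemo() {
  const out = {};
  for (const [label, value] of Object.entries(CONSTRUCTED_INPUTS)) {
    const vars = { 'variable-name': value };
    out[label] = {
      naive: inspect(fillNaive(PAYLOAD_TEMPLATE, vars)),
      escaped: inspect(fillEscaped(PAYLOAD_TEMPLATE, vars)),
    };
  }
  return out;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Two things to take from the output. First, escapeJSON only makes the value a safe JSON string: it is the right tool when the variable lands between double quotes, not when it is inserted as a bare number, an object, or into an XML or plain-text payload. Second, the `injectedKey` case is the one that matters for the target system: the naive payload parses cleanly with an extra `admin` key, so a downstream "is it valid JSON" check would not catch it, whereas the escaped payload keeps the whole attacker string inside the `type` field.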


Thank you so much @dchiesa1