Hi All,
So I want to restrict the user to pass only alphanumeric values for the specific input request.
I tried many ways, like using the below pattern as well:
<Pattern>(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+</Pattern>
<Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
But whenever I tried to pass the input parameter, it's not failing for special characters like below:
{ Value:"?)%" }
Hi
I'm not clear on what you're doing with the pattern structured the way it is.
<Pattern>(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+</Pattern>
You want to allow ONLY alphanumeric, right? This policy configuration works for me.
<RegularExpressionProtection name="Regular-Expression-Protection-4">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <JSONPayload>
    <JSONPath>
      <Expression>$.Value</Expression>
      <Pattern>[^-a-zA-Z0-9]</Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>
This policy throws a fault when $.Value matches the enclosed regex.
The regex is a "negated range". So it's any character NOT in the range of [-a-zA-Z0-9].
That is all ASCII alpha, numeric, and dash. If you want to ALSO exclude dash, just remove the first dash inside the inner square brackets.
My results:
$ curl -i $apiendpoint/xss-regex-test/t4 -H content-type:application/json -d '{ "Value":"abc?" }'
HTTP/1.1 500 Internal Server Error
Date: Wed, 19 Sep 2018 21:36:26 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive

{"fault":{"faultstring":"Regular Expression Threat Detected in Regular-Expression-Protection-4: regex: [^-a-zA-Z0-9] input: abc?","detail":{"errorcode":"steps.regexprotection.ThreatDetected"}}}

$ curl -i $apiendpoint/xss-regex-test/t4 -H content-type:application/json -d '{ "Value":"abc9" }'
HTTP/1.1 200 OK
Date: Wed, 19 Sep 2018 21:36:33 GMT
Content-Length: 21
Connection: keep-alive

{ "Value":"abc9" }

$ curl -i $apiendpoint/xss-regex-test/t4 -H content-type:application/json -d '{ "Value":"abc%" }'
HTTP/1.1 500 Internal Server Error
Date: Wed, 19 Sep 2018 21:36:40 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive

{"fault":{"faultstring":"Regular Expression Threat Detected in Regular-Expression-Protection-4: regex: [^-a-zA-Z0-9] input: abc%","detail":{"errorcode":"steps.regexprotection.ThreatDetected"}}}
I think that's what you're looking for.
You can try out regex in an online tool. This one works nicely.
If you want to allow unicode alphanumeric, that's different. You will need something like this:
(?U)[^\p{Alpha}]
But I am not an expert in unicode-savvy regex, so be sure to test thoroughly.
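To see why the negated class behaves the way the answer describes, here is an added simulation of the policy's decision (not Apigee's code, and not from the original thread): it pulls $.Value out of a constructed JSON body and raises a fault when the pattern matches anywhere, using Python's re module instead of the Java regex engine the policy itself runs. The helper names and the "missing key means nothing to match" behaviour are assumptions of this example.

```python
import json
import re
from typing import Optional

# Patterns from the answer above: a negated class that matches any character
# that is NOT allowed, so a single match anywhere is a threat.
ASCII_ALNUM_DASH = r"[^-a-zA-Z0-9]"  # letters, digits and '-' are allowed
ASCII_ALNUM_ONLY = r"[^a-zA-Z0-9]"   # leading dash removed: '-' is rejected too

POLICY_NAME = "Regular-Expression-Protection-4"


def extract_value(body: str) -> Optional[str]:
    """Stand-in for the JSONPath expression $.Value: top-level key 'Value'."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or "Value" not in doc:
        return None  # assumption: absent $.Value gives the regex nothing to match
    return str(doc["Value"])


def check_payload(body: str, pattern: str = ASCII_ALNUM_DASH) -> dict:
    """Simulate RegularExpressionProtection: fault if `pattern` matches `$.Value`."""
    value = extract_value(body)
    if value is None:
        return {"status": 200, "fault": None}
    if re.search(pattern, value):
        # Shape mirrors the fault body shown in the curl transcript above.
        return {
            "status": 500,
            "fault": {
                "faultstring": (
                    f"Regular Expression Threat Detected in {POLICY_NAME}: "
                    f"regex: {pattern} input: {value}"
                ),
                "errorcode": "steps.regexprotection.ThreatDetected",
            },
        }
    return {"status": 200, "fault": None}


if __name__ == "__main__":
    # Constructed request bodies: the three from the thread, the original
    # failing input, a dash, and a non-ASCII letter the ASCII class rejects.
    for body in ('{ "Value":"abc?" }', '{ "Value":"abc9" }', '{ "Value":"abc%" }',
                 '{ "Value":"?)%" }', '{ "Value":"abc-1" }', '{ "Value":"abcé" }'):
        print(body, "->", check_payload(body)["status"],
              "/ no-dash variant ->", check_payload(body, ASCII_ALNUM_ONLY)["status"])
```

The last input shows the limit the answer mentions: "abcé" is rejected by the ASCII class, which is the case the Unicode-aware pattern is meant to handle.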
Thanks Dino for your quick response.