We want to raise a threat protection error if the query string has ?operation= or . I tried adding the expressions below, but they were not working, since the space between = and "or" was being treated as %20 in Apigee.
1. <Variable name="request.querystring">
     <Pattern ignoreCase="true">[\s]*((\bexec\b)|(\bdrop\b)|(\binsert\b)|(\bdelete\b)|(\bshutdown\b)|(\bupdate\b)|(\s\bor\b\s))</Pattern>
   </Variable>
2. <Variable name="request.querystring">
     <Pattern ignoreCase="true">[\s]*((\bexec\b)|(\bdrop\b)|(\binsert\b)|(\bdelete\b)|(\bshutdown\b)|(\bupdate\b)|(\sor\s))</Pattern>
   </Variable>
Kindly let me know for the same.
Can you describe in words what query string you're trying to match?
You have: operation= or
Does that mean the query parameter value is " or"? In other words, a space followed by the word "or"?
And you want to find a regex that matches on that?
What does test=do have to do with your question? Is it related at all?
If you want to check patterns in query params, the request.uri variable will contain the URI-encoded values. That is why you see something like %20 for the space. That is expected. If you want to match against that you have two options:
For an example of the latter:
<RegularExpressionProtection name="REP-1">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- In the request, request.uri is the proxy base path + the remainder of the address, including query parameters. -->
  <!--
    The %20 matches against an encoded space.
    Therefore %20or\b matches an encoded space followed by the word "or",
    followed by a word boundary.
  -->
  <Variable name="request.uri">
    <Pattern>%20or\b</Pattern>
  </Variable>
</RegularExpressionProtection>
When I send a request in like this:
curl -i "$endpoint/regex-protect-uri/t4" --data-urlencode 'operator= or' -G
...which tells curl to uri-encode the thing passed to --data-urlencode, and pass it as a query param, the REP policy flags that query param.
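To make the encoding point concrete, here is an added Python example (not from the thread or from Apigee) that runs the asker's second pattern and the answer's %20or\b pattern over the exact query string the curl command above produces. It also covers two details the thread does not state but that matter when you tune such a rule: the asker's \sor\s alternative needs whitespace on both sides of "or", so it does not match "operation= or" even after decoding, and a client that encodes spaces as "+" rather than %20 slips past a pattern written for the raw, still-encoded request.uri. The DECODED_OR pattern is an assumption of this example, not something the thread proposes.

```python
import re
from urllib.parse import quote, unquote_plus, urlencode

# Pattern from the answer above: matches the URL-encoded form of " or" in request.uri.
ENCODED_OR = re.compile(r"%20or\b", re.IGNORECASE)

# The asker's second pattern: expects literal whitespace on both sides of "or".
ASKER_PATTERN = re.compile(
    r"[\s]*((\bexec\b)|(\bdrop\b)|(\binsert\b)|(\bdelete\b)|(\bshutdown\b)"
    r"|(\bupdate\b)|(\sor\s))",
    re.IGNORECASE,
)

# Hypothetical decoded-side pattern (assumption, not from the thread): whitespace
# before "or" and a word boundary after it, so no trailing space is required.
DECODED_OR = re.compile(r"\sor\b", re.IGNORECASE)


def encode_query(params: dict) -> str:
    """Build a query string the way `curl -G --data-urlencode` does: spaces become %20."""
    return urlencode(params, quote_via=quote)


def matches_asker_pattern(query: str, decode_first: bool = False) -> bool:
    """Apply the asker's pattern, optionally after decoding %XX and '+' sequences."""
    subject = unquote_plus(query) if decode_first else query
    return ASKER_PATTERN.search(subject) is not None


def matches_encoded(query: str) -> bool:
    """Apply the %20or\\b pattern to the raw (still encoded) query string."""
    return ENCODED_OR.search(query) is not None


def matches_decoded(query: str) -> bool:
    """Decode first, then look for whitespace followed by the word 'or'."""
    return DECODED_OR.search(unquote_plus(query)) is not None


if __name__ == "__main__":
    # Constructed sample: the query string the curl command in the answer sends.
    q = encode_query({"operator": " or"})  # "operator=%20or"
    print(q, matches_asker_pattern(q), matches_encoded(q), matches_decoded(q))
    # Constructed sample: a client that encodes the space as '+' instead of %20.
    plus = "operator=+or"
    print(plus, matches_encoded(plus), matches_decoded(plus))
```

Running it shows the asker's pattern never fires on the encoded string, the %20or\b pattern fires on the curl request, and only the decode-then-match variant also catches the "+"-encoded form. Whichever side of the encoding you match on, write the pattern for that side and test it with both %20 and "+" inputs.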