How to write regular expression for query string ?operation= or &test=do

We want to raise a threat protection error if the query string has ?operation= or. I tried adding the expressions below, but they were not working because the space between = and or was being treated as @20 in Apigee.

1. <Variable name="request.querystring">
<Pattern ignoreCase="true">[\s]*((\bexec\b)|(\bdrop\b)|(\binsert\b)|(\bdelete\b)|(\bshutdown\b)|(\bupdate\b)|(\s\bor\b\s))</Pattern>
</Variable>

2. <Variable name="request.querystring">
<Pattern ignoreCase="true">[\s]*((\bexec\b)|(\bdrop\b)|(\binsert\b)|(\bdelete\b)|(\bshutdown\b)|(\bupdate\b)|(\sor\s))</Pattern>
</Variable>

Kindly let me know for the same.

 


Can you describe in words what query string you're trying to match? 

You have operation= or

Does that mean the query parameter value is " or"? In other words, a space followed by the word "or"?

And you want to find a regex that matches on that?  

What does test=do have to do with your question?  Is it related at all? 

If you want to check patterns in query params, the request.uri variable will contain the URI-encoded values. That is why you see something like %20 for the space. That is expected. If you want to match against that you have two options: 

  1. uri-decode the URI before trying to match
  2. match against the encoded form

For an example of the latter:

<RegularExpressionProtection name="REP-1">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- in the request, the request.uri is the proxy base path + the remainder of the address, including query parameters. -->
  <!-- 
     The %20 matches against an encoded space. 
     Therefore %20or\b matches an encoded space followed by the word "or", 
     followed by a word boundary. 
  -->
  <Variable name="request.uri">
    <Pattern>%20or\b</Pattern>
  </Variable>
</RegularExpressionProtection>

When I send a request in like this: 

curl -i "$endpoint/regex-protect-uri/t4" --data-urlencode 'operator= or' -G 

...which tells curl to uri-encode the thing passed to --data-urlencode, and pass it as a query param, the REP policy flags that query param.
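
The two options from the reply side by side, as an added example that is not part of the original post and uses plain JavaScript rather than any Apigee API. `%20or\b` is the reply's pattern; the decoded pattern `\sor\b`, the function names and the sample query strings are assumptions constructed for illustration.

```javascript
// Option 2 from the reply: match the URI-encoded form directly.
const ENCODED_PATTERN = /%20or\b/;
// Option 1 (assumed decoded counterpart): whitespace, the word "or",
// then a word boundary, applied after URI-decoding the value.
const DECODED_PATTERN = /\sor\b/i;

// Decode one query component. "+" is treated as a space (form encoding).
// Returns null when the percent-encoding is malformed.
function decodeComponent(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return null;
  }
}

// Check a raw query string both ways and report which parameters
// (names left as received) match once their values are decoded.
function checkQuery(rawQuery) {
  const result = {
    encodedMatch: ENCODED_PATTERN.test(rawQuery),
    flaggedParams: [],
    malformedParams: [],
  };
  for (const pair of rawQuery.replace(/^\?/, "").split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = decodeComponent(eq === -1 ? "" : pair.slice(eq + 1));
    if (value === null) result.malformedParams.push(name);
    else if (DECODED_PATTERN.test(value)) result.flaggedParams.push(name);
  }
  return result;
}

// Constructed sample query strings.
const samples = [
  "operator=%20or",         // what the curl command above sends
  "operator=+or",           // same value, space encoded as "+"
  "?test=do&color=orange",  // benign: "or" only inside other words
  "q=%20order",             // benign: word boundary prevents a match
  "a=%zz",                  // malformed percent-escape
];
for (const q of samples) console.log(q, JSON.stringify(checkQuery(q)));
```

Matching after decoding covers both encodings of a space with one pattern, while the encoded-form pattern only sees the literal `%20`.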