Regular expression from XML payload

I have created a proxy with no endpoint. I attached a regular expression protection policy (Regular Expression Protection-XML) to the request flow. I am trying to extract a variable from the XML payload using XPath and evaluate it based on the expression. If the expression matches, it has to throw an exception by using a RaiseFault policy, but here it is not happening.

<RegularExpressionProtection name="Regular-Expression-Protection-XML">
  <DisplayName>Regular Expression Protection-XML</DisplayName>
  <Properties/>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Source>request</Source>
  <XMLPayload>
    <Namespaces/>
    <XPath>
      <Pattern ignoreCase="false">[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
      <Expression>//VehicleDetails/VIN</Expression>
      <Type>string</Type>
    </XPath>
  </XMLPayload>
</RegularExpressionProtection>

If the pattern matches, it has to raise an exception. This is the RaiseFault:

<RaiseFault name="RegExpressionErrorXML">
  <DisplayName>RegExpressionErrorXML</DisplayName>
  <Properties/>
  <FaultResponse>
    <Set>
      <Payload contentType="application/json">{
      "error" : {
        "code" : 500,
        "message" : "that was a bad request; try different one."
      }
}
</Payload>
      <StatusCode>500</StatusCode>
      <ReasonPhrase>Server Error</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>


proxy.xml:

<ProxyEndpoint name="default">
  <Description/>
  <FaultRules>
    <FaultRule name="regex-threat">
      <Step><Name>RegExpressionErrorXML</Name></Step>
      <Condition>(fault.name = "ThreatDetected")</Condition>
    </FaultRule>
  </FaultRules>
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>RE-Regular-Expression-Protection-XML</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  ...

Request: I have sent the below request using the 'POST' method:

<VehicleDetails>
  <VIN>/delete</VIN>
  <Model>Auston Martin</Model>
  <heading>Reminder</heading>
</VehicleDetails>

Please suggest if anything is wrong with the code.

Accepted solution:

It works for me? If I pass the request this way:

curl -i https://cap500-test.apigee.net/veeraraghavendra-1/t1 \
  -H content-type:application/xml \
  -d '<VehicleDetails>
   <VIN>/delete</VIN>
   <Model>Auston Martin</Model>
   <heading>Reminder</heading>
</VehicleDetails>' 

..then I get a rejection, like this:

HTTP/1.1 400 Bad Request
Date: Wed, 01 Mar 2017 19:26:53 GMT
Content-Type: application/json
Content-Length: 117
Connection: keep-alive
Server: Apigee Router


{
      "error" : {
        "code" : 400,
        "message" : "that was a bad request; try different one."
      }
}

I just took the code and policies you had there, and ran it in a proxy I created, then imported and deployed in my organization. It worked as you desired. If I pass an XML payload that does not include /delete for the VIN, then it does not get rejected. This request:

curl -i https://cap500-test.apigee.net/veeraraghavendra-1/t1 \
  -H content-type:application/xml \
  -d '<VehicleDetails>
   <VIN>ok-vin-123</VIN>
   <Model>Auston Martin</Model>
   <heading>Reminder</heading>
</VehicleDetails>' 

...returns just fine.

Attached please find the proxy bundle.

Maybe the reason you are seeing different results is the content-type header you are using on the request? The XPath will fail to extract if you pass a non-XML content-type (not application/xml and not text/xml). That would cause the RegularExpression policy to also fail. But to be precise, "fail" is not the correct word... Actually it would do nothing. But it would be working as designed, though not working as you desire or expect.

apiproxy-veeraraghavendra-1-20170301-112323.zip
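
Added example, not part of the original thread and not Apigee's code: a small Python model of the behaviour the answer describes, where the regex check only runs when the Content-Type is XML, next to a fail-closed variant. The function names, the `fail_closed` switch and the sample payloads are assumptions made for illustration; the pattern is the one from the policy above, with Java's inline `(?i)` replaced by `re.IGNORECASE`.

```python
import re
import xml.etree.ElementTree as ET

# Pattern from the policy on this page. Java accepts the mid-pattern (?i);
# Python does not, so the flag is passed separately.
PATTERN = re.compile(
    r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))",
    re.IGNORECASE,
)
XML_TYPES = {"application/xml", "text/xml"}

# Constructed sample payloads, modelled on the requests in the thread.
BAD_VIN = "<VehicleDetails><VIN>/delete</VIN><Model>Auston Martin</Model></VehicleDetails>"
OK_VIN = "<VehicleDetails><VIN>ok-vin-123</VIN><Model>Auston Martin</Model></VehicleDetails>"


def vin_values(body):
    """Stand-in for the XPath //VehicleDetails/VIN (ElementTree has no absolute paths)."""
    doc = ET.Element("doc")  # synthetic parent so the root element is searchable
    doc.append(ET.fromstring(body))
    return [el.text or "" for el in doc.findall(".//VehicleDetails/VIN")]


def evaluate(content_type, body, fail_closed=False):
    """Return 'rejected', 'allowed' or 'skipped' (the body was never inspected)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in XML_TYPES:
        # Behaviour described in the answer: nothing is extracted, so nothing
        # matches and no fault is raised. fail_closed rejects instead (assumption).
        return "rejected" if fail_closed else "skipped"
    # Substring search, since "/delete" is rejected despite the leading slash.
    if any(PATTERN.search(value) for value in vin_values(body)):
        return "rejected"  # corresponds to fault.name = "ThreatDetected"
    return "allowed"


if __name__ == "__main__":
    for ctype in ("application/xml", "text/plain"):
        for label, body in (("bad", BAD_VIN), ("ok", OK_VIN)):
            print(ctype, label, evaluate(ctype, body), evaluate(ctype, body, True))
```

The `skipped` result is the case to watch for when a request that should be rejected passes through: the policy ran, but had nothing to evaluate.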