Today I faced an issue with the RE threat protection policy. Is there any way to check whether the URL contains any threat?
Java code:
```java
String line = "abc?xyz=delet&mno=exec&aabb=sadfas";
// Backslashes are doubled so the regex engine receives \s and \b
String pattern = "[\\s]*(?i)((delete)|(exec)|(drop\\s*table)|(insert)|(shutdown)|(update)|(\\bor\\b))";
```
I tried to achieve the same as above in the proxy, but I am not able to, and it is not raising any exception either.
message.querystring or request.querystring.
```xml
<QueryParam name="message.querystring">
  <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
</QueryParam>
```
How can I achieve it for a dynamic query string?
Thanks,
Kumar P.
Yes,
The Regular Expression Protection policy is pretty flexible. As you can see in the documentation page for this policy, there are a variety of ways to select which thing you would like to analyze with the Regex:
You have configured it to analyze a particular query parameter, because you've used the QueryParam element. And the query param in particular is the one with the name "message.querystring". I think this is probably not what you intend.
Instead, I suspect you want to analyze the entire querystring, not a particular query param.
To do that, use Variable, and specify 'request.uri'. According to the doc on context variables, the request.uri variable contains the proxy base path + the remainder of the address, including query parameters. The configuration of the policy looks like this:
```xml
<RegularExpressionProtection name="RegularExpressionProtection-1">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- request.uri is the path (incl proxy base path) plus query parameters -->
  <Variable name="request.uri">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
</RegularExpressionProtection>
```
I just tried this with a request, and it worked.
```
$ curl -i 'https://ORG-ENV.apigee.net/regex-protect-uri/abc?xyz=delet&mno=exec&aabb=sadfas'
HTTP/1.1 500 Internal Server Error
Date: Wed, 08 Nov 2017 17:36:41 GMT
Content-Type: application/json
Content-Length: 312
Connection: keep-alive

{
  "fault": {
    "faultstring": "Regular Expression Threat Detected in RegularExpressionProtection-1: regex: [\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b)) input: /regex-protect-uri/abc?xyz=delet&mno=exec&aabb=sadfas",
    "detail": {
      "errorcode": "steps.regexprotection.ThreatDetected"
    }
  }
}
```
You'd probably want to handle that with a FaultRule, to suppress all that information. But it's working as expected I think.
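An added example, not part of the original posts: a small Java harness for trying the pattern against candidate URIs before deploying the policy. It shows that the request above is rejected because of `exec` (not `delet`), and that ordinary paths and values containing the same keywords are rejected too. It assumes the policy searches for the pattern anywhere in the variable's value, as `java.util.regex` `find()` does, which is consistent with the fault shown above; the class and method names are hypothetical, and every URI except the first is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class UriPatternCheck {
    // Same expression as the policy's <Pattern>; backslashes doubled for a Java string literal.
    static final Pattern THREAT = Pattern.compile(
        "[\\s]*(?i)((delete)|(exec)|(drop\\s*table)|(insert)|(shutdown)|(update)|(\\bor\\b))");

    // Returns the text of the first keyword found anywhere in the URI, or null if none is found.
    static String firstHit(String uri) {
        Matcher m = THREAT.matcher(uri);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        String[] uris = {
            // From the curl request in the answer above.
            "/regex-protect-uri/abc?xyz=delet&mno=exec&aabb=sadfas",
            // Constructed samples below.
            "/regex-protect-uri/abc?xyz=delet",             // "delet" alone is not a keyword
            "/regex-protect-uri/executive-summary?id=7",    // benign path containing "exec"
            "/regex-protect-uri/orders?action=update",      // benign value equal to a keyword
            "/regex-protect-uri/colors?q=red+or+blue",      // "or" as a whole word between '+'
            "/regex-protect-uri/items?name=Inserted"        // (?i) makes the match case-insensitive
        };
        for (String uri : uris) {
            String hit = firstHit(uri);
            System.out.printf("%-6s %-10s %s%n",
                hit == null ? "pass" : "BLOCK",
                hit == null ? "-" : hit,
                uri);
        }
    }
}
```

Running candidate URIs from your own API through a harness like this shows which legitimate requests the keyword list would reject, so the pattern can be narrowed before it is enforced.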