Regular expression protection - finding threat in query params (dynamic)

Today I faced an issue with the RE threat protection policy: is there any way to check whether the URL contains any threat?

Java code:

String line = "abc?xyz=delet&mno=exec&aabb=sadfas";
// backslashes must be doubled inside a Java string literal so the regex sees \s and \b
String pattern = "[\\s]*(?i)((delete)|(exec)|(drop\\s*table)|(insert)|(shutdown)|(update)|(\\bor\\b))";
boolean threat = java.util.regex.Pattern.compile(pattern).matcher(line).find();

I tried to achieve the same as above in the proxy, but I am not able to, and it is not raising any exception either.

message.querystring or request.querystring.

<QueryParam name="message.querystring">
<Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
</QueryParam>

How can I achieve it in dynamic query string?

Thanks,

Kumar P.


Yes,

The Regular Expression Protection policy is pretty flexible. As you can see in the documentation page for this policy, there are a variety of ways to select which thing you would like to analyze with the Regex:

  • URIPath
  • QueryParam
  • FormParam
  • Header
  • XMLPayload
  • JSONPayload
  • Variable

You have configured it to analyze a particular query parameter, because you've used the QueryParam element. And the query param in particular is the one with the name "message.querystring". I think this is probably not what you intend.

Instead, I suspect you want to analyze the entire querystring, not a particular query param.

To do that, use Variable, and specify 'request.uri'. According to the doc on context variables, the request.uri variable contains the proxy base path + the remainder of the address, including query parameters. The configuration of the policy looks like this:

<RegularExpressionProtection name="RegularExpressionProtection-1">
  <Source>request</Source>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- request.uri is the path (incl. proxy base path) + query parameters -->
  <Variable name="request.uri">
    <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
  </Variable>
</RegularExpressionProtection>

I just tried this with a request, and it worked.

$ curl -i 'https://ORG-ENV.apigee.net/regex-protect-uri/abc?xyz=delet&mno=exec&aabb=sadfas'
HTTP/1.1 500 Internal Server Error
Date: Wed, 08 Nov 2017 17:36:41 GMT
Content-Type: application/json
Content-Length: 312
Connection: keep-alive


{
    "fault": {
        "faultstring": "Regular Expression Threat Detected in RegularExpressionProtection-1: regex: [\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b)) input: /regex-protect-uri/abc?xyz=delet&mno=exec&aabb=sadfas",
        "detail": {
            "errorcode": "steps.regexprotection.ThreatDetected"
        }
    }
}

You'd probably want to handle that with a FaultRule, to suppress all that information. But it's working as expected I think.
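To make the difference between the two configurations concrete, here is an added example in plain Java (not code from the question or from the reply above). It uses the pattern exactly as written in the policy, escaped for a Java string literal, and checks the URI from the curl request in two ways: one named parameter, which is what the QueryParam element does, and the whole URI, which is what Variable with request.uri does. The class name, method names and the extra sample URIs are assumptions made for the example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not code from the original post. Names below are illustrative.
public class QueryThreatCheck {

    // The policy's pattern, with backslashes doubled for a Java string literal.
    static final Pattern THREAT = Pattern.compile(
        "[\\s]*(?i)((delete)|(exec)|(drop\\s*table)|(insert)|(shutdown)|(update)|(\\bor\\b))");

    // Split "a=1&b=2" into an ordered map, percent-decoding names and values
    // the way a query-string parser normally does.
    static Map<String, String> parseQuery(String query) {
        Map<String, String> params = new LinkedHashMap<>();
        if (query == null || query.isEmpty()) return params;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Equivalent of <QueryParam name="..."> : only that one parameter's value is inspected.
    static boolean paramMatches(String uri, String paramName) {
        int q = uri.indexOf('?');
        String query = q < 0 ? "" : uri.substring(q + 1);
        String value = parseQuery(query).get(paramName);
        return value != null && THREAT.matcher(value).find();
    }

    // Equivalent of <Variable name="request.uri"> : path plus query string is inspected.
    // Returns the keyword that triggered the match, or null when nothing matched.
    static String uriMatch(String uri) {
        Matcher m = THREAT.matcher(uri);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // The URI from the curl request above.
        String uri = "/regex-protect-uri/abc?xyz=delet&mno=exec&aabb=sadfas";

        // No parameter is literally named "message.querystring", so nothing is inspected.
        System.out.println(paramMatches(uri, "message.querystring")); // false
        // Naming the parameter that carries the keyword does work...
        System.out.println(paramMatches(uri, "mno"));                 // true
        // ...but "delet" is not "delete", and only parameters named in advance are checked.
        System.out.println(paramMatches(uri, "xyz"));                 // false

        // The whole URI is covered no matter which parameter the keyword lands in.
        System.out.println(uriMatch(uri));                            // exec
        // \bor\b keeps ordinary words such as "order" and "form" from triggering the rule.
        System.out.println(uriMatch("/shop/order?sort=form"));        // null
        // A standalone "or" token, here separated by '+', does trigger it.
        System.out.println(uriMatch("/shop/items?q=1+or+1"));         // or
    }
}
```

The two helpers show why the original QueryParam configuration never fired: it inspects a single parameter looked up by name, and "message.querystring" is a flow variable, not a parameter name in the request. Matching request.uri inspects the full path and query string in one pass, which is the behaviour the fault above demonstrates.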