Apigee Docs provided Regular Expression Protection patterns are not tested properly. They are not working after XML encoding of tags. I am trying the
After the XML encoding of the tag it looks like this; the first pattern does not capture the error, it passes through:
<JSONPayload>
  <JSONPath escapeSlashCharacter="true">
    <Expression>$</Expression>
    <Pattern>(?i)(.*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>).*)</Pattern>
  </JSONPath>
</JSONPayload>
We have encoded the below pattern
<Pattern><\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*></Pattern>
This is the body I am passing,
{"myvar": "hii", "someParam": "12345 <script>alert(1)</script>"}
But it passes through; when I tried changing the Expression from
<Expression>$</Expression>
to
<Expression>$.someParam</Expression>
Then it is getting blocked.
So Apigee internally is able to convert the "<" and compare it with the pattern given in the regular expression, but it needs an explicit variable name which contains the blocked pattern.
And from @Dino, we have used one answer as well,
<Pattern ignoreCase="false"><![CDATA[<\s*script\b[^>]*>[^<]+<\s*\/\s*script\s*>]]></Pattern>
but that also is not working to block our keyword.
Please look into this and help us.
Tagging few folks, @Dino @Sudhee Sreedhara @wwitman @AMAR DEVEGOWDA @Anil Sagar
Answer by Dino · Jan 23, 2018 at 06:09 PM
My advice: Don't use the JSONPayload.
Just apply the regex against the request.content.
Maybe use JavaScript to do so.
There's a previous Q&A on this site describing how to do that.
Thank you Dino for your response,
I have tried that JavaScript as well, but it is also not catching the error,
var reqBody = context.getVariable("request.content"); print(reqBody);
var regex = []; // declare the array before assigning into it
// Regex literal: in a quoted string "\b" is a backspace and "\s" is just "s", so the RegExp("...") string form never matched
regex[0] = /[\s]*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>)/i;
if (regex[0].test(reqBody)) { print("req body contains threat"); }
But this is also not blocking the error.
Please advise.
Answer by Vinit Tyagi · Apr 18, 2018 at 07:45 PM
@Ziaur Raheman Khan You can throw the error in java script in place of printing
throw new Error("headers rejected as unsafe.");
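Putting Dino's advice (run the regex over request.content in a JavaScript step) together with Vinit's (throw rather than print), here is an added example; it is not code from the thread or from Apigee. It also shows why the string-built RegExp in the question never matched, and decodes JSON \u003c escapes before checking. The context object, the mockContext helper and the sample bodies are constructed so the step runs offline in Node.

```javascript
// Added example (not from the thread or Apigee): a JavaScript-policy-style step
// that checks request.content for the <script> pattern and throws on a match.
// "context" is mocked at the bottom so the code runs outside the gateway.

// The thread's pattern as a regex LITERAL. Inside a quoted string, "\b" is a
// backspace character and "\s" is just "s", so RegExp("...\s*script\b...")
// silently searches for a backspace and never matches.
var SCRIPT_TAG = /<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>/i;

// The string form only works when every backslash is doubled.
var SCRIPT_TAG_FROM_STRING = new RegExp(
  "<\\s*script\\b[^>]*>[^<]+<\\s*\\/\\s*script\\b\\s*>", "i");

// The string form as written in the question, kept to show the failure mode.
var SCRIPT_TAG_BROKEN = new RegExp(
  "[\s]*(<\s*script\b[^>]*>[^<]+<\s*\/\s*script\b\s*>)", "i");

// JSON text may carry the tag with its angle brackets escaped (\u003c, \u003e).
// Parsing and re-serialising decodes those escapes so the regex sees "<" and ">".
function normalizeBody(body) {
  try {
    return JSON.stringify(JSON.parse(body));
  } catch (e) {
    return body; // not JSON: check the raw text as-is
  }
}

function containsScriptTag(body) {
  return SCRIPT_TAG.test(normalizeBody(body));
}

// Policy entry point: reads request.content from the flow context and throws,
// which Apigee reports as a ScriptExecutionFailed fault and stops the flow.
function checkRequest(ctx) {
  var body = ctx.getVariable("request.content");
  if (body && containsScriptTag(body)) {
    throw new Error("request body rejected as unsafe.");
  }
  return true;
}

// Constructed sample bodies (not real traffic).
var BLOCKED_BODY = '{"myvar": "hii", "someParam": "12345 <script>alert(1)</script>"}';
var ENCODED_BODY = '{"someParam": "12345 \\u003cscript\\u003ealert(1)\\u003c/script\\u003e"}';
var CLEAN_BODY = '{"myvar": "hii", "someParam": "12345"}';

// Minimal stand-in for Apigee's context object (hypothetical helper for offline runs).
function mockContext(body) {
  return {
    getVariable: function (name) { return name === "request.content" ? body : null; }
  };
}
```

In a real proxy the policy would read the genuine context and the throw would end the request; the mock only exists so the three sample bodies can be exercised locally. Note that SCRIPT_TAG alone does not match ENCODED_BODY, which is why normalizeBody decodes the JSON first.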