How to set the regular expression policy for special character using Regular expression policy

Hi All,

So I want to restrict the user to pass only the alpha numeric values for the specific input request.

I tried many ways, like using the patterns below as well:

<Pattern>(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+</Pattern> 

<Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>

But whenever I try to pass the input parameter, it's not failing for special characters like below:

{
Value:"?)%"
}
1 ACCEPTED SOLUTION

Hi

I'm not clear on what you're doing with the pattern structured the way it is.

<Pattern>(/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+</Pattern> 

You want to allow ONLY alphanumeric, right? This policy configuration works for me.

<RegularExpressionProtection name="Regular-Expression-Protection-4">
    <Source>request</Source>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <JSONPayload>
        <JSONPath>
            <Expression>$.Value</Expression>
            <Pattern>[^-a-zA-Z0-9]</Pattern>
        </JSONPath>
    </JSONPayload>
</RegularExpressionProtection>

This policy throws a fault when $.Value matches the enclosed regex.

The regex is a "negated range". So it's any character NOT in the range of [-a-zA-Z0-9].

That is all ASCII alpha, numeric, and dash. If you want to ALSO exclude dash, just remove the first dash inside the inner square brackets.

My results:

$ curl -i $apiendpoint/xss-regex-test/t4 -H content-type:application/json -d '{ 
  "Value":"abc?"
}' 
HTTP/1.1 500 Internal Server Error
Date: Wed, 19 Sep 2018 21:36:26 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive


{"fault":{"faultstring":"Regular Expression Threat Detected in Regular-Expression-Protection-4: regex: [^-a-zA-Z0-9] input: abc?","detail":{"errorcode":"steps.regexprotection.ThreatDetected"}}}


$ curl -i $apiendpoint/xss-regex-test/t4 -H content-type:application/json -d '{ 
  "Value":"abc9"
}' 
HTTP/1.1 200 OK
Date: Wed, 19 Sep 2018 21:36:33 GMT
Content-Length: 21
Connection: keep-alive


{ 
  "Value":"abc9"
}


$ curl -i $apiendpoint/xss-regex-test/t4 -H content-type:application/json -d '{ 
  "Value":"abc%"
}' 
HTTP/1.1 500 Internal Server Error
Date: Wed, 19 Sep 2018 21:36:40 GMT
Content-Type: application/json
Content-Length: 193
Connection: keep-alive


{"fault":{"faultstring":"Regular Expression Threat Detected in Regular-Expression-Protection-4: regex: [^-a-zA-Z0-9] input: abc%","detail":{"errorcode":"steps.regexprotection.ThreatDetected"}}}


I think that's what you're looking for.

You can try out regex in an online tool.

This one works nicely.

If you want to allow unicode alphanumeric, that's different. You will need something like this:

(?U)[^\p{Alpha}]

But I am not an expert in Unicode-savvy regex, so be sure to test thoroughly.

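The following script is an added example, not code from the thread or from Apigee. It shows, outside the gateway, why the asker's keyword denylist never fires on a value like "?)%" while the accepted answer's negated character class does, and how dropping the leading dash from the class also rejects dashes. The policy semantics are mirrored by a plain "does the regex match anywhere in the value" check, which is what the fault messages above show. The Unicode variant is a Python approximation, since Python's re module has no \p{Alpha}; the sample values are constructed for the demonstration.

```python
import re

# Constructed sample payload values (not from the thread): the answerer's curl
# inputs, the asker's "?)%" case, and a few extra edge cases.
SAMPLES = ["abc9", "abc?", "abc%", "?)%", "abc-def", "abc_def",
           "drop table", "h\u00e9llo9"]

# The asker's keyword denylist, exactly as posted in the question. It only
# matches when one of the listed words is present, so "?)%" passes untouched.
DENYLIST = re.compile(
    r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"
)

# The accepted answer's negated class: any character that is NOT ASCII
# alphanumeric or dash. A leading dash inside [] is literal in both Java and
# Python regex, which is why the answer says to remove it to exclude dashes.
NEGATED_ALLOWLIST = re.compile(r"[^-a-zA-Z0-9]")
NEGATED_ALLOWLIST_NO_DASH = re.compile(r"[^a-zA-Z0-9]")

# Python approximation of the answer's Unicode variant (assumption: Python 3's
# \w is Unicode-aware by default). [\W_] matches any character that is not a
# Unicode letter or digit; underscore is listed explicitly because \w allows it.
NEGATED_UNICODE = re.compile(r"[\W_]")


def threat_detected(pattern, value):
    """Mirror RegularExpressionProtection: a fault is raised when the pattern
    matches anywhere in the extracted value (search, not full match)."""
    return pattern.search(value) is not None


def evaluate(value):
    """Run one value through all four patterns and report which would fault."""
    return {
        "denylist": threat_detected(DENYLIST, value),
        "negated_allowlist": threat_detected(NEGATED_ALLOWLIST, value),
        "negated_allowlist_no_dash": threat_detected(NEGATED_ALLOWLIST_NO_DASH, value),
        "negated_unicode": threat_detected(NEGATED_UNICODE, value),
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), evaluate(sample))
```

Running it shows that only the negated classes reject "?)%" and "abc%"; the denylist fires solely on "drop table". Note that the ASCII class also rejects an accented letter such as "h\u00e9llo9", which is the difference the answer's Unicode remark is about.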
@Dino-at-Google

Thanks Dino for your quick response.