URL BasePath validation Best Practices.

Hi,

Scenario: To validate the required incoming url (ie part of incoming url /string information of BasePath information to be "XXX" or "YYY" or "ZZZ"):

We are validating the BasePath of URL as indicated below.

https://myvhost/*/ggg/yyy (Correct path is https://myvhost/XXX/ggg/yyy) * given as example for URL

(validation is for part, which is displayed as * ) like this part need to be certain value like either that * part of BasePath could be “XXX” or “YYY” or “ZZZ”. value comes in incoming BasePath.

Eg:

https://myvhost/*/ggg/yyy

(is the ApigeeSaaS URL to invoke backend from POSTMAN, Its : HTTP GET Request)

In such url for * (BasePath) validation the Java script logic is listed below.

	var basePath = context.getVariable("proxy.url");
	var valid = false;
	var fun = basePath.split("/");
	var urlString= fun[3];
	print("urlString ---"+ urlString);
	if ( urlString == "XXX" || urlString =="YYY" || urlString =="ZZZ") {
	valid = true;
	}
	context.setVariable("ValidateStatus",valid);
	context.setVariable("resourcepath", urlString);

In above scenario (Proxy Endpoint ‘default’ Preflow information) is listed below..

Eg: Flow of Proxy EndPoint proxy (High level Flow information) (In ProxyEndPoint “PreFlow”)

Overall logic of Preflow is

Starts with Secured Shared Flow -- > Api Key Validation --> Invoke OKTA for Token and required logics -- > ValidateEntitlementsInformation (Java Script) etc..

Note: ValidateEntitlementsInformation is the name of the Java script logic, which validates the * information of the URL either to be “XXX” or “YYY” or “ZZZ”. As below

<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>Security-Shared Flow</Name>
      </Step>
      <Step>
        <Name>Verify-APIKey-OKTA</Name>
      </Step>
      <Step>
        <Name>Verify-OKTA-JWT</Name>
      </Step>
      <Step>
        <Name>JavaScript-ValidateEntitlementsInformation</Name>
      </Step>
      <Step>
        <Name>Raise-Fault</Name>
        <Condition>(ValidateStatus == false)</Condition>
      </Step>
      <Step>
        <Name>ExtractRoleInfo</Name>
        <Condition>(scopes==null or scopes=="")</Condition>
        <Name>Raise-Fault-1</Name>
        <PostFlow name="PostFlow">
        </PostFlow>
        <Flows>
          <Flow name="GetUserProfile">
            <Description>Gets User Profile Information</Description>
            <Condition>(proxy.pathsuffix MatchesPath "/") and (request.verb = "GET")</Condition>
          </Flows>
          <HTTPProxyConnection>
            <BasePath>/*/v1/api</BasePath>
            <Properties/>
            <VirtualHost>secure</VirtualHost>
          </HTTPProxyConnection>
          <RouteRule name="default">
            <TargetEndpoint>default</TargetEndpoint>
          </RouteRule>
        </ProxyEndpoint>


In order to avoid the writing * to <BasePath> tag as indicated above, do we have any logic or any patterns to avoid * . in the <BasePath>, under <HTTPProxyConnection>?

We want to avoid * in <BasePath> which could be security issue, hence what will the valid <BasePath> URL information without using * . ie indicated scenario requires validation of * to be "XXX" or "YYY" or "ZZZ" which I am taking care in JavaScript which works fine.

Require your suggestions in case handled any such cases.

Let me know if you require any additional information.

0 3 1,315
3 REPLIES 3

Just simplifying if incoming URL from client is

If incoming HTTP GET from postman is expected to be either XXX or YYY or ZZZ in base path url like

https://<apigeSaaSurl>/XXX/v1/api

https://<apigeSaaSurl>/YYY/v1/api

https://<apigeSaaSurl>/ZZZ/v1/api

Then the

<ProxyEndpoint name="default">

<PreFlow name="PreFlow">

<BasePath> can be deigned in below format, but * in BasePath seems to be security issue. Please suggest.

<HTTPProxyConnection>

<BasePath>/*/v1/api</BasePath>

<Properties/>

<VirtualHost>secure</VirtualHost>

</HTTPProxyConnection>

I am validating for Basepath to be XXX or YYY or ZZZ in java script but I am not sure if the BasePath url design representation in current situation

Please suggest

I think it would be simpler for you to configure your proxy flows

One proxy flow with a condition for your valid paths

<Condition>(proxy.pathsuffix MatchesPath "/xxx") or (proxy.pathsuffix MatchesPath "/yyy")</Condition>

Another default proxy flow for your non-matching case, this can include a raisefault policy for example

You may need to vary your conditions here to match your needs

sidd-harth
Participant V

Apigee does NOT support using a wildcard "*" as the first element of a base path. For example, this is NOT supported: /*/search. Starting the base path with a "*" can lead to unexpected errors because of the way Edge identifies valid paths.

I think you need to use a generic value as your basePath like /employees if it is an Employees Data API.

Then use multiple ConditionalFLows in the ProxyEndpoint. Also, add an invalid-path flow which would raise an error if it did not match any earlier pathsuffix.

https://docs.apigee.com/api-platform/fundamentals/flow-configurations

8691-flows.jpg