AssignMessage payload parameters pollution

nmarkevich · September 19, 2022, 12:36pm

Hi there,

I observe some unexpected behaviour in AssignMessage policy.

Consider the following example as per documentation

<AssignMessage name="set-payload-3">
  <Set>
    <Payload contentType="application/json">
      {"name":"foo", "type":"{variable_name}"}
    </Payload>
  </Set>
</AssignMessage>

Lets imagine that variable_name is extracted from query using ExtractVariables

<QueryParam name="param">
    <Pattern ignoreCase="true">{variable_name}</Pattern>
</QueryParam>

But what if queryparam named param contains quotes? Well, I expect that AssignMessage will do all things (I mean escape all quotes in order to prevent payload pollution, like it encodes queryparameters to avoid HTTP Parameter Pollution). But no, there is no escaping here.

I understand that generation of Payload should be flexible, since Apigee allows to generate not only JSON payload, but XML and plain payload too… But there is no warning in the documentation, that using Apigee in that way opens a door for an adversary to pollute request to the target system. And I think that this can be considered as an issue.

dchiesa1 · September 19, 2022, 9:26pm

Yes. and in a simpler case, this also won’t give you joy:

<AssignMessage name="set-payload-3">
  <AssignVariable>
    <Name>variable-name</Name>
    <Value>little bobby tables"!</Name>
  </AssignVariable>
  <Set>
    <Payload contentType="application/json">
      {"name":"foo", "type":"{variable-name}"}
    </Payload>
  </Set>
</AssignMessage>

Because there is a quote in the variable value, doing the simple string substitution will result in invalid JSON in the Payload.

When using AssignMessage to set a Payload, it’s the responsibility of the API proxy developer to insure that the payload that gets constructed is valid JSON. If for some reason you suspect that your data is not valid JSON, then you would need to escape it. There is an escapeJSON function available in message templates, for this purpose:

<AssignMessage name="set-payload-3">
  <Set>
    <Payload contentType="application/json">
      {"name":"foo", "type":"{escapeJSON(variable-name)}"}
    </Payload>
  </Set>
</AssignMessage>

nmarkevich · September 19, 2022, 9:43pm

Thank you so much @dchiesa1

Topic		Replies	Views
How do I "easily" insert variables into JSON Payloads? Knowledge Hub apigee	8	39	January 9, 2017
JSON not properly encoded with AssignMessage/ServiceCallout Apigee api-runtime	1	2	September 7, 2016
Any easy way to encode special characters in flow variables to be inserted into XML Payload? Apigee api-runtime	4	14	April 9, 2016

AssignMessage payload parameters pollution

AI Suggested topics