Regular expression from XML payload

I have created a proxy with no endpoint. I attached a regular expression protection policy (Regular Expression Protection-XML) to the request flow. I am trying to extract a variable from the XML payload using XPath and evaluate it against the expression. If the expression matches, it has to throw an exception by using a RaiseFault policy, but that is not happening.

<RegularExpressionProtection name="Regular-Expression-Protection-XML">
  <DisplayName>Regular Expression Protection-XML</DisplayName>
  <Properties/>
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <Source>request</Source>
  <XMLPayload>
    <Namespaces/>
    <XPath>
      <Pattern ignoreCase="false">[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
      <Expression>//VehicleDetails/VIN</Expression>
      <Type>string</Type>
    </XPath>
  </XMLPayload>
</RegularExpressionProtection>

If the pattern matches, it has to raise an exception. This is the RaiseFault:

<RaiseFault name="RegExpressionErrorXML">
  <DisplayName>RegExpressionErrorXML</DisplayName>
  <Properties/>
  <FaultResponse>
    <Set>
      <Payload contentType="application/json">{
      "error" : {
        "code" : 500,
        "message" : "that was a bad request; try different one."
      }
}
</Payload>
      <StatusCode>500</StatusCode>
      <ReasonPhrase>Server Error</ReasonPhrase>
    </Set>
  </FaultResponse>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
</RaiseFault>

proxy.xml:

<ProxyEndpoint name="default">
  <Description/>
  <FaultRules>
    <FaultRule name="regex-threat">
      <Step><Name>RegExpressionErrorXML</Name></Step>
      <Condition>(fault.name = "ThreatDetected")</Condition>
    </FaultRule>
  </FaultRules>
  <PreFlow name="PreFlow">
    <Request>
      <Step>
        <Name>RE-Regular-Expression-Protection-XML</Name>
      </Step>
    </Request>
    <Response/>
  </PreFlow>
  ...

Request: I sent the request below using the 'POST' method.

<VehicleDetails>
  <VIN>/delete</VIN>
  <Model>Auston Martin</Model>
  <heading>Reminder</heading>
</VehicleDetails>

Please suggest if anything is wrong with the code.

It works for me? If I pass the request this way:

curl -i https://cap500-test.apigee.net/veeraraghavendra-1/t1 \
  -H content-type:application/xml \
  -d '<VehicleDetails>
   <VIN>/delete</VIN>
   <Model>Auston Martin</Model>
   <heading>Reminder</heading>
</VehicleDetails>' 

..then I get a rejection, like this:

HTTP/1.1 400 Bad Request
Date: Wed, 01 Mar 2017 19:26:53 GMT
Content-Type: application/json
Content-Length: 117
Connection: keep-alive
Server: Apigee Router

{
      "error" : {
        "code" : 400,
        "message" : "that was a bad request; try different one."
      }
}

I just took the code and policies you had there, and ran it in a proxy I created, then imported and deployed in my organization. It worked as you desired. If I pass an XML payload that does not include /delete for the VIN, then it does not get rejected. This request:

curl -i https://cap500-test.apigee.net/veeraraghavendra-1/t1 \
  -H content-type:application/xml \
  -d '<VehicleDetails>
   <VIN>ok-vin-123</VIN>
   <Model>Auston Martin</Model>
   <heading>Reminder</heading>
</VehicleDetails>' 

…returns just fine.

Attached please find the proxy bundle.

Maybe the reason you are seeing different results is the content-type header you are using on the request? The XPath will fail to extract if you pass a non-XML content-type (not application/xml and not text/xml). That would cause the RegularExpression policy to also fail. But to be precise, “fail” is not the correct word… Actually it would do nothing. But it would be working as designed, though not working as you desire or expect.

apiproxy-veeraraghavendra-1-20170301-112323.zip
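
The behaviour described in the answer above, modelled offline as an added example (not code from this thread and not Apigee's implementation): the same payload is caught with an XML content-type and goes uninspected without one. The names `inspect`, `extract_vin` and `fail_closed` are hypothetical, and the `fail_closed` gate that rejects non-XML requests is an assumption about one way to close the gap, not something the thread configures.

```python
import re
import xml.etree.ElementTree as ET

# Pattern from the policy in the question. Java accepts the mid-pattern (?i);
# Python does not, so the flag is passed separately.
PATTERN = re.compile(
    r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))",
    re.IGNORECASE,
)
# Content types the answer names as XML.
XML_TYPES = {"application/xml", "text/xml"}


def extract_vin(body):
    """Evaluate //VehicleDetails/VIN; ElementTree needs a wrapper above the root."""
    wrapper = ET.Element("wrapper")
    wrapper.append(ET.fromstring(body))
    return [el.text or "" for el in wrapper.findall(".//VehicleDetails/VIN")]


def inspect(content_type, body, fail_closed=False):
    """Return 'ThreatDetected', 'pass', 'skipped' or 'rejected' for one request."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in XML_TYPES:
        # As described in the answer: no XPath extraction, so no regex check.
        # fail_closed models an extra content-type gate (assumption, not on the page).
        return "rejected" if fail_closed else "skipped"
    # Substring search: the thread shows "/delete" rejected although "/" is not
    # whitespace, so the pattern is not anchored to the whole value.
    if any(PATTERN.search(value) for value in extract_vin(body)):
        return "ThreatDetected"
    return "pass"


# Constructed sample payloads, modelled on the two requests in the thread.
BAD = "<VehicleDetails><VIN>/delete</VIN><Model>Auston Martin</Model></VehicleDetails>"
GOOD = "<VehicleDetails><VIN>ok-vin-123</VIN><Model>Auston Martin</Model></VehicleDetails>"

if __name__ == "__main__":
    # curl -d without an explicit -H sends application/x-www-form-urlencoded.
    for ctype in ("application/xml", "application/x-www-form-urlencoded"):
        for label, body in (("bad", BAD), ("good", GOOD)):
            print(ctype, label, inspect(ctype, body), inspect(ctype, body, fail_closed=True))
```

When testing a proxy like this one, send the rejecting payload once with and once without the XML content-type header; a pass on the second request means the policy was skipped, not that the value was clean.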