Need to Update Regex Patterns in Threat Protectors #7722
Assignees
Comments
This was referenced Mar 8, 2024
This was referenced Nov 1, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description:
The patterns given in https://apim.docs.wso2.com/en/latest/deploy-and-publish/deploy-on-gateway/api-gateway/threat-protectors/regular-expression-threat-protection-for-api-gateway/#denying-request-patterns are not correct for JavaScript Injection and XPath Injection.
For the XPath Injection
.*'.*|(?\u003C![\w\d])or(?![\w\d])|.*1=1.*|.*ALTER.*|.*ALTER TABLE.*|.*ALTER VIEW.*| .*CREATE DATABASE.*|.*CREATE PROCEDURE.*|.*CREATE SCHEMA.*| .*create table.*|.*CREATE VIEW.*|.*DELETE.*|.*DROP DATABASE.*| .*DROP PROCEDURE.*|.*DROP.*|.*SELECT.*and for the JavaScript Injection\u003Cscript\b[^>]*>[^\/]+\s*\/\s*script\s*>should be used.Please note that the above doc changes need to be done once wso2/api-manager#2549 is fixed to handle the encoded values at the Pattern.compile method in the mediator level.
Also in the table at https://apim.docs.wso2.com/en/latest/deploy-and-publish/deploy-on-gateway/api-gateway/threat-protectors/regular-expression-threat-protection-for-api-gateway/#denying-request-patterns, "JavaScript Exception" should be corrected to "JavaScript Injection"
Affected Product Version:
APIM 4.2.0, APIM 4.1.0
Related Issues:
wso2/api-manager#2549
The text was updated successfully, but these errors were encountered: