RegExThreatProtection
If any of the specified regular expressions evaluates to true, the message is considered a threat and is rejected.
No regular expression can eliminate all content-based attacks, so multiple mechanisms should be combined for defense in depth. With this in mind, the following patterns are recommended for blacklisting content.
Blacklisted Patterns
Name | Regular expression |
---|---|
SQL Injection | [\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or)) |
Server-Side Include Injection | <!--\s*<!--(include|exec|echo|config|printenv)\s+.* |
XPath Abbreviated Syntax Injection | (/(@?[\w_?\w:\*]+(\[[^]]+\])*)?)+ |
XPath Expanded Syntax Injection | /?(ancestor(-or-self)?|descendant(-or-self)?|following(-sibling)) |
JavaScript Injection | <\s*script\b[^>]*>[^<]+<\s*/\s*script\s*> |
Java Exception Injection | .*Exception in thread.* |
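The SQL Injection pattern above is a substring rule, so it also fires on benign words that happen to contain "or" or "update". The following added example (not part of this page's product code) runs that pattern over constructed sample values next to a tightened whole-word, case-insensitive variant; the search-anywhere matching semantics are an assumption, since the page does not state how the policy applies a pattern.

```python
import re

# SQL Injection pattern, copied verbatim from the blacklist table above.
SQL_INJECTION = r"[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(or))"

# Tightened variant (assumption, not from the page): keywords must be whole
# words, so "history" or "report" no longer trip the rule, and it is evaluated
# case-insensitively so keyword casing does not matter.
SQL_INJECTION_WORDS = r"\b(delete|exec|drop\s+table|insert|shutdown|update|or)\b"


def is_threat(pattern: str, value: str, flags: int = 0) -> bool:
    """Assumption: the policy searches for the pattern anywhere in the value
    (re.search semantics) and is case-sensitive unless told otherwise; the
    page does not spell out the matcher's semantics."""
    return re.search(pattern, value, flags) is not None


def classify(value: str) -> dict:
    """Evaluate one query-parameter or header value against both patterns."""
    return {
        "table_pattern": is_threat(SQL_INJECTION, value),
        "word_boundary": is_threat(SQL_INJECTION_WORDS, value, re.IGNORECASE),
    }


# Constructed sample values, as a query parameter or header might carry them.
SAMPLES = [
    "history",            # benign, but contains the substring "or"
    "Hello, world",       # benign, "world" contains "or"
    "1 or 1=1",           # tautology, lowercase keyword
    "1 OR 1=1",           # same tautology, uppercase keyword
    "DROP  TABLE users",  # uppercase keyword with doubled whitespace
    "shipping update",    # benign phrase that any keyword list will flag
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:22} -> {classify(sample)}")
```

The last sample shows the page's own point: keyword lists cannot separate "update" in prose from "update" in SQL, so the rule belongs in a layered defense rather than standing alone.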
Examples
Example 1:
In this example, the uriPath, query parameters, headers, and jsonPayload are checked for threats:
<regExThreatProtection xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="regExThreatProtection-example"
    displayName="regExThreatProtection-example" enabled="true" version="1.0">
  <uriPath>
    <pattern>\\d{3}[-.]?\\d{3}[-.]?\\d{4}</pattern>
  </uriPath>
  <jsonPayload>
    <jsonPath>
      <expression>^.*</expression>
      <pattern>.*uglyThreat.*</pattern>
    </jsonPath>
  </jsonPayload>
  <queryParam name="name">
    <pattern>[tT]rue</pattern>
    <pattern>.*true.*</pattern>
  </queryParam>
  <header name="greetings">
    <pattern>[tT]rue</pattern>
    <pattern>.*true.*</pattern>
  </header>
  <header name="greeting">
    <pattern>[tT]rue</pattern>
    <pattern>.*true.*</pattern>
  </header>
</regExThreatProtection>
Example 2:
In this example, the xmlPayload is checked for threats:
<regExThreatProtection xmlns="http://www.infor.com/ion/api"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    name="regExThreatProtection-example"
    displayName="regExThreatProtection-example" enabled="true" version="1.0">
  <xmlPayload>
    <namespaces>
      <namespace prefix="infor">http://www.infor.com</namespace>
      <namespace prefix="acme">http://www.acme.com</namespace>
    </namespaces>
    <xPath>
      <expression>//infor:title/text()</expression>
      <pattern>.*ThreatTitle.*</pattern>
    </xPath>
  </xmlPayload>
</regExThreatProtection>
Configuration
Element name | Default | Presence | Type | Multiplicity |
---|---|---|---|---|
uriPath | n/a | Optional | n/a | 0..1 |
uriPath.pattern | n/a | Required | string | 1..* |
jsonPayload | n/a | Optional | n/a | 0..1 |
jsonPayload.jsonPath | n/a | Required | n/a | 1..* |
jsonPayload.jsonPath.expression | n/a | Required | string | 1..1 |
jsonPayload.jsonPath.pattern | n/a | Required | string | 1..* |
xmlPayload | n/a | Optional | n/a | 0..1 |
xmlPayload.namespaces | n/a | Optional | n/a | 0..1 |
xmlPayload.namespaces.namespace | n/a | Optional | string | 0..* |
xmlPayload.xPath | n/a | Required | n/a | 1 |
xmlPayload.xPath.expression | n/a | Required | string | 1 |
xmlPayload.xPath.pattern | n/a | Required | string | 1..* |
queryParam | n/a | Optional | n/a | 0..1 |
queryParam.pattern | n/a | Required | string | 1..* |
header | n/a | Optional | n/a | 0..1 |
header.pattern | n/a | Required | string | 0..1 |
<regExThreatProtection> attributes
<regExThreatProtection name="regExThreatProtection-example" displayName="regExThreatProtection-example" enabled="true" version="1.0">
Field name | Description | Default | Presence |
---|---|---|---|
name | Name of this policy instance. | N/A | Required |
displayName | Display name of this policy instance. | N/A | Optional |
enabled | Indicates if a policy is enforced or not. If set to false, a policy is turned off, and not enforced. | true | Optional |
version | Policy version. | N/A | Required |
<uriPath> element
This is an optional element that configures the regular expressions to be evaluated against the URI path.
The path starts with a forward slash and is the string that comes after the host and port; it does not include the protocol, host, or port of the URI. For example, in the following URI the path is /mywebsite/customers:
https://myserver:8443/mywebsite/customers
Only one uriPath element is allowed. The uriPath can contain multiple patterns.
<uriPath>
  <pattern>\\d{3}[-.]?\\d{3}[-.]?\\d{4}</pattern>
</uriPath>
<jsonPayload> element
This is an optional element that configures the string to be extracted from a JSON payload and evaluated against the regular expressions provided.
Only one jsonPayload element is allowed. The jsonPayload can contain multiple jsonPath elements, which in turn can contain multiple patterns.
This rule executes only if the Content-Type header indicates JSON.
<jsonPayload>
  <jsonPath>
    <expression>^.*</expression>
    <pattern>.*uglyThreat.*</pattern>
  </jsonPath>
</jsonPayload>
<queryParam> element
This is an optional element that indicates the regular expressions that must be evaluated against a given query parameter.
Multiple queryParam elements are allowed. The queryParam element can contain multiple patterns.
<queryParam name="name">
  <pattern>[tT]rue</pattern>
  <pattern>.*true.*</pattern>
</queryParam>
<xmlPayload> element
This is an optional element that configures the string to be extracted from an XML payload and evaluated against the regular expressions provided.
Only one xmlPayload element is allowed. The xmlPayload can contain multiple xPath elements, which in turn can contain multiple patterns.
This rule executes only if the Content-Type header indicates XML.
<xmlPayload>
  <namespaces>
    <namespace prefix="infor">http://www.infor.com</namespace>
    <namespace prefix="acme">http://www.acme.com</namespace>
  </namespaces>
  <xPath>
    <expression>//infor:title/text()</expression>
    <pattern>.*ThreatTitle.*</pattern>
  </xPath>
</xmlPayload>
<namespaces> element
This is an optional element that declares the namespaces (prefix and URI) that can be used in the xPath expressions of an xmlPayload element.
<header> element
This is an optional element that indicates the regular expressions that must be evaluated against a given header.
Multiple header elements are allowed. The header element can contain multiple patterns.
<header name="greeting">
  <pattern>[tT]rue</pattern>
  <pattern>.*true.*</pattern>
</header>
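To make the element semantics above concrete, here is an added example (not the product's own code) that loads the uriPath, queryParam and header rules from Example 1 and evaluates a constructed request against them; payload rules are left out, the pattern is written as a plain `\d` in the embedded policy, and search-anywhere matching plus case-insensitive header names are assumptions the page does not state.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "http://www.infor.com/ion/api"}

# Example 1 from the page, reduced to the request-line rules this evaluator
# handles (uriPath, queryParam, header); payload rules are out of scope here.
POLICY_XML = r"""<regExThreatProtection xmlns="http://www.infor.com/ion/api"
    name="regExThreatProtection-example" enabled="true" version="1.0">
  <uriPath><pattern>\d{3}[-.]?\d{3}[-.]?\d{4}</pattern></uriPath>
  <queryParam name="name">
    <pattern>[tT]rue</pattern>
    <pattern>.*true.*</pattern>
  </queryParam>
  <header name="greeting"><pattern>[tT]rue</pattern></header>
</regExThreatProtection>"""


def load_rules(policy_xml: str) -> dict:
    """Compile the policy's patterns keyed by the location they apply to.
    A policy with enabled="false" yields no rules and rejects nothing."""
    root = ET.fromstring(policy_xml)
    if root.get("enabled", "true") != "true":
        return {"uriPath": [], "queryParam": {}, "header": {}}
    def patterns(el):
        return [re.compile(p.text) for p in el.findall("p:pattern", NS)]
    return {
        "uriPath": [p for el in root.findall("p:uriPath", NS) for p in patterns(el)],
        "queryParam": {el.get("name"): patterns(el) for el in root.findall("p:queryParam", NS)},
        # HTTP header names are case-insensitive, so key them lowercased
        "header": {el.get("name").lower(): patterns(el) for el in root.findall("p:header", NS)},
    }


def find_threats(rules: dict, path: str, query: dict, headers: dict) -> list:
    """Return the (location, pattern) pairs that fired; empty means the request
    passes. Assumption: a pattern fires when it matches anywhere in the value
    (re.search), since the page does not state the matcher's semantics."""
    hits = [("uriPath", p.pattern) for p in rules["uriPath"] if p.search(path)]
    for name, pats in rules["queryParam"].items():
        for value in query.get(name, []):
            hits += [("queryParam:" + name, p.pattern) for p in pats if p.search(value)]
    lowered = {k.lower(): v for k, v in headers.items()}
    for name, pats in rules["header"].items():
        if name in lowered:
            hits += [("header:" + name, p.pattern) for p in pats if p.search(lowered[name])]
    return hits


RULES = load_rules(POLICY_XML)
```

A request with path /mywebsite/customers/555-123-4567, query name=is it true? and header Greeting: True produces four hits (one per pattern that fired), while a plain request produces none and is passed through.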