Layer7 API Management

  • 1.  Shell Injection - pick which meta characters to block?

    Posted Sep 18, 2018 09:14 AM

    'Protect Against Code Injection, Shell Injection' in the API gateway blocks messages containing `| & > \ etc. Can I pick and choose which meta characters to block?



  • 2.  Re: Shell Injection - pick which meta characters to block?
    Best Answer

    Posted Sep 19, 2018 12:00 AM

    Yes, you are right, shell injection flags those characters.

    The Protect Against Code Injection and SQL attack assertions are a set of regular expressions run against the message body, URL, and attachments, and it looks like it's not possible to customize the regex matches for the protection assertions.

    You can use a regex assertion and write your own pattern according to the requirement, and use this regex assertion rather than the standard SQL attack assertion.
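
The custom-pattern approach suggested in the answer above, as an added example that is not part of the original thread and is not Layer7 code: a Python stand-in that builds one character class from only the metacharacters chosen for blocking and checks the URL and body with it. The function names, the sample requests and the URL percent-decoding step are assumptions.

```python
import re
from urllib.parse import unquote


def build_pattern(blocked):
    """Compile a character class that matches only the chosen metacharacters."""
    chars = sorted(set(blocked))
    if not chars:
        raise ValueError("choose at least one character to block")
    # re.escape() protects characters that are special inside [...] (\ ] ^ -)
    return re.compile("[" + "".join(re.escape(c) for c in chars) + "]")


def scan(pattern, url, body):
    """Return {part: [blocked chars found]}; an empty dict means the message passes."""
    # Assumption: the URL is percent-decoded before matching, so %7C is seen as |
    parts = {"url": unquote(url), "body": body}
    hits = {}
    for name, text in parts.items():
        found = sorted(set(pattern.findall(text)))
        if found:
            hits[name] = found
    return hits


# Constructed policy: block backtick, pipe and backslash; allow & and >
BLOCKED = "`|\\"
PATTERN = build_pattern(BLOCKED)

# Constructed sample requests as (url, body) pairs
SAMPLES = [
    ("/search?q=R%26D", "profit > loss & tax"),
    ("/run?f=a%7Cb", "ok"),
    ("/notes", "see C:\\tmp and `code`"),
]

if __name__ == "__main__":
    print("pattern:", PATTERN.pattern)
    for url, body in SAMPLES:
        result = scan(PATTERN, url, body)
        print(url, "->", "BLOCK " + str(result) if result else "PASS")
```
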



  • 3.  Re: Shell Injection - pick which meta characters to block?

    Posted Sep 19, 2018 08:28 AM

    Thanks for the reply. I'll give it a try.



  • 5.  Re: Shell Injection - pick which meta characters to block?

    Broadcom Employee
    Posted Sep 19, 2018 12:10 AM

    You may also want to vote for this idea, to allow easy encode/escape of special characters, so they can be safe to use rather than just blocking them:

    Enhance Encode/Decode Data Assertion to add html encode/decode

    It is geared towards XML/HTML special characters. There is also code for a custom assertion to do this from Guy posted there.

    A similar process could be applied for SQL special characters, where it processes a string, finds any special characters and escapes them.

    Cheers - Mark