We recently upgraded from version 9.0 to 9.2 of the gateway, just to find that the logic in many of our policies started to fail. Apparently there was a change in the way the Evaluate JSON Path Expression assertion works.
After looking into the release notes I found a known issue in 9.1. The issue (SSG-13320) addresses the possibility to find an empty array.
But what the assertion now appears to do is to make any expression return "found", and the assertion evaluates to true, even when the jsonpath is totally absent.
Is this really the intended behavior of that assertion?
I would have expected a found = false and assertion fail if the json attribute name is not present (like the previous behaviour).
This looks totally broken to me. Anyone else had issues with this?
This means that we need to change a lot of our policy logic around json parsing.