Layer7 API Management

  • 1.  Not able to handle errors with '%' char when Encode/Decode Data assertion is used.

    Posted Jul 24, 2017 02:37 PM

We have implemented the 'Code Injection Protection' assertion to block any injection requests. The logic is similar to the case below.


    - 1 At least one assertion must evaluate to true
          - 1.1. All assertions must evaluate to true
                - 1.1.1 Code Injection Protection
          - 1.2 All assertion must evaluate to true
                - 1.2.1 Return Template response to Requestor


    Sample Request 1:


{
"brand_name":"ivv2coiA",
"prefix":"Mr",
"first_name":"Jay",
"middle_name":"%3CScript%3E",
"last_name":"Chris"
}


So if someone sends JSON like the request above, the Gateway inspects the message and rejects it at the Code Injection Protection assertion. Control then passes to '1.2.1 Return Template response to Requestor', where a custom error message is provided in the response.


Now another request comes in as shown below:


{
"brand_name":"%co9012",
"prefix":"Mr",
"first_name":"Jay",
"middle_name":"N",
"last_name":"Chris"
}


In this case, control does not flow through '1.2.1 Return Template response to Requestor'.

The Gateway returns 'Unhandled exception' to the consumer. I can understand that the assertion is trying to decode '%co', which does not turn into a valid value.


How can this kind of situation be handled so that a proper error response is given to the API caller?


    Regards

    Kareem



  • 2.  Re: Not able to handle errors with '%' char when Code Injection Protection is used.

    Broadcom Employee
    Posted Jul 24, 2017 03:36 PM

    Hi Kareem,

Are you trying to prevent the %co from causing an exception? If so, what exception do you get, and do you get a stack trace in the ssg_0_0 log? Or are you getting the assertion-falsified message XML and really just looking for a "Customize Error Response" assertion to format failures in a cleaner way?

Thanks!



  • 3.  Re: Not able to handle errors with '%' char when Code Injection Protection is used.

    Posted Jul 24, 2017 05:12 PM

Hi Charles,


    I would like to send a customized error message in a cleaner method as defined in 'Return template response'.


The policy is getting falsified with the error below, and the Global Fragment gets executed, where a generic 'Unhandled Exception' response message is defined.


    Policy evaluation for service Create And Update Customer [161b6e5d05ec33ffcf1bee36a7***933] resulted in status -1 (Undefined)


    Regards

    Kareem 



  • 4.  Re: Not able to handle errors with '%' char when Code Injection Protection is used.

    Posted Jul 25, 2017 11:43 AM

Are you using the built-in Code Injection Protection assertions, or did you build your own logic for this? There are some conditions under which assertions are unable to execute and do not simply return false but instead stop policy execution; it sounds like this is what you are experiencing.



  • 5.  Re: Not able to handle errors with '%' char when Code Injection Protection is used.

    Posted Jul 25, 2017 01:13 PM

Hi Ben,


I am using the built-in assertion.


One update I would like to give.


Before the Code Injection Protection assertion we have used a URL Decode assertion (Decode body) to restrict two levels of code injection. The request is failing at the URL Decode assertion, as it tries to decode the value '%c3e', which is not a valid encoded value.


    As you said the assertion is not returning false but instead stopping policy execution. May I know what could be the reasons for this?


    Regards

    Kareem
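The failure described in this post is a decoder that throws on a malformed percent-escape instead of returning a falsified result, so the policy's "At least one" branch never gets a chance to emit the template response. The Python below is an added illustration, not Layer7/CA Gateway code, of the behaviour a policy author wants from that step: a strict percent-decoder that reports malformed input ('%co', or '%c3e' whose decoded bytes are not valid UTF-8) as an ordinary rejection, followed by a two-level decode-and-check loop that mirrors the URL Decode plus Code Injection Protection sequence. The field names and sample values are taken from the thread; the `<script` pattern, the `evaluate_request` return shape and the two-level limit are assumptions chosen for the example.

```python
import re

# Matches a well-formed percent-escape: '%' followed by exactly two hex digits.
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

# Assumed, deliberately narrow injection signature for the example only.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


class MalformedPercentEncoding(ValueError):
    """Raised for a '%' not followed by two hex digits, or for decoded bytes that are not UTF-8."""


def strict_percent_decode(s: str) -> str:
    """Decode %XX escapes, refusing malformed input instead of guessing.

    urllib.parse.unquote would silently leave '%co' untouched; a gateway
    decoder that throws turns it into an unhandled exception. Raising a
    specific, catchable error lets the caller turn both cases into a
    controlled rejection.
    """
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%":
            m = _PCT.match(s, i)
            if m is None:
                raise MalformedPercentEncoding(
                    f"invalid percent-escape at offset {i}: {s[i:i + 3]!r}"
                )
            out.append(int(m.group(1), 16))
            i += 3
        else:
            out.extend(s[i].encode("utf-8"))
            i += 1
    try:
        return bytes(out).decode("utf-8")  # strict: '%c3e' -> b'\xc3e' is rejected here
    except UnicodeDecodeError as exc:
        raise MalformedPercentEncoding(f"decoded bytes are not valid UTF-8: {exc}") from None


def evaluate_request(body: dict, levels: int = 2) -> dict:
    """Mimic the policy: decode each string field up to `levels` times and run the
    injection check after every pass. Every outcome is a plain return value, so the
    caller can always build a template error response (nothing escapes as an exception)."""
    for field, value in body.items():
        if not isinstance(value, str):
            continue
        current = value
        for level in range(1, levels + 1):
            try:
                current = strict_percent_decode(current)
            except MalformedPercentEncoding as exc:
                return {"status": 400, "reason": "malformed_encoding",
                        "field": field, "detail": str(exc)}
            if _SCRIPT_TAG.search(current):
                return {"status": 400, "reason": "code_injection",
                        "field": field, "level": level}
    return {"status": 200, "reason": "ok"}


if __name__ == "__main__":
    # Constructed sample bodies mirroring the two requests from the thread.
    samples = [
        {"brand_name": "ivv2coiA", "first_name": "Jay", "middle_name": "%3CScript%3E"},
        {"brand_name": "%co9012", "first_name": "Jay", "middle_name": "N"},
        {"brand_name": "%c3e"},
        {"brand_name": "%253Cscript%253E"},  # double-encoded; caught on the second pass
        {"first_name": "Jay", "last_name": "Chris"},
    ]
    for body in samples:
        print(body, "->", evaluate_request(body))
```

The point of the example is the control flow rather than the regex: a malformed escape and a detected injection both come back as a rejection the surrounding policy can branch on, which is exactly what a status -1 (Undefined) short-circuits.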



  • 6.  Re: Not able to handle errors with '%' char when Code Injection Protection is used.
    Best Answer

    Broadcom Employee
    Posted Jul 25, 2017 01:31 PM

    Kareem,


Status -1 (Undefined) is an unhandled exception in the assertion that generated it and always causes the policy to stop. You cannot handle these exceptions with normal "At least one" error handling; the policy terminates and either returns the standard fault or triggers the customized error response that is defined at the top of the policy. You will need to open a support ticket to have the cause of the error identified and addressed.



  • 7.  Re: Not able to handle errors with '%' char when Code Injection Protection is used.

    Broadcom Employee
    Posted Jul 27, 2017 01:00 AM

    Hello BARRY STERN,

For those unhandled exceptions, the Handle Errors folder should work:

Handle Errors Assertion - CA API Gateway - 9.2 - CA Technologies Documentation


    Regards,

    Mark