Forum Discussion

Juergen_Mang's avatar
Dec 07, 2022

AWAF OpenAPI Import and default defense attribute values for json content profiles

Hi Folks,

I created an ASM Security Policy with the default API-Security template and imported an OpenAPI file. This works perfectly: allowed urls and matching json content profiles are created.

It seems there are some defaults applied to the created json content profiles for the defense attributes.

How can this defaults are changed? I can not manually change each content profile afterwards, because they change frequently.

Thankf for any hint on this!

 

  • Meanwhile I found a solution that works for me: My script, thats creates the declarative waf policy, parses now the OpenAPI file and adds the necessary json content profile declarations to the final policy file. The OpenAPI import through the declaration executes the other steps: creates and adds the json schmema to the already created json content profile.

    I think this is a better solution than making some API requests after policy import to change this values.

  • So.. you have many profiles and you're looking to change the defaults? I'm not clear on the ask here.

  • The profiles are automatically created through the import of the OpenAPI files and the Defense Attributes of this JSON Content Profiles are always set to the values from the screenshot. My question is how I can set this defaults without knowing the name of the JSON Content Profiles beforehand. The names are dynamically created from the OpenAPI definition. I use a declaration to create the Policy.

    I tried to change the Defense Attributes of the default json content profile and I hopped the created json content profiles inherits there defense attribute settings from this profile, but this is not the case. I found also no other place to define this defaults.

  • I opened a case for this and it is a limitation with no workaround. The profiles must be changed after import manually or by script.

    This is absolutely not ideal and limits the usable OpenAPI import scenarios.

    • JRahm's avatar
      JRahm
      Icon for Admin rankAdmin

      Juergen_Mang, can you give me a sanitized version of a sample policy with the openAPI files and point out where the defaults are in them? I'm not super familiar with that, but I might be able to work the script side out for you so they can be run on import manually, or if possible, automatically. Won't know until I have some sample data to work with. Let me know!

  • Thanks JRahm 

    There is nothing special with this OpenAPI file. You can use any example file from the internet.

    1. Import the OpenAPI file
    2. Goto the JSON Content Profiles and open one of them
    3. See that the default defense attributes are set to values as in my screenshot

    Exporting the policy (sorry I could not give you the complete policy, it is far to large to sanitizy all elements) it looks like:

     

    {
       "defenseAttributes" : {
          "maximumArrayLength" : 1000,
          "maximumStructureDepth" : 10,
          "maximumTotalLengthOfJSONData" : 10000,
          "maximumValueLength" : 100,
          "tolerateJSONParsingWarnings" : false
       },
       "description" : "",
       "hasValidationFiles" : true,
       "name" : "json_POST_~v1~path1~res"
    },

     

    Changing this afterwards through API is certainly possible, but it would be better If we can change it inside a declarative WAF policy. I tried it with the modifcation section, but it does not worked. It seems the modifications section does not support the entityTyoe "json-profiles", but I have not found any documentation on this. My next try is to integrate this in my main policy file.

    Anyway, this was my attempt:

     

    {
    	"modifications": [
    		{
    			"action": "add-or-update",
    			"entityType": "json-profiles",
    			"entity": {
    				"name" : "json_POST_~v1~path1~res"
    			},
    			"entityChanges": {
    				"defenseAttributes" : {
    					"maximumArrayLength" : 1000,
    					"maximumStructureDepth" : 10,
    					"maximumTotalLengthOfJSONData" : 1048576,
    					"maximumValueLength" : 262144,
    					"tolerateJSONParsingWarnings" : false
    				}
    			}
    		}
    	]
    }

     

    Can you have look at the "RFE ID 1186661 - defense attributes for JSON profiles in policy created from OpenAPI file should have value "any" by default". I think this not the best solution to solve this issue. An even better solution would be: Add a posibility to let the user change this values and not to hardcode only other values.

    We should push this RFE, how I can do this?

  • Nice! That would make a great codeshare contribution!