Forum Discussion
AWAF Path Parameters with OPENAPI json file
Hi, Iam securing a API with a JSON OPENAPI file it mostly works fine however I have two positional parameters used in one url that seems to mask the following paths "/dqm/v1/projects/{customerId}/{pageNumber} & /dqm/v1/projects/projectDetails/{workRequestId}" The result is illegal parameter length violations on a url that is actually valid. the two paths have different operationId headers associated with them Does the WAF use the operationId to match the Path? It appears not as if I delete the operation Id from the api file then the policy matches the correct URL.
Any assistance in ubderstanding what is happening and why is appreaciated.
Allowed URL's
extract from JSON openAPI file
/dqm/v1/projects/{customerId}/{pageNumber}:
get:
tags:
- customer-projects-controller
operationId: getCustomerProjectsForIdperPage
parameters:
- name: customerId
in: path
required: true
schema:
type: string
- name: pageNumber
in: path
required: true
schema:
type: string
responses:
'200':
description: OK
content:
'*/*':
schema:
$ref: '#/components/schemas/CustomerProjectsResponse'
/dqm/v1/projects/projectDetails/{workRequestId}:
get:
tags:
- customer-projects-controller
operationId: getProjectDetailswithID
parameters:
- name: workRequestId
in: path
required: true
schema:
type: string
responses:
'200':
description: OK
content:
'*/*':
schema:
$ref: '#/components/schemas/ProjectDetailsResponse'
The resolution to this issue is to use the WildCards Order TAB to set the order the URLS should be processed.
By the way ChrisThuys / Chris_Thuys I seem to found a workaround as for example if you create the policy from the start like the one below it will result in the following order but you need to create asm policy from the start with the correct order as if you modify the openapi/swagger file it may not change the order.
Outside of that I am trying to use positional parameters as to trigger wildcard url match and still figuring out if wildcard parameter names are supported by F5 AWAF/ASM when importing a swagger/openapi file. I do not know if you have tried this as well.
"paths": {"/{path}": {"get": {"description": "Returns a user based on a single ID, if the user does not have access to the pet","operationId": "findPetById","produces": ["application/json","application/xml","text/xml","text/html"],"parameters": [{"name": "path","in": "path","description": "ID of pet to fetch","required": true,"type": "string"}],"responses": {"200": {"description": "pet response","schema": {"$ref": "#/definitions/Pet"}},"default": {"description": "unexpected error","schema": {"$ref": "#/definitions/ErrorModel"}}}}},"/{path1}/{path2}": {"get": {"description": "Returns a user based on a single ID, if the user does not have access to the pet","operationId": "findPetById","produces": ["application/json","application/xml","text/xml","text/html"],"parameters": [{"name": "path1","in": "path","description": "ID of pet to fetch","required": true,"type": "string"},{"name": "path2","in": "path","description": "ID of pet to fetch","required": true,"type": "string"}],"responses": {"200": {"description": "pet response","schema": {"$ref": "#/definitions/Pet"}},"default": {"description": "unexpected error","schema": {"$ref": "#/definitions/ErrorModel"}}}}}},- ChrisThuysAltocumulus
The resolution to this issue is to use the WildCards Order TAB to set the order the URLS should be processed.
Now I see what you mean and I even saw an article when you mentioned that the wildcard url order was the issue.
K13220614: The BIG-IP ASM system may not enforce wildcard URLs that are created without the wildcard order specified
https://support.f5.com/csp/article/K13220614
- Chris_ThuysAltocumulus
Sometimes it's all about the keywords you search on. Mine were all wrong. I was focused on the jSON file rather than the Wildcard URL's.
Good question! Never needed to do positional parameters, so I am also wondering.
Have you tried making manual policy with positional parameters and then to export it in JSON to see how it looks and if you can then use this in the OPENAPI/SWAGGER file as to see if it is supported (as a note your file is YAML not Json but that is just the look) https://support.f5.com/csp/article/K52644614
F5 XC/distributed cloud has SWAGGER/OPENAPI discovery but that can't be done with on-prem appliance 😯
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com