F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Pierre_A__3689's avatar
Pierre_A__3689
Icon for Nimbostratus rankNimbostratus
Nov 23, 2011

Path traversal iRules

Hi all,     trying to implement iRules to deny path traversal, i have found 3 so far on but none seems to stop it. Here's the latest one,   when RULE_INIT {   set ::vDebug 1   ...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Nov 23, 2011
Hi Pierre,

f there isn't a ? in the URI to delimit the path from the query string, then you should use HTTP::path or HTTP::uri--not HTTP::query.

Trying to do full URI validation in an iRule is going to be a losing battle in my mind as there are a lot of different encoding methods and path traversal methods. If you want full validation including URL normalization I suggest considering a web app firewall and/or adding more validation to the application.

As a limited measure you could start with something like this: 

when HTTP_REQUEST {

 Fully decode the URI from:
 http://devcentral.f5.com/wiki/iRules.FullyDecodeURI.ashx
set tmpUri [HTTP::uri]
set uri [URI::decode $tmpUri]

 repeat decoding until the decoded version equals the previous value.
while { $uri ne $tmpUri } {
set tmpUri $uri
set uri [URI::decode $tmpUri]
}
 Check if the decoded URI has two consecutive dots
if {[string match {*..*} $uri]}{
reject
}
}

Aaron