For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Bartek's avatar
Bartek
Icon for Cirrus rankCirrus
Apr 11, 2025

Replace stream if condition is met

Hi - I have an iRule i need to draft, however I can only test it once it drafted, by sending it to my customer for testing... bummer.

So the problem is - I need to inject my .js in the body of the response, but only if the script is not already injected (there is a valid reason for this, I promise). 

My thinking process is based on this:
https://clouddocs.f5.com/api/irules/STREAM_MATCHED.html

The goal is:
1) Check if the body contains /js/app<10digits>.js
2) If it does - do nothing
3) If it does not inject /js/app.js just before closing </body> tag
or:
2) delete the /js/app<10 digits>.js
3) Insert /js/app.js just before closing </body>tag

I'm thinking option 2 might be simpler, please let me know if my thinking is good, and If possible suggest some more elegant solution

when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    if { [HTTP::header exists "Content-Type"] && [HTTP::header value "Content-Type"] contains "text/html" } {
        if { [HTTP::header exists "Content-Length"] } {
            HTTP::header remove "Content-Length"
        }
        STREAM::expression {
                =<script type="text/javascript" src="/secfense/js/eru-[0-9]{10}\.js"><\/script><\/body>== 
                @</body>@<script type="text/javascript" src="/secfense/js/eru-1744029915.js"></script></body>@
        } 
        STREAM::enable
 }



I'm not sure whether multi expression STREAM::expression is a thing... Will this work?

irule
stream

3 Replies

  • Bartek's avatar
    Bartek
    Icon for Cirrus rankCirrus
    Apr 12, 2025

    I'm trying to avoid collecting the payload. 

    I actually realized I know exactly how does the payload look like without my insert... So i made a simple stream::expression that adds to the known payload. 

    something like this:

    when HTTP_REQUEST {
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    if { [HTTP::header exists "Content-Type"] && [HTTP::header value "Content-Type"] contains "text/html" } {
        if { [HTTP::header exists "Content-Length"] } {
            HTTP::header remove "Content-Length"
        }
        STREAM::expression {@"module"></script></body>@"module"><script type="text/javascript" src="/secfense/js/eru.js"></script></body>@} 
        STREAM::enable
    }

}