Forum Discussion
Thanks JRahm
There is nothing special with this OpenAPI file. You can use any example file from the internet.
- Import the OpenAPI file
- Go to the JSON Content Profiles and open one of them
- See that the default defense attributes are set to values as in my screenshot
Exporting the policy (sorry I could not give you the complete policy, it is far too large to sanitize all elements), it looks like:

    {
      "defenseAttributes" : {
        "maximumArrayLength" : 1000,
        "maximumStructureDepth" : 10,
        "maximumTotalLengthOfJSONData" : 10000,
        "maximumValueLength" : 100,
        "tolerateJSONParsingWarnings" : false
      },
      "description" : "",
      "hasValidationFiles" : true,
      "name" : "json_POST_~v1~path1~res"
    },

Changing this afterwards through the API is certainly possible, but it would be better if we could change it inside a declarative WAF policy. I tried it with the modifications section, but it did not work. It seems the modifications section does not support the entityType "json-profiles", but I have not found any documentation on this. My next try is to integrate this in my main policy file.
Anyway, this was my attempt:

    {
      "modifications": [
        {
          "action": "add-or-update",
          "entityType": "json-profiles",
          "entity": {
            "name" : "json_POST_~v1~path1~res"
          },
          "entityChanges": {
            "defenseAttributes" : {
              "maximumArrayLength" : 1000,
              "maximumStructureDepth" : 10,
              "maximumTotalLengthOfJSONData" : 1048576,
              "maximumValueLength" : 262144,
              "tolerateJSONParsingWarnings" : false
            }
          }
        }
      ]
    }

Can you have a look at the "RFE ID 1186661 - defense attributes for JSON profiles in policy created from OpenAPI file should have value "any" by default"? I think this is not the best solution to solve this issue. An even better solution would be: add a possibility to let the user change these values and not to hardcode only other values.
We should push this RFE, how can I do this?
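
As an added example (not part of the original post and not F5 code): one way to fold the larger limits into an exported policy file before re-importing it, touching only OpenAPI-generated profiles that still carry the defaults shown above. It assumes the export keeps profiles under `policy` -> `json-profiles`; the function name, the `json_` prefix filter and two of the three sample profiles are hypothetical.

```python
import copy

# Defaults the post reports on JSON profiles generated by the OpenAPI import.
OPENAPI_DEFAULTS = {"maximumArrayLength": 1000, "maximumStructureDepth": 10,
                    "maximumTotalLengthOfJSONData": 10000, "maximumValueLength": 100}

def override_json_profile_limits(policy_doc, overrides, name_prefix="json_"):
    """Return (patched_copy, changes); the input document is left untouched.

    Assumption: profiles sit under policy -> "json-profiles". An attribute is
    rewritten only while it still holds the OpenAPI default, so limits tuned
    by hand (or set to "any") survive.
    """
    patched = copy.deepcopy(policy_doc)
    changes = []
    for profile in patched.get("policy", {}).get("json-profiles", []):
        name = profile.get("name", "")
        if not name.startswith(name_prefix):
            continue
        attrs = profile.get("defenseAttributes", {})
        for key, new_value in overrides.items():
            if key in OPENAPI_DEFAULTS and attrs.get(key) == OPENAPI_DEFAULTS[key]:
                changes.append((name, key, attrs[key], new_value))
                attrs[key] = new_value
    return patched, changes

# Constructed sample export: the first profile name and the defaults are from
# the post, the other two profiles are invented for illustration.
SAMPLE_EXPORT = {"policy": {"json-profiles": [
    {"name": "json_POST_~v1~path1~res", "defenseAttributes": dict(OPENAPI_DEFAULTS)},
    {"name": "json_GET_~v1~tuned",
     "defenseAttributes": {**OPENAPI_DEFAULTS, "maximumValueLength": 500}},
    {"name": "Default", "defenseAttributes": {"maximumValueLength": "any"}},
]}}

# Values taken from the modifications attempt in the post.
OVERRIDES = {"maximumTotalLengthOfJSONData": 1048576, "maximumValueLength": 262144}

if __name__ == "__main__":
    _, changed = override_json_profile_limits(SAMPLE_EXPORT, OVERRIDES)
    for name, key, old, new in changed:
        print(f"{name}: {key} {old} -> {new}")
```

The returned change list doubles as a review record of which size limits were loosened on which profile.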