07-Dec-2022 03:31
Hi Folks,
I created an ASM Security Policy with the default API-Security template and imported an OpenAPI file. This works perfectly: allowed urls and matching json content profiles are created.
It seems there are some defaults applied to the created json content profiles for the defense attributes.
How can these defaults be changed? I cannot manually change each content profile afterwards, because they change frequently.
Thanks for any hint on this!
08-Dec-2022 17:08
@Juergen_Mang - if nobody has replied to you by tomorrow, I'll ask one of my colleagues to take a look.
09-Dec-2022 08:53
So.. you have many profiles and you're looking to change the defaults? I'm not clear on the ask here.
11-Dec-2022 23:31
The profiles are automatically created through the import of the OpenAPI files and the Defense Attributes of these JSON Content Profiles are always set to the values from the screenshot. My question is how I can set these defaults without knowing the names of the JSON Content Profiles beforehand. The names are dynamically created from the OpenAPI definition. I use a declaration to create the Policy.
I tried to change the Defense Attributes of the default json content profile and I hoped the created json content profiles would inherit their defense attribute settings from this profile, but this is not the case. I also found no other place to define these defaults.
12-Dec-2022 03:22 - edited 12-Dec-2022 03:24
I opened a case for this and it is a limitation with no workaround. The profiles must be changed after import manually or by script.
This is absolutely not ideal and limits the usable OpenAPI import scenarios.
15-Dec-2022 17:05
@Juergen_Mang, can you give me a sanitized version of a sample policy with the openAPI files and point out where the defaults are in them? I'm not super familiar with that, but I might be able to work the script side out for you so they can be run on import manually, or if possible, automatically. Won't know until I have some sample data to work with. Let me know!
16-Dec-2022 03:41
Thanks @JRahm
There is nothing special with this OpenAPI file. You can use any example file from the internet.
Exporting the policy (sorry, I could not give you the complete policy, it is far too large to sanitize all elements) it looks like:
{
  "defenseAttributes" : {
    "maximumArrayLength" : 1000,
    "maximumStructureDepth" : 10,
    "maximumTotalLengthOfJSONData" : 10000,
    "maximumValueLength" : 100,
    "tolerateJSONParsingWarnings" : false
  },
  "description" : "",
  "hasValidationFiles" : true,
  "name" : "json_POST_~v1~path1~res"
},
Changing this afterwards through the API is certainly possible, but it would be better if we could change it inside a declarative WAF policy. I tried it with the modifications section, but it did not work. It seems the modifications section does not support the entityType "json-profiles", but I have not found any documentation on this. My next try is to integrate this in my main policy file.
Anyway, this was my attempt:
{
  "modifications": [
    {
      "action": "add-or-update",
      "entityType": "json-profiles",
      "entity": {
        "name" : "json_POST_~v1~path1~res"
      },
      "entityChanges": {
        "defenseAttributes" : {
          "maximumArrayLength" : 1000,
          "maximumStructureDepth" : 10,
          "maximumTotalLengthOfJSONData" : 1048576,
          "maximumValueLength" : 262144,
          "tolerateJSONParsingWarnings" : false
        }
      }
    }
  ]
}
Can you have a look at the "RFE ID 1186661 - defense attributes for JSON profiles in policy created from OpenAPI file should have value "any" by default"? I think this is not the best solution to solve this issue. An even better solution would be: add a possibility to let the user change these values and not just hardcode other values.
We should push this RFE; how can I do this?
22-Dec-2022 02:58
Meanwhile I found a solution that works for me: my script, that creates the declarative WAF policy, now parses the OpenAPI file and adds the necessary json content profile declarations to the final policy file. The OpenAPI import through the declaration executes the other steps: it creates and adds the JSON schema to the already created json content profile.
I think this is a better solution than making some API requests after policy import to change these values.
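A sketch of the pre-generation step described in the post above, as an added example that is not the poster's own script. It assumes the profile naming convention inferred from the exported name "json_POST_~v1~path1~res" (HTTP method in upper case, path with "/" replaced by "~"), that the import only creates content profiles for operations with an application/json request body, and that the declarative policy accepts a "json-profiles" list of entries with "name" and "defenseAttributes".

```python
import json

# Defense attribute values to apply to every generated profile
# (the values from the "modifications" attempt earlier in the thread).
DESIRED_DEFENSE_ATTRIBUTES = {
    "maximumArrayLength": 1000,
    "maximumStructureDepth": 10,
    "maximumTotalLengthOfJSONData": 1048576,
    "maximumValueLength": 262144,
    "tolerateJSONParsingWarnings": False,
}

def profile_name(method: str, path: str) -> str:
    """Assumed naming convention, inferred from the exported name
    'json_POST_~v1~path1~res' (path '/v1/path1/res', '/' -> '~')."""
    return f"json_{method.upper()}_{path.replace('/', '~')}"

def json_profiles_from_openapi(spec: dict, defense: dict = DESIRED_DEFENSE_ATTRIBUTES) -> list:
    """One json-profile declaration per operation that declares an
    application/json request body (assumption: only those get a profile)."""
    profiles = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if not isinstance(op, dict):        # skip "parameters" lists etc.
                continue
            content = op.get("requestBody", {}).get("content", {})
            if "application/json" not in content:
                continue
            profiles.append({"name": profile_name(method, path),
                             "defenseAttributes": dict(defense)})
    return profiles

def add_profiles_to_policy(policy: dict, profiles: list) -> dict:
    """Merge into policy['policy']['json-profiles'] (assumed key), replacing
    entries with the same name so re-running the script is idempotent."""
    section = policy.setdefault("policy", {}).setdefault("json-profiles", [])
    by_name = {p["name"]: p for p in section}
    for p in profiles:
        by_name[p["name"]] = p
    policy["policy"]["json-profiles"] = list(by_name.values())
    return policy

# Constructed sample OpenAPI fragment and policy skeleton (not real data).
SAMPLE_SPEC = {"openapi": "3.0.0", "paths": {"/v1/path1/res": {
    "post": {"requestBody": {"content": {"application/json": {"schema": {"type": "object"}}}}},
    "get": {"responses": {"200": {"description": "ok"}}}}}}
SAMPLE_POLICY = {"policy": {"name": "api_policy"}}

if __name__ == "__main__":
    merged = add_profiles_to_policy(SAMPLE_POLICY, json_profiles_from_openapi(SAMPLE_SPEC))
    print(json.dumps(merged, indent=2))
```

The generated "json-profiles" entries carry the desired defense attributes, and the OpenAPI import attaches the schema to the profile of the same name, as the post describes.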
22-Dec-2022 13:31
Nice! That would make a great codeshare contribution!