AWAF OpenAPI Import and default defense attribute values for json content profiles

Meanwhile I found a solution that works for me: My script, thats creates the declarative waf policy, parses now the OpenAPI file and adds the necessary json content profile declarations to the final policy file. The OpenAPI import through the declaration executes the other steps: creates and adds the json schmema to the already created json content profile.

I think this is a better solution than making some API requests after policy import to change this values.

 Juergen_Mang - if nobody has replied to you by tomorrow, I'll ask one of my colleagues to take a look. 

So.. you have many profiles and you're looking to change the defaults? I'm not clear on the ask here.

The profiles are automatically created through the import of the OpenAPI files and the Defense Attributes of this JSON Content Profiles are always set to the values from the screenshot. My question is how I can set this defaults without knowing the name of the JSON Content Profiles beforehand. The names are dynamically created from the OpenAPI definition. I use a declaration to create the Policy.

I tried to change the Defense Attributes of the default json content profile and I hopped the created json content profiles inherits there defense attribute settings from this profile, but this is not the case. I found also no other place to define this defaults.

I opened a case for this and it is a limitation with no workaround. The profiles must be changed after import manually or by script.

This is absolutely not ideal and limits the usable OpenAPI import scenarios.

Thanks JRahm 

There is nothing special with this OpenAPI file. You can use any example file from the internet.

1. Import the OpenAPI file
2. Goto the JSON Content Profiles and open one of them
3. See that the default defense attributes are set to values as in my screenshot

Exporting the policy (sorry I could not give you the complete policy, it is far to large to sanitizy all elements) it looks like:

{
   "defenseAttributes" : {
      "maximumArrayLength" : 1000,
      "maximumStructureDepth" : 10,
      "maximumTotalLengthOfJSONData" : 10000,
      "maximumValueLength" : 100,
      "tolerateJSONParsingWarnings" : false
   },
   "description" : "",
   "hasValidationFiles" : true,
   "name" : "json_POST_~v1~path1~res"
},

Changing this afterwards through API is certainly possible, but it would be better If we can change it inside a declarative WAF policy. I tried it with the modifcation section, but it does not worked. It seems the modifications section does not support the entityTyoe "json-profiles", but I have not found any documentation on this. My next try is to integrate this in my main policy file.

Anyway, this was my attempt:

{
	"modifications": [
		{
			"action": "add-or-update",
			"entityType": "json-profiles",
			"entity": {
				"name" : "json_POST_~v1~path1~res"
			},
			"entityChanges": {
				"defenseAttributes" : {
					"maximumArrayLength" : 1000,
					"maximumStructureDepth" : 10,
					"maximumTotalLengthOfJSONData" : 1048576,
					"maximumValueLength" : 262144,
					"tolerateJSONParsingWarnings" : false
				}
			}
		}
	]
}

Can you have look at the "RFE ID 1186661 - defense attributes for JSON profiles in policy created from OpenAPI file should have value "any" by default". I think this not the best solution to solve this issue. An even better solution would be: Add a posibility to let the user change this values and not to hardcode only other values.

We should push this RFE, how I can do this?

Nice! That would make a great codeshare contribution!