Forum Discussion
CA_Valli
MVP
abhinay I've achieved something, this seems to work but might be heavy on performance.
proc key2value {list key} {
set element [split $list ,]
set kv_pair0 [split [lindex $element 0] :]
if {$key equals [string trim [lindex $kv_pair0 1] "\"{ }" ] }{
set kv_pair1 [split [lindex $element 1] :]
return [string trim [lindex $kv_pair1 1] "\"{ }" ]
}
}
when HTTP_REQUEST {
# if you need fInArgs code to match on GET's too, you can paste lines #4-10 (excluding "else \{" syntax on line #10) of my other script here, they shoudn't conflict
# setting HTTP::collect triggers -- notice that POST method is mantadory now
if { [HTTP::method] eq "POST" && ([HTTP::uri] contains "/cs" || [HTTP::uri] contains "llisapi.dll") }{
if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
set content_length [HTTP::header "Content-Length"]
} else { set content_length 1048576 }
if { $content_length > 0} { HTTP::collect $content_length }
}
}
when HTTP_REQUEST_DATA {
set cleanpl [URI::decode [HTTP::payload]]
# json format in payload is already formatted as a list - lindex is used to parse every element
for {set i 0} {$i < [llength $cleanpl]} {incr i}{
if { [findstr [lindex $cleanpl $i] func] ne "" }{ set func [call key2value [lindex $cleanpl $i] "func"] ; log local0. "func value is $func" }
if { [findstr [lindex $cleanpl $i] _REQUEST] ne "" }{ set req [call key2value [lindex $cleanpl $i] "_REQUEST"] ; log local0. "_REQUEST value is $req" }
}
if { $func contains "qds." && $req contains "SYNDICATION_REQUEST" }{
log local0. "violation detected, restricting access"
HTTP::respond 403 content "Forbidden"
}
# if you also need fInArgs code, you can paste lines #24-28 of my other script here as they shoudn't conflict
}
I was only able to test it with this command
curl -v http://10.163.191.11/cs -X POST --header "Content-Type: application/json" -d $'{ "key" : "func",\n"value" : "qds.ObjAction"}\n{ "key" : "_REQUEST",\n"value" : "SYNDICATION_REQUEST"}'
Parameters are recognized and request is blocked
Dec 28 14:16:40 bigip info tmm3[11336]: Rule /Common/iRule_DC <HTTP_REQUEST_DATA>: func value is qds.ObjAction
Dec 28 14:16:40 bigip info tmm3[11336]: Rule /Common/iRule_DC <HTTP_REQUEST_DATA>: _REQUEST value is SYNDICATION_REQUEST
Dec 28 14:16:40 bigip info tmm3[11336]: Rule /Common/iRule_DC <HTTP_REQUEST_DATA>: violation detected, restricting access
I feel like code can be improved a lot, but might be a starting point.
abhinay
Dec 29, 2022Nimbostratus
CA_Valli, Thanks for your efforts. I was able to achieve this with single if statement and combine both the requirements.
However I want to know if anyone pads with larger payload over 1MB, in that case the iRule will get bypassed right as we are collecting data only upto 1MB. Also we dont want to collect huge data on each POST request. Any idea how we can mitigate this?