Forum Discussion

EvTheFuture's avatar
EvTheFuture
Icon for Cirrus rankCirrus
Mar 03, 2023

[Workaround]: Prevent iRule Managers to accidentally enter invalid characters into a Data Group

We realized some time ago that the BIG-IP GUI does not handle UTF-8 encoded strings very well in Data Groups which result in ever growing data records for everytime the Data Group is saved.

This is an example on how to reproduce the problem and to see it in action:

  •  Start by creating an empty new data group named TEST of the type string.
  • Add a line with the key test1 and the value abcåäö123 (copy and paste if you don't have a nordic keyboard)
  • Click finish
  • Check with tmsh list ltm data-group internal TEST
You will see that it doesn't handle the UTF-8 data and you will se two characters for each > 7-bit character.
  • Now go to the GUI again and add a second line with the key test2 and the same value abcåäö123
  • Click update
Once again check tmsh and you will see that not only has test2 been added but test1 has also been updated, now including even more wrong characters.
 
This is a screenshot of how it will look:

The result of this is that eventually you will receive the following error from the BIG-IP (even if you only update lines that are not containing 8-bit ascii characters).

Workaround

Luckily we require the iRule Managers to login to an APM portal (webtop) where we have published a Portal Access to the administrative GUI of the BIG-IP, and since we do that, we can inject some JavaScript the will check the data before it saved.

iRule PREVENT_INVALID_DATA_IN_DATAGROUP-IRULE 

This iRule will inject some JavaScript code that will prevent these mistakes from happening

 

 

 

 

when HTTP_REQUEST {
    set inject_code 0

    if {[HTTP::path] ends_with "/tmui/tmui/skins/Default/scripts/skin.js"} {
        set inject_code 1
                
        STREAM::disable
        HTTP::header remove "Accept-Encoding"
    }
}

when HTTP_RESPONSE {
    if {$inject_code == 1} {
        set s1 "this.form.submitError\ =\ formSubmitError;"
        set r1 "this.form.submitError\ =\ formSubmitError;\n"

        append r1 "if\ (document.location.href.indexOf('datagroup')\ >\ -1)\ {\n"
        append r1 "select\ =\ document.getElementById('class_string_item');\n"
        append r1 "if\ (select\ !=\ null)\ {\n"
        append r1 "console.log('We\ found\ the\ select');\n"
        append r1 "for\ (option\ of\ select.children)\ {\n"
        append r1 "key\ =\ option.value.substr(0,\ option.value.indexOf('\\\\x0a'));\n"
        append r1 "if\ (!\ /^\[\\x00-\\x7F\]*\$/.test(key))\ {\n"
        append r1 "alert('String\ \"'+key+'\"\ contains\ invalid\ characters!');\n"
        append r1 "return\ false;\n"
        append r1 "}\n"
        append r1 "if\ (!\ /^\[\\x00-\\x7F\]*\$/.test(option.value))\ {\n"
        append r1 "alert('Value\ of\ \"'+key+'\"\ contains\ invalid\ characters!');\n"
        append r1 "return\ false;\n"
        append r1 "}\n"
        append r1 "}\n"
        append r1 "}\n"
        append r1 "}\n"

        STREAM::expression "@$s1@$r1@"
        STREAM::enable
    }
}

 

 

 

 

Now if you add a streaming profile to your APM Virtual Server and add this iRule the user will be presented with a popup informing them about the invalid data and also prevent them from submitting it.

Hope this can be of help until F5 fixes this in the BIG-IP

application delivery
data group
devops
irule
security
utf-8