Applied Injection Filter is ignored on PATCH and DELETE methods


Article ID: 248500


Updated On:

Products

CA API Gateway

Issue/Introduction

We've discovered that an "Injection Filter" applied using the Custom Injection Filter Assertion from "https://github.com/ca-api-gateway-extensions/injection-filter" to either the request or a message variable is ignored if the request verb is either PATCH or DELETE.

This seems to be the case in both 9.x and 10.x versions of the product. In our specific case the applied filter is "%60|%3B|%26|>|%3E|%5C", but a body containing the > character is let through if sent via the PATCH method; this doesn't happen if the POST method is used.

Environment

Release : 10.x 11.x

Component : API GATEWAY

Resolution

The custom assertion injection filter ignores the body when the method is PATCH or DELETE.

It only filters the body for GET, PUT or POST.

Historically, in most cases a DELETE will not have a body.

If you need this feature, you can use the open source code on GitHub for this assertion and modify it so that it also scans the body for PATCH and DELETE:

https://github.com/ca-api-gateway-extensions/injection-filter

You have to update InjectionFilterAssertionServiceInvocation.java.

Update the following function so that it looks like the one below:

    // Returns true when the request method is one whose body the filter scans.
    // The method name is kept as in the project; PATCH and DELETE are the additions.
    private boolean putAndPost(CustomPolicyContext context) {
        final String GET = "GET";
        final String POST = "POST";
        final String PUT = "PUT";
        final String PATCH = "PATCH";
        final String DELETE = "DELETE";

        final String method = context.expandVariable("${request.http.method}");
        return GET.equals(method) || POST.equals(method) || PUT.equals(method)
                || PATCH.equals(method) || DELETE.equals(method);
    }
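
The effect of the verb check can be reproduced outside the gateway. The following is an added example, not code from the injection-filter project: it models the check as a set of verbs, applies the filter expression quoted in this article with `java.util.regex`, and compares the original and updated verb lists with a hypothetical gate that scans any non-empty body. The class and method names, the use of `find()` for matching, and the sample body are assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class MethodGateDemo {
    // Filter expression quoted in the article.
    static final Pattern FILTER = Pattern.compile("%60|%3B|%26|>|%3E|%5C");

    // Verbs whose body is scanned before and after the change shown above.
    static final Set<String> ORIGINAL =
            new LinkedHashSet<>(Arrays.asList("GET", "POST", "PUT"));
    static final Set<String> UPDATED =
            new LinkedHashSet<>(Arrays.asList("GET", "POST", "PUT", "PATCH", "DELETE"));

    /** Verb-list gate: the body is inspected only for listed methods. */
    static boolean blockedByVerbList(Set<String> scanned, String method, String body) {
        return scanned.contains(method) && FILTER.matcher(body).find();
    }

    /** Hypothetical alternative (assumption): inspect any non-empty body, whatever the verb. */
    static boolean blockedByBodyPresence(String body) {
        return body != null && !body.isEmpty() && FILTER.matcher(body).find();
    }

    public static void main(String[] args) {
        String body = "{\"comment\": \"a > b\"}"; // constructed sample body
        // OPTIONS stands in for a verb that appears in neither list.
        String[] methods = {"GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"};

        System.out.printf("%-8s %-9s %-8s %s%n",
                "method", "original", "updated", "body-presence");
        for (String m : methods) {
            System.out.printf("%-8s %-9s %-8s %s%n", m,
                    blockedByVerbList(ORIGINAL, m, body),
                    blockedByVerbList(UPDATED, m, body),
                    blockedByBodyPresence(body));
        }
    }
}
```

A policy regression test can use the same table: for every verb the published API accepts, a body containing a filtered character should be rejected.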