Regex (Regular Expression) Protection policy extracts information from a message (for example, URI Path, Query Param, Header, Form Param, Variable, XML Payload, or JSON Payload) and evaluates the data against predefined regular expressions and rejects the request if the specified patterns are matched since it is considered as a threat.
Configuration
The properties that have to be configured to use the policy are described below.
Figure 1: Regex Protection Policy Configuration attributes
| Property | Description |
| Ignore Unresolved Variables | If any of the variables being used as part of the configuration are not present in the incoming message, this property is used to determine whether the condition needs to be ignored or treated as an error. When enabled, the flow continues as usual. Otherwise, an error is sent back to the client reporting that the property is missing. |
| Check URI Path | Enable if information needs to be retrieved from the request URI path and matched with the regular expressions provided. |
| URI Path Pattern | Provides the regular expressions against which information extracted from the URI path needs to be evaluated. Enable this property to add the pattern using Add button. |
| Is XML Payload | Enable if information needs to be retrieved from an XML payload and matched with the regular expression provided. |
| XML Payload Namespaces | To add XML Namespaces to be used in the XPath evaluation. Enable this property to add the pattern using Add button. |
| XPath Expression | To specify the XPath expression for the variable. |
| XPath Type | The datatype for the Xpath. |
| XPath Pattern | To add regular expression patterns. Click Add button to add patterns. |
| Is JSON Payload | Enable if information needs to be retrieved from a JSON payload and matched with the regular expression provided. |
| JSON Path Expression | To specify the JSON expression for the variable. |
| JSON Path Pattern | To add regular expression patterns. Click Add button to add patterns. |
| Variable | To add additional variables. |
Example
The request URL used in this example is the following:
The request body should be like:
Configure Regex Protection policy for this project as shown below:
Figure 2: Regex Protection policy properties with values provided
The JSON Path Expression $.name points to the name field of the JSON sent in the request body, which is "JOHN". The JSON Path Pattern [A-Z]*$ matches with any string which constitutes of uppercase letters only. Hence, the above JSON input is considered a threat and the request is rejected.
Figure 3: Error message of failed Regex Protection policy