JSONThreatProtection 政策

本页面适用于 ApigeeApigee Hybrid

查看 Apigee Edge 文档。

政策图标

内容

通过指定各种 JSON 结构(例如数组和字符串)的限制,最大限度地减少内容级别攻击带来的风险。

此政策是一项可扩展政策,使用此政策可能会影响费用或使用情况,具体取决于您的 Apigee 许可。如需了解政策类型和使用情况影响,请参阅政策类型

视频:观看一个简短视频,详细了解 JSONThreatProtection 政策如何保护 API 免受内容级别攻击。

视频:在 Apigee 跨云 API 平台上观看此短视频。

元素参考

元素参考介绍 JSONThreatProtection 政策的元素和特性。

<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">
   <DisplayName>JSONThreatProtection 1</DisplayName>
   <ArrayElementCount>20</ArrayElementCount>
   <ContainerDepth>10</ContainerDepth>
   <ObjectEntryCount>15</ObjectEntryCount>
   <ObjectEntryNameLength>50</ObjectEntryNameLength>
   <Source>request</Source>
   <StringValueLength>500</StringValueLength>
</JSONThreatProtection>

<JSONThreatProtection> 特性

<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection-1">

The following table describes attributes that are common to all policy parent elements:

Attribute Description Default Presence
name

The internal name of the policy. The value of the name attribute can contain letters, numbers, spaces, hyphens, underscores, and periods. This value cannot exceed 255 characters.

Optionally, use the <DisplayName> element to label the policy in the management UI proxy editor with a different, natural-language name.

 N/A Required
continueOnError

Set to false to return an error when a policy fails. This is expected behavior for most policies.

Set to true to have flow execution continue even after a policy fails. See also:

 false Optional
enabled

Set to true to enforce the policy.

Set to false to turn off the policy. The policy will not be enforced even if it remains attached to a flow.

 true Optional
async

This attribute is deprecated.

 false Deprecated

<DisplayName> element

Use in addition to the name attribute to label the policy in the management UI proxy editor with a different, natural-language name.

<DisplayName>Policy Display Name</DisplayName>
Default

N/A

If you omit this element, the value of the policy's name attribute is used.
Presence Optional
Type String

<ArrayElementCount> 元素

指定数组中允许的最大元素数量。

<ArrayElementCount>20</ArrayElementCount>
默认: 如果您未指定此元素,或者指定负整数,系统不会强制执行限制。
状态: 可选
类型: 整数

<ContainerDepth> 元素

指定允许的最大包含深度,其中容器为对象或数组。例如,如果一个数组包含的一个对象还包含一个对象,则将导致包含深度为 3。

<ContainerDepth>10</ContainerDepth>
默认: 如果您未指定此元素,或者指定负整数,系统不会强制执行任何限制。
状态: 可选
类型: 整数

<ObjectEntryCount> 元素

指定对象中允许的最大条目数。

<ObjectEntryCount>15</ObjectEntryCount>
默认: 如果您未指定此元素,或者指定负整数,系统不会强制执行任何限制。
状态: 可选
类型: 整数

<ObjectEntryNameLength> 元素

指定对象中的属性名称允许的最大字符串长度。

<ObjectEntryNameLength>50</ObjectEntryNameLength>
默认: 如果您未指定此元素,或者指定负整数,系统不会强制执行限制。
状态: 可选
类型: 整数

<Source> 元素

要针对 JSON 载荷攻击筛查的消息。这最常设置为 request,因为您通常需要验证来自客户端应用的入站请求。设置为 message 时,此元素将在附加到请求流时自动评估请求消息,并在附加到响应流时自动评估响应消息。

<Source>request</Source>
默认: 请求
状态: 可选
类型:

String。

有效值:request、response 或 message。

<StringValueLength> 元素

指定字符串值允许的最大长度。

<StringValueLength>500</StringValueLength>
默认: 如果您未指定此元素,或者指定负整数,系统不会强制执行限制。
状态: 可选
类型: 整数

错误参考信息

This section describes the fault codes and error messages that are returned and fault variables that are set by Apigee when this policy triggers an error. This information is important to know if you are developing fault rules to handle faults. To learn more, see What you need to know about policy errors and Handling faults.

Runtime errors

These errors can occur when the policy executes.

Fault code HTTP status Cause Fix
steps.jsonthreatprotection.ExecutionFailed 500 The JSONThreatProtection policy can throw many different types of ExecutionFailed errors. Most of these errors occur when a specific threshold set in the policy is exceeded. These types of errors include: object entry name length, object entry count, array element count, container depth, string string value length. This error also occurs when the payload contains an invalid JSON object.
steps.jsonthreatprotection.SourceUnavailable 500 This error occurs if the message variable specified in the <Source> element is either:
  • Out of scope (not available in the specific flow where the policy is being executed)
  • Is not one of the valid values request, response, or message
steps.jsonthreatprotection.NonMessageVariable 500 This error occurs if the <Source> element is set to a variable which is not of type message.

Deployment errors

None.

Fault variables

These variables are set when this policy triggers an error. For more information, see What you need to know about policy errors.

Variables Where Example
fault.name="fault_name" fault_name is the name of the fault, as listed in the Runtime errors table above. The fault name is the last part of the fault code. fault.name Matches "SourceUnavailable"
jsonattack.policy_name.failed policy_name is the user-specified name of the policy that threw the fault. jsonattack.JTP-SecureRequest.failed = true

Example error response

{
  "fault": {
    "faultstring": "JSONThreatProtection[JPT-SecureRequest]: Execution failed. reason: JSONThreatProtection[JTP-SecureRequest]: Exceeded object entry name length at line 2",
    "detail": {
      "errorcode": "steps.jsonthreatprotection.ExecutionFailed"
    }
  }
}

Example fault rule

<FaultRule name="JSONThreatProtection Policy Faults">
    <Step>
        <Name>AM-CustomErrorResponse</Name>
        <Condition>(fault.name Matches "ExecutionFailed") </Condition>
    </Step>
    <Condition>(jsonattack.JPT-SecureRequest.failed = true) </Condition>
</FaultRule>

架构

使用说明

与基于 XML 的服务一样,支持 JavaScript 对象表示法 (JSON) 的 API 很容易受到内容级别攻击。简单 JSON 攻击试图使用压垮 JSON 解析器的结构来使服务崩溃并引发应用级别拒绝服务攻击。所有设置都是可选的,并且应进行调整以优化服务要求,以防范潜在的漏洞。

相关主题

JSONtoXML 政策

XMLThreatProtection 政策

RegularExpressionProtection 政策