nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks source link

Can't whitelist json child fields #469

Closed oswaldquek closed 11 months ago

oswaldquek commented 5 years ago

I need to write a rule that will whitelist anything under a json node. So for example I want to send the following in an HTTP request body and whitelist a rule for metadata that will apply to any child node:

{
  "metadata": {
    "foo": "I'm hungry",
    "foo2": "I'm hungry"
  }
}

where anything under metadata (so foo and foo2) are user defined. Is it possible to do this? I can't find anything in the documentation.

My current rule is BasicRule wl:1013 "mz:$URL_X:^/v1/payments/?$|$BODY_VAR_X:metadata" which doesn't work.

buixor commented 5 years ago

Hello,

Unfortunately, I don't think the json parser supports this yet, but I need to look into it, as I have already issue #457 that is somehow related.