Protect Against JSON Document Structure Assertion

The Protect Against JSON Document Structure Threats assertion validates and enforces constraints on the structure of JSON documents. When the structure of an incoming JSON document exceeds a specified constraint, the API Gateway rejects the JSON document and blocks further processing of the policy.
The following example JSON documents are referenced in the property descriptions below:
  • Example 1: Single typed value document:
    "one simple value"
  • Example 2: Typical document:
    { "msg":"Hello", "color":[0,0,255], "options":{ "underline":false, "bold":true } }
To learn about selecting the target message for this assertion, see Select a Target Message.
(1) This assertion should be placed before any other JSON-related assertions (Apply JSON Transformation, Evaluate JSON Path, Validate JSON Schema) in order to protect them against DoS attacks. (2) This assertion always evaluates the document for valid JSON structure, even if no limits are enabled.
Using the Assertion
  1. Do one of the following:
    • To add the assertion to the Policy Development window, see Add an Assertion.
    • To change the configuration of an existing assertion, proceed to step 2 below.
  2. When adding the assertion, the JSON Document Structure Threat Protection Properties automatically appear; when modifying the assertion, right-click <target>: Protect against JSON Document Structure Threats in the policy window and select JSON Document Structure Threat Protection Properties or double-click the assertion in the policy window. The assertion properties are displayed.
  3. Configure the properties as follows:
    Setting: Container Depth
    Description:
      This is the maximum nesting of containers within a JSON document. Example 1 above contains a string, which is the only type of document with a container depth of 0. Every open object or array increases the container depth by one. In Example 2, the “msg” entry has a container depth of 1, and the values in the “color” array have a depth of 2.
      Select this check box to reject any JSON document with a container depth that exceeds the value entered here. The container depth can be from 0 to 30. Default: 4
      A value of '0' is valid only for a single typed value document.

    Setting: Object Entry Count
    Description:
      This is the maximum number of entries (comma-delimited string:value pairs) in a single object. Example 1 has a maximum object entry count of 0 (as it is a single typed value, it does not contain an object). Example 2 has a maximum entry count of 3 (the top-level entries: "msg", "color", "options").
      Select this check box to reject any JSON document with an object entry count that exceeds the value entered here.

    Setting: Array Entry Count
    Description:
      This is the maximum number of entries (comma-delimited values) in an array. The array in Example 2 has an entry count of 3. As with the object entry count, the count is done for each array, not all arrays in the document.
      Select this check box to reject any JSON document with an array entry count that exceeds the value entered here.

    Setting: Entry Name Length
    Description:
      This is the maximum number of characters in the name of an entry. A setting of 7 would be violated by the string “underline” (which contains 9 characters), but not by “msg”, “bold”, “color”, or “options”.
      Select this check box to reject any JSON document with a name length that exceeds the value entered here.

    Setting: String Value Length
    Description:
      This is the maximum number of characters in a string value. In Example 2, the longest string value is 5 characters (“Hello”).
      Select this check box to reject any JSON document with a string value that exceeds the value entered here.
  4. Click [OK] when done.
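
The five measurements from the property table, computed for Example 1 and Example 2, as an added example (not the gateway's own code). The function names, the LIMITS values other than the Container Depth default of 4, and counting characters as Python code points are assumptions made for illustration.

```python
import json

class Obj(list):
    """JSON object kept as a list of (name, value) pairs so duplicate names still count."""

# Constructed limits for illustration; only the Container Depth default (4) comes from the page.
LIMITS = {"container_depth": 4, "object_entries": 3, "array_entries": 3,
          "entry_name_length": 7, "string_value_length": 16}

def measure(text):
    """Return the five structure metrics for a JSON text, as the property table defines them."""
    root = json.loads(text, object_pairs_hook=Obj)  # raises ValueError on invalid JSON
    m = dict.fromkeys(LIMITS, 0)
    stack = [(root, 0)]  # (value, containers open around it); iterative walk, no recursion
    while stack:
        value, depth = stack.pop()
        if isinstance(value, Obj):
            m["object_entries"] = max(m["object_entries"], len(value))
            for name, child in value:
                m["entry_name_length"] = max(m["entry_name_length"], len(name))
                stack.append((child, depth + 1))
        elif isinstance(value, list):
            m["array_entries"] = max(m["array_entries"], len(value))
            stack.extend((child, depth + 1) for child in value)
        elif isinstance(value, str):
            m["string_value_length"] = max(m["string_value_length"], len(value))
        if isinstance(value, list):  # Obj subclasses list: each open container adds one level
            m["container_depth"] = max(m["container_depth"], depth + 1)
    return m

def violations(text, limits=LIMITS):
    """Return the names of exceeded limits; a non-empty list means reject the document.
    Pass only the enabled limits to model check boxes that are left cleared."""
    try:
        metrics = measure(text)
    except (ValueError, RecursionError):  # malformed, or nested too deeply for the parser
        return ["invalid_json"]
    return sorted(k for k, limit in limits.items() if metrics[k] > limit)

# The two example documents from this page.
EXAMPLE_1 = '"one simple value"'
EXAMPLE_2 = '{ "msg":"Hello", "color":[0,0,255], "options":{ "underline":false, "bold":true } }'

if __name__ == "__main__":
    for doc in (EXAMPLE_1, EXAMPLE_2):
        print(measure(doc), violations(doc))
```

This sketch parses the whole document before measuring it, so an enforcement point that must bound memory on hostile input would apply the same counts while tokenizing instead.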