Original Message:
Sent: Mon February 20, 2023 07:07 AM
From: Steve Linn
Subject: JSON SQL injection attack prevention using gatewayscript
Hi Vyasavardhan,
For your error:
Cannot read property 'match' of undefined at Object.<anonymous> (local:///SQL-json.js:48:16)'
The match function is part of a string object, but the variable you're doing the match on is undefined per the error message, i.e.,
var input = context.get('request.body');
var match = input.match(regexp); // if input is undefined this will generate the same error.
I'm not sure how you are populating your input variable. Checking for a valid input prior to doing the match is one way to avoid this error; for example, if you had an HTTP GET operation you may not have an input:
var input = context.get('request.body');
if (input) {
    var match = input.match(regexp); // input has been checked to be defined, so this will not create this error
}
Best Regards,
Steve Linn
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
Original Message:
Sent: Mon February 20, 2023 06:55 AM
From: Vyasavardhan Ramagiri
Subject: JSON SQL injection attack prevention using gatewayscript
We tried but got the following error.
GatewayScript processing Error 'TypeError: Cannot read property 'match' of undefined In file 'local:///SQL-json.js' line:48, stack:TypeError: Cannot read property 'match' of undefined at Object.<anonymous> (local:///SQL-json.js:48:16)'
Unable to open the script module file 'match'
Please help us to achieve this.
Thanks in Advance!!
------------------------------
Vyasavardhan Ramagiri
Original Message:
Sent: Fri February 17, 2023 03:41 PM
From: Steve Linn
Subject: JSON SQL injection attack prevention using gatewayscript
Hi Vyasavardhan,
Assuming input is a string, input.includes doesn't take a regex as an argument.
Try
var match = input.match(regexPattern);
If it finds a match, you'll have an array with the matched string in the first array element, and any capture group in the regex will be shown in the subsequent array elements. If there is no match, null is returned.
Best Regards,
Steve Linn
------------------------------
Steve Linn
Senior Consulting I/T Specialist
IBM
Original Message:
Sent: Fri February 17, 2023 01:58 AM
From: Vyasavardhan Ramagiri
Subject: JSON SQL injection attack prevention using gatewayscript
Hi All,
We are trying to protect our JSON request from SQL injection attacks by using GatewayScript code. I am trying to match the patterns from the file which is stored at store:///SQL-Injection-Patterns.xml on DataPower. But the issue is that I am unable to match the patterns taken from the store file against the request. I used the following function in my GatewayScript.
"if (input.includes(pattern))" In this condition I am unable to execute the "includes" function. Could anyone please help in achieving this and guide me in doing SQL injection protection of a JSON request using GatewayScript?
Here (in the "if" condition),
input - refers to Incoming JSON Request
pattern - regex from the store file (Ex: "('[\s]*;|'[\s]*[\)]+|'[\s]*[\+]+|'[\s]*[\*]+|'[\s]*[\=]+)")
------------------------------
Vyasavardhan Ramagiri
------------------------------
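An added example, not part of the original thread and not IBM's code: it combines the two checks from the replies (guard against an undefined body, then test with a compiled regex rather than `includes`) and extends them to walk every string in the parsed JSON. The names `compilePatterns`, `findSqlInjection`, `PATTERN_SOURCES` and `SAMPLE_BODY` are hypothetical, and the sample body is constructed; in GatewayScript the body would be obtained the way the replies show.

```javascript
// Constructed pattern list; the single entry is the example regex quoted in the
// question, standing in for what is read from SQL-Injection-Patterns.xml.
const PATTERN_SOURCES = [
  String.raw`('[\s]*;|'[\s]*[\)]+|'[\s]*[\+]+|'[\s]*[\*]+|'[\s]*[\=]+)`,
];

// Constructed request body for illustration only.
const SAMPLE_BODY =
  '{"user":"O\'Brien","filter":{"name":"x\' ; y"},"tags":["ok","a\' = b"]}';

// Patterns arrive as strings, so they must be compiled with new RegExp().
function compilePatterns(sources) {
  return sources.map((src) => new RegExp(src, 'i'));
}

// Returns [{ path, pattern }] for every string value or key that matches.
function findSqlInjection(body, regexps) {
  const hits = [];
  if (body === undefined || body === null) return hits; // e.g. HTTP GET, no body

  let root = body;
  if (typeof body === 'string') {
    // Parse JSON text; if it is not JSON, scan the raw string instead.
    try { root = JSON.parse(body); } catch (e) { root = body; }
  }

  const check = (text, path) => {
    for (const re of regexps) {
      if (re.test(text)) hits.push({ path, pattern: re.source });
    }
  };

  const walk = (node, path) => {
    if (typeof node === 'string') {
      check(node, path);
    } else if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node !== null && typeof node === 'object') {
      for (const key of Object.keys(node)) {
        check(key, `${path}.${key}(key)`); // keys can carry payloads too
        walk(node[key], `${path}.${key}`);
      }
    }
    // numbers, booleans and null carry no string payload to scan
  };
  walk(root, '$');
  return hits;
}
```

Pattern matching of this kind is a coarse filter that will miss encodings the patterns do not anticipate; parameterized queries in the backend remain the actual fix for SQL injection.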