AssignMessage request parameters pollution

Severity
High
Applies to
AssignMessage
Links
CWE-20

Why This Issue Is Important

In an Apigee proxy, the AssignMessage policy is used to modify or construct messages by adding or setting headers, query parameters, or payloads. If the policy adds parameters to the request instead of setting them, it can lead to a security vulnerability known as parameter pollution. Parameter pollution occurs when an attacker introduces parameters before they are added by the AssignMessage policy, potentially overriding the intended request processing logic. This can result in unauthorized access, data manipulation, or other unexpected behavior.

Ensuring that parameters are set (using the Set tag) rather than added (using the Add tag) is crucial to maintaining the integrity of the request processing logic and preventing attackers from exploiting this weakness.

How This Issue Is Detected

CodeSent scans the AssignMessage policy to identify any operations where parameters are added to the request using the Add tag. The tool checks if the parameters should be set using the Set tag instead, ensuring that any existing parameters are replaced rather than appended. If the Add operation is detected in a context where it could lead to parameter pollution, CodeSent flags this as a potential security risk.

How to Fix the Issue

To fix this issue, you should change the AssignMessage policy to use the Set tag instead of the Add tag when dealing with request parameters.

If your AssignMessage policy currently looks like this:

<AssignMessage name="AddQueryParam">
    <Add>
        <QueryParams>
            <QueryParam name="user">JohnDoe</QueryParam>
        </QueryParams>
    </Add>
</AssignMessage>

You should change it to use the Set tag:

<AssignMessage name="SetQueryParam">
    <Set>
        <QueryParams>
            <QueryParam name="user">JohnDoe</QueryParam>
        </QueryParams>
    </Set>
</AssignMessage>

This ensures that the user parameter is explicitly set, replacing any existing value, thereby preventing parameter pollution and ensuring the integrity and security of the request processing logic in the proxy.
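As an added example, not CodeSent's own scanner code, the following Python check reproduces the detection described under "How This Issue Is Detected" and the Add-to-Set fix shown above, run over the two sample policies from this page: find_added_params reports every parameter placed under Add, and rewrite_add_to_set moves those containers under Set so the flagged policy passes. The function names, the rewrite helper, and the decision to check Headers and FormParams alongside QueryParams are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Containers whose entries are appended, not replaced, when placed under <Add>.
PARAM_CONTAINERS = ("QueryParams", "Headers", "FormParams")

# Constructed inputs: the two policies shown on this page.
ADD_POLICY = """<AssignMessage name="AddQueryParam">
    <Add>
        <QueryParams>
            <QueryParam name="user">JohnDoe</QueryParam>
        </QueryParams>
    </Add>
</AssignMessage>"""
SET_POLICY = ADD_POLICY.replace("Add", "Set")  # the corrected policy from the page


def find_added_params(policy_xml):
    """Return (container, name) for every parameter placed under <Add>.

    An empty list means nothing is appended, so a client-supplied parameter
    cannot end up beside the policy's value in the forwarded request."""
    root = ET.fromstring(policy_xml)
    if root.tag != "AssignMessage":
        raise ValueError("not an AssignMessage policy: <%s>" % root.tag)
    findings = []
    for add in root.findall("Add"):  # direct <Add> children only
        for container in PARAM_CONTAINERS:
            child_tag = container[:-1]  # QueryParams -> QueryParam, etc.
            for param in add.findall("%s/%s" % (container, child_tag)):
                findings.append((container, param.get("name", "")))
    return findings


def rewrite_add_to_set(policy_xml):
    """Move parameter containers from <Add> into <Set>, as the fix above does."""
    root = ET.fromstring(policy_xml)
    for add in list(root.findall("Add")):
        for container in PARAM_CONTAINERS:
            for node in list(add.findall(container)):
                add.remove(node)
                set_el = root.find("Set")
                if set_el is None:
                    set_el = ET.SubElement(root, "Set")
                set_el.append(node)
        if len(add) == 0:  # drop an <Add> left empty by the move
            root.remove(add)
    return ET.tostring(root, encoding="unicode")
```

Running find_added_params on the page's AddQueryParam policy returns [("QueryParams", "user")], while the SetQueryParam policy and the rewritten policy both return an empty list.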