JSONThreatProtection policy is not applied to a request body with JSON type

Severity
High
Applies to
Flow
Links
CWE-502 CWE-20

Why This Issue Is Important

In an Apigee proxy, any flow that accepts a JSON request body and parses it (for example with an ExtractVariables policy that has a JSONPayload section, a JSONToXML policy, or a JavaScript step that reads request.content) should run a JSONThreatProtection policy before that parsing step. JSONThreatProtection enforces structural limits on the incoming document (container depth, array element count, object entry count, object entry name length, string value length) and raises a fault when a limit is exceeded, so oversized or deeply nested payloads are rejected before any parser touches them. If the policy is missing, or is placed after the parsing step, an attacker can send crafted JSON that exhausts parser CPU and memory in the proxy or reaches backend deserialization logic unchecked, leading to denial of service, data corruption, or a security breach. The policy only protects steps that execute after it, so its position in the flow matters as much as its presence.

How This Issue Is Detected

CodeSent walks the request flow and identifies the steps whose policy parses the request body as JSON. For each such step it checks whether a JSONThreatProtection policy is applied in one of the preceding steps of that flow. If no JSONThreatProtection step precedes the first JSON parsing step, CodeSent flags the flow as a potential security risk.

How to Fix the Issue

To fix this issue, add a JSONThreatProtection policy to the proxy and attach it as a request step that runs before any step that parses the JSON body. The safest placement is at the start of the ProxyEndpoint PreFlow request, because PreFlow executes before every conditional flow. Set the limits (ContainerDepth, ArrayElementCount, ObjectEntryCount, ObjectEntryNameLength, StringValueLength) to values that comfortably cover legitimate payloads for the API, and keep Source set to request so the policy inspects the inbound message. A payload that exceeds a limit raises a fault and the parsing step never executes.
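The following is an added example, not code from the original page or from CodeSent, that serves both the detection description and the fix above. It embeds a constructed ProxyEndpoint whose PreFlow parses the body with ExtractVariables before any threat protection, the same endpoint with a JSONThreatProtection step placed first, and the two policy definitions. The ordering check models Apigee's request path (PreFlow, then at most one conditional Flow, then PostFlow) so a JSONThreatProtection step inside one conditional Flow is not credited to parsers in another. The policy names and the limit values are assumptions chosen for illustration; the element names are the standard Apigee policy elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the PreFlow parses the request body with
# ExtractVariables and no JSONThreatProtection step precedes it.
VULNERABLE_PROXY_ENDPOINT = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>EV-ExtractOrderId</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
  <Flows/>
  <HTTPProxyConnection><BasePath>/orders</BasePath></HTTPProxyConnection>
  <RouteRule name="default"><TargetEndpoint>default</TargetEndpoint></RouteRule>
</ProxyEndpoint>"""

# The fix: the threat-protection step is attached first in the PreFlow
# request, so it executes before the parsing step in every request.
FIXED_PROXY_ENDPOINT = VULNERABLE_PROXY_ENDPOINT.replace(
    "<Step><Name>EV-ExtractOrderId</Name></Step>",
    "<Step><Name>JTP-LimitRequestBody</Name></Step>\n"
    "      <Step><Name>EV-ExtractOrderId</Name></Step>",
)

# Policy definitions keyed by the name the flow steps reference.
# The JSONThreatProtection limits are illustrative assumptions; size them
# to the API's real payloads. Source=request inspects the inbound message.
POLICIES = {
    "JTP-LimitRequestBody": """<JSONThreatProtection name="JTP-LimitRequestBody">
  <ArrayElementCount>100</ArrayElementCount>
  <ContainerDepth>10</ContainerDepth>
  <ObjectEntryCount>50</ObjectEntryCount>
  <ObjectEntryNameLength>64</ObjectEntryNameLength>
  <StringValueLength>2048</StringValueLength>
  <Source>request</Source>
</JSONThreatProtection>""",
    "EV-ExtractOrderId": """<ExtractVariables name="EV-ExtractOrderId">
  <Source>request</Source>
  <JSONPayload>
    <Variable name="order_id"><JSONPath>$.order.id</JSONPath></Variable>
  </JSONPayload>
</ExtractVariables>""",
}

# Policy types that always parse the JSON body.
ALWAYS_PARSES_JSON = {"JSONToXML"}


def policy_type(policy_xml):
    """The root element of an Apigee policy file is its policy type."""
    return ET.fromstring(policy_xml).tag


def parses_json(policy_xml):
    """True if executing this policy parses the message body as JSON."""
    root = ET.fromstring(policy_xml)
    if root.tag in ALWAYS_PARSES_JSON:
        return True
    return root.tag == "ExtractVariables" and root.find("JSONPayload") is not None


def unprotected_json_parsers(proxy_endpoint_xml, policies):
    """Return the names of JSON-parsing request steps that no
    JSONThreatProtection step precedes on their execution path."""
    root = ET.fromstring(proxy_endpoint_xml)
    findings = []

    def walk(steps, protected):
        for step in steps:
            name = (step.findtext("Name") or "").strip()
            if name not in policies:
                continue  # unknown policy: neither protects nor parses
            if policy_type(policies[name]) == "JSONThreatProtection":
                protected = True
            elif parses_json(policies[name]) and not protected:
                findings.append(name)
        return protected

    # PreFlow always runs first; its protection carries into every Flow.
    pre_protected = walk(root.findall("PreFlow/Request/Step"), False)
    for flow in root.findall("Flows/Flow"):
        walk(flow.findall("Request/Step"), pre_protected)
    # Conservative: credit PostFlow only with PreFlow protection, since a
    # JTP step inside one conditional Flow may not have executed.
    walk(root.findall("PostFlow/Request/Step"), pre_protected)
    return findings


if __name__ == "__main__":
    print("vulnerable:", unprotected_json_parsers(VULNERABLE_PROXY_ENDPOINT, POLICIES))
    print("fixed:", unprotected_json_parsers(FIXED_PROXY_ENDPOINT, POLICIES))
```

Run stand-alone, the script reports EV-ExtractOrderId as unprotected for the vulnerable endpoint and nothing for the fixed one. The check deliberately ignores Response steps, because JSONThreatProtection with Source set to request only inspects the inbound message; protecting a response body would need a separate step with Source set to response.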