MatchesPath is applied to a static parameter

Severity: Medium
Applies to: Target Proxy
Links: CWE-20

Why This Issue Is Important

Applying the MatchesPath function to static parameters in an Apigee proxy can create a security vulnerability. This function is typically used to match dynamic path segments, but when it is applied to static parameters, it can inadvertently allow attackers to manipulate the request path. For example, an attacker might introduce additional path parameters using delimiters like colons, semicolons, or equal signs, potentially altering the way the target system processes the request. This could lead to unexpected behavior, including unauthorized access or denial of service, especially if the application is not prepared to handle such malformed paths.

How This Issue Is Detected

CodeSent scans all conditions within the proxy, including flow conditions, step conditions, and route rule conditions, to identify any instances where the MatchesPath function is used.

The tool specifically looks for instances where MatchesPath is applied to a static path, which should be compared using a strict equality check rather than pattern matching. It does this by finding MatchesPath expressions within a condition whose path argument contains no dynamic or wildcard segment (e.g., no curly braces {} marking a dynamic segment).

If CodeSent finds MatchesPath applied to a static path, it creates a trace to pinpoint where this happens in the proxy configuration.

How to Fix the Issue

To fix this issue, replace the MatchesPath function with a strict comparison operator == when dealing with static parameters. This ensures that the comparison is exact and does not allow for any manipulation of the request path. By doing so, you can prevent attackers from exploiting the flexibility of MatchesPath to introduce unexpected parameters or alter the request path in a way that might compromise the system's integrity.

If your proxy configuration contains a condition like this:

<Condition>proxy.pathsuffix MatchesPath "/static/path"</Condition>

You should replace it with:

<Condition>proxy.pathsuffix == "/static/path"</Condition>

This change ensures that the request path must exactly match the static path, avoiding the risks associated with using MatchesPath for static values.
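The following script is an added example, not part of this page or of CodeSent, that mirrors both the detection heuristic described above (MatchesPath with no {} or * segment in its path argument, scanned across every Condition element) and the == rewrite recommended in the fix section. The proxy fragment it scans is constructed for the example; the symbol form ~/ is Apigee's alias for MatchesPath.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Apigee proxy fragment (not a real proxy): a static MatchesPath,
# a {dynamic} segment, a * wildcard, a strict == check, and a route rule
# that uses the ~/ symbol form of MatchesPath on a static path.
SAMPLE_PROXY_XML = """<ProxyEndpoint name="default">
  <Flows>
    <Flow name="static"><Condition>proxy.pathsuffix MatchesPath "/static/path"</Condition></Flow>
    <Flow name="dynamic"><Condition>(proxy.pathsuffix MatchesPath "/users/{id}") and (request.verb = "GET")</Condition></Flow>
    <Flow name="wildcard"><Condition>proxy.pathsuffix MatchesPath "/files/*"</Condition></Flow>
    <Flow name="strict"><Condition>proxy.pathsuffix == "/health"</Condition></Flow>
  </Flows>
  <RouteRule name="legacy"><Condition>proxy.pathsuffix ~/ "/legacy"</Condition></RouteRule>
</ProxyEndpoint>"""

# <variable> MatchesPath "<pattern>"  (or the symbol form  <variable> ~/ "<pattern>")
MATCHES_PATH_RE = re.compile(r'([A-Za-z_][\w.]*)\s+(?:MatchesPath|~/)\s+"([^"]*)"', re.IGNORECASE)

def is_static_pattern(pattern):
    """A path argument with no {segment} and no * wildcard is static."""
    return "{" not in pattern and "*" not in pattern

def find_static_matchespath(proxy_xml):
    """Return (condition text, static path) pairs for every Condition element,
    wherever it sits (flow, step or route rule), that applies MatchesPath to a static path."""
    root = ET.fromstring(proxy_xml)
    findings = []
    for cond in root.iter("Condition"):
        text = cond.text or ""
        for _variable, pattern in MATCHES_PATH_RE.findall(text):
            if is_static_pattern(pattern):
                findings.append((text, pattern))
    return findings

def suggest_fix(condition_text):
    """Rewrite static MatchesPath comparisons to strict equality (==); dynamic
    and wildcard patterns are left untouched."""
    def repl(match):
        variable, pattern = match.group(1), match.group(2)
        if is_static_pattern(pattern):
            return f'{variable} == "{pattern}"'
        return match.group(0)
    return MATCHES_PATH_RE.sub(repl, condition_text)

if __name__ == "__main__":
    for text, pattern in find_static_matchespath(SAMPLE_PROXY_XML):
        print(f'static MatchesPath on "{pattern}": {text}\n  fix: {suggest_fix(text)}')
```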