Proxy doesn't have default flow

Severity
High
Applies to
Proxy
Links
CWE-20

Why This Issue Is Important

Apigee evaluates the conditional flows of a ProxyEndpoint in order and executes only the first one whose Condition evaluates to true. A flow with no Condition is always true, so when it is placed last it acts as the default flow: the catch-all for every request that satisfied none of the other conditions. Without such a flow, a request whose path or verb matches no conditional flow is not rejected; it passes only through the PreFlow and PostFlow and is then forwarded to the target unchanged. If input validation, authorization checks or the rejection of unknown routes live inside the conditional flows, those requests bypass them entirely, and an attacker can reach the target with unvalidated input or through a route the proxy never intended to expose. A default flow is where such requests are either validated like any other request or explicitly rejected, typically with a RaiseFault policy.

How This Issue Is Detected

CodeSent scans the ProxyEndpoint configuration and collects every Flow defined under the Flows element, together with its Condition.

It then checks whether at least one of these flows has no Condition. Such a flow matches every request and acts as the default flow for requests that do not satisfy any of the other conditions.

If no flow without a Condition exists, CodeSent reports the issue.

How to Fix the Issue

To fix this issue, add a flow without a Condition to the Flows section of the ProxyEndpoint and make it the last flow in the list. Apigee runs the first flow whose condition is true, and an unconditional flow is always true, so placing it before other flows would shadow every flow after it. Use the default flow either to apply the same validation policies as the conditional flows or to reject requests that match no known route, for example with a RaiseFault policy.

If your proxy currently has only conditional flows like this:

<Flow name="SpecificConditionFlow">
    <Condition>proxy.pathsuffix == "/specific-path"</Condition>
    <Request>
        ...
        <Step>
            <Name>SomePolicy</Name>
        </Step>
        ...
    </Request>
</Flow>

You should add a default flow without a condition, placed after all conditional flows:

<!-- No Condition: matches every request not handled by an earlier flow. Keep it last. -->
<Flow name="DefaultFlow">
    <Request>
        ...
        <Step>
            <Name>SomePolicy</Name>
        </Step>
        ...
    </Request>
</Flow>
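The detection logic described under "How This Issue Is Detected" and the fix described under "How to Fix the Issue", as an added example in Python. This is not CodeSent's implementation and not part of any Apigee tooling; it applies the rule from this page to a ProxyEndpoint XML document using only the standard library, and additionally reports a default flow that is not last, since such a flow shadows every flow after it. The three ProxyEndpoint documents are constructed samples; the policy name RejectUnknownPath is a hypothetical RaiseFault policy, and treating an empty Condition element as unconditional is an assumption made here.

```python
"""Flag an Apigee ProxyEndpoint that has no default (unconditional) flow.

Added example: this is not CodeSent's code. It applies the rule described
on this page to a ProxyEndpoint XML document and also reports a default
flow that is not the last flow, because Apigee executes only the first
flow whose condition holds and an unconditional flow always holds.
"""
import xml.etree.ElementTree as ET


def _is_unconditional(flow: ET.Element) -> bool:
    """A flow with no <Condition>, or an empty one, matches every request.

    Treating an empty <Condition/> as unconditional is an assumption here.
    """
    cond = flow.find("Condition")
    return cond is None or not (cond.text or "").strip()


def check_default_flow(proxy_endpoint_xml: str) -> list[str]:
    """Return findings for one ProxyEndpoint document; an empty list means OK."""
    root = ET.fromstring(proxy_endpoint_xml)
    flows = root.findall("./Flows/Flow")
    names = [f.get("name", "<unnamed>") for f in flows]
    findings = []

    unconditional = [i for i, f in enumerate(flows) if _is_unconditional(f)]
    if not unconditional:
        findings.append(
            "no default flow: a request matching no <Condition> runs only "
            "PreFlow/PostFlow and is forwarded to the target"
        )
        return findings

    first = unconditional[0]
    if first != len(flows) - 1:
        # Every flow after the first unconditional one can never execute.
        shadowed = ", ".join(names[first + 1:])
        findings.append(
            f"default flow '{names[first]}' is not last: it shadows {shadowed}"
        )
    return findings


# Constructed sample (not from a real proxy bundle): only a conditional flow.
ONLY_CONDITIONAL = """\
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="SpecificConditionFlow">
      <Condition>proxy.pathsuffix == "/specific-path"</Condition>
      <Request><Step><Name>SomePolicy</Name></Step></Request>
    </Flow>
  </Flows>
</ProxyEndpoint>
"""

# Fixed: the unconditional flow is last. RejectUnknownPath is a hypothetical
# RaiseFault policy that returns an error for routes the proxy does not define.
FIXED = """\
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="SpecificConditionFlow">
      <Condition>proxy.pathsuffix == "/specific-path"</Condition>
      <Request><Step><Name>SomePolicy</Name></Step></Request>
    </Flow>
    <Flow name="DefaultFlow">
      <Request><Step><Name>RejectUnknownPath</Name></Step></Request>
    </Flow>
  </Flows>
</ProxyEndpoint>
"""

# Wrong fix: the default flow comes first, so SpecificConditionFlow never runs.
MISORDERED = """\
<ProxyEndpoint name="default">
  <Flows>
    <Flow name="DefaultFlow">
      <Request><Step><Name>RejectUnknownPath</Name></Step></Request>
    </Flow>
    <Flow name="SpecificConditionFlow">
      <Condition>proxy.pathsuffix == "/specific-path"</Condition>
      <Request><Step><Name>SomePolicy</Name></Step></Request>
    </Flow>
  </Flows>
</ProxyEndpoint>
"""

if __name__ == "__main__":
    for label, doc in [("only conditional", ONLY_CONDITIONAL),
                       ("fixed", FIXED), ("misordered", MISORDERED)]:
        print(label, "->", check_default_flow(doc) or "OK")
```

Run against a real bundle by reading each file under apiproxy/proxies/ and passing its contents to check_default_flow; the ordering check is the part the page's rule does not cover, and it is the mistake most often made when the fix is applied by simply appending a flow at the top of the list.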