
Apigee Lab 5a: Using Regex Threat Protection


Lab: 1 hour 30 minutes, 5 credits, Introductory level

Overview

In this lab, you use the RegularExpressionProtection policy to detect malicious requests.

Objectives

In this lab, you learn how to protect your API proxy against malicious requests using regular expressions.

Setup

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Sign in to Qwiklabs using an incognito window.

  2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time.
    There is no pause feature. You can restart if needed, but you have to start at the beginning.

  3. When ready, click Start lab.

  4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

  5. Click Open Google Console.

  6. Click Use another account and copy/paste credentials for this lab into the prompts.
    If you use other credentials, you'll receive errors or incur charges.

  7. Accept the terms and skip the recovery resource page.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine loaded with development tools. It offers a persistent 5 GB home directory and runs on Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

  1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

    Highlighted Cloud Shell icon

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:

Project ID highlighted in the Cloud Shell Terminal

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  • You can list the active account name with this command:

    gcloud auth list

    Output:

    Credentialed accounts:
    - <myaccount>@<mydomain>.com (active)

    Example output:

    Credentialed accounts:
    - google1623327_student@qwiklabs.net

  • You can list the project ID with this command:

    gcloud config list project

    Output:

    [core]
    project = <project_ID>

    Example output:

    [core]
    project = qwiklabs-gcp-44776a13dea667a6

    Note: Full documentation of gcloud is available in the gcloud CLI overview guide.

Task 1. Create a new proxy

In this task, you create a new API proxy.

Pin the Apigee console page

  1. In the Google Cloud console, on the Navigation menu (Navigation menu), look for Apigee in the Pinned Products section.

    The Apigee console page will open.

  2. If Apigee is not pinned, search for Apigee in the top search bar and navigate to the Apigee service.

  3. Hover over the name, then click the pin icon (pin button for pinned product).

    The Apigee console page will now be pinned to the Navigation menu.

Create the proxy

  1. On the left navigation menu, select Proxy development > API proxies.

  2. To start the proxy wizard, click +Create.

  3. Leave Proxy template unchanged.

  4. Specify the following settings:

    Property Value
    Proxy Name lab5a-v1
    Base path /lab5a/v1
    Target (Existing API) https://httpbin.org/anything

    The httpbin.org/anything API returns detailed information about the API request it was sent.

    Note: Confirm that you are using "/lab5a/v1" for the base path, and not "/lab5a-v1".
  5. Click Create.

  6. Click the Develop tab.

Task 2. Add a RegularExpressionProtection policy

In this task, you add a RegularExpressionProtection policy to protect against malicious requests.

  1. Click Proxy endpoints > default > PreFlow.

  2. On the Request PreFlow, click Add Policy Step (+).

    default proxy endpoint Request PreFlow

  3. In the Add policy step pane, select Create new policy, and then select Security > Regular Expression Protection.

  4. Specify the following values:

    Property Value
    Name RegexTP-SQLInjection
    Display name RegexTP-SQLInjection
  5. Click Add.

  6. Click Policies > RegexTP-SQLInjection.

  7. Replace the policy's default configuration with:

    <RegularExpressionProtection continueOnError="false" enabled="true" name="RegexTP-SQLInjection">
      <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
      <QueryParam name="test">
        <Pattern>[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
      </QueryParam>
      <Source>request</Source>
    </RegularExpressionProtection>

    A RegularExpressionProtection policy raises a fault if any of the regular expressions in the policy match the data in the configured location.

    Source is set to request, so the policy inspects the inbound request. A RegularExpressionProtection policy can check many parts of a message: the URI path, query parameters, headers, form parameters, flow variables, and XML or JSON payloads. In this case the policy is configured to check only the query parameter named test, using a regular expression that contains several dangerous SQL keywords. A match anywhere in the parameter value raises the fault.

    Note: The pattern configured in the proxy is an example regular expression intended for use in this lab. It is not intended to recommend a pattern that would protect your proxies in a production environment. You should consult your security team to determine the regular expressions necessary to protect your APIs for your specific scenarios.
  8. Click Save.

  9. Click Deploy.

  10. To specify that you want the new revision deployed to the eval environment, select eval as the Environment, and then click Deploy.

  11. Click Confirm.

Check deployment status

A proxy that is deployed and ready to take traffic will show a green status on the Overview tab.

Status: Currently on eval: Revision 1. In this instance, "Revision 1" is green.

When a proxy is marked as deployed but the runtime is not yet available and the environment is not yet attached, you may see a red warning sign. Hold the pointer over the Status icon to see the current status.

Status: displays with a warning symbol. The Details popup message is: Status: no instances are reporting status for this environment.

If the proxy is deployed and shows as green, your proxy is ready for API traffic. If your proxy is not deployed because there are no runtime pods, you can check the provisioning status.

Check provisioning status

  • In Cloud Shell, to confirm that the runtime instance has been installed and the eval environment has been attached, run the following commands:

    # Poll the Apigee API until the runtime instance is ACTIVE, then until the eval environment is attached to it.
    export PROJECT_ID=$(gcloud config list --format 'value(core.project)'); echo "PROJECT_ID=${PROJECT_ID}";
    export INSTANCE_NAME=eval-instance; export ENV_NAME=eval; export PREV_INSTANCE_STATE=;
    echo "waiting for runtime instance ${INSTANCE_NAME} to be active";
    while : ; do
      export INSTANCE_STATE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${PROJECT_ID}/instances/${INSTANCE_NAME}" | jq "select(.state != null) | .state" --raw-output);
      [[ "${INSTANCE_STATE}" == "${PREV_INSTANCE_STATE}" ]] || (echo; echo "INSTANCE_STATE=${INSTANCE_STATE}");
      export PREV_INSTANCE_STATE=${INSTANCE_STATE};
      [[ "${INSTANCE_STATE}" != "ACTIVE" ]] || break;
      echo -n "."; sleep 5;
    done;
    echo; echo "instance created, waiting for environment ${ENV_NAME} to be attached to instance";
    while : ; do
      export ATTACHMENT_DONE=$(curl -s -H "Authorization: Bearer $(gcloud auth print-access-token)" -X GET "https://apigee.googleapis.com/v1/organizations/${PROJECT_ID}/instances/${INSTANCE_NAME}/attachments" | jq "select(.attachments != null) | .attachments[] | select(.environment == \"${ENV_NAME}\") | .environment" --join-output);
      [[ "${ATTACHMENT_DONE}" != "${ENV_NAME}" ]] || break;
      echo -n "."; sleep 5;
    done;
    echo "***ORG IS READY TO USE***";

    When the script returns ORG IS READY TO USE, you can proceed to the next steps.

While you are waiting

While you wait for the lab to start up, learn more about the policy and regular expressions:
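As an added example that is not part of the lab, the following Python script reproduces the policy's matching behaviour (a case-insensitive search anywhere in the parameter value) against a set of constructed ?test= values. It shows what the lab's pattern catches, what it lets through, and the false positives that make it unsuitable for production. The input list is constructed for this page; the only change to the pattern is moving the (?i) flag to the front, because Python 3.11+ rejects a global inline flag that is not at the start of the expression, while Apigee's Java regex engine accepts it.

```python
import re

# The lab's pattern exactly as it appears in the Apigee policy. Apigee evaluates
# it with java.util.regex, which accepts an inline (?i) in the middle of the
# expression. Kept here for reference only.
LAB_PATTERN_JAVA = r"[\s]*(?i)((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"

# Same pattern with the (?i) moved to the front: Python 3.11+ refuses a global
# inline flag that is not at the start. Nothing before the flag was
# case-sensitive ([\s]* is whitespace), so the two patterns behave the same.
LAB_PATTERN_PY = r"(?i)[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))"
THREAT = re.compile(LAB_PATTERN_PY)


def threat_detected(value: str) -> bool:
    """Return True if the policy would raise ThreatDetected for this ?test= value.

    The policy raises its fault when the pattern is found anywhere in the
    inspected value, so this is a search rather than a full-string match.
    """
    return THREAT.search(value) is not None


def classify(values):
    """Map each candidate value to whether the lab policy would block it."""
    return {value: threat_detected(value) for value in values}


# Constructed inputs for this page (not from the lab), chosen to show the
# pattern's reach, its gaps and its false positives.
SAMPLES = [
    "ok",                   # the lab's benign request
    "delete",               # the lab's malicious request
    "DROP    TABLE users",  # \s* tolerates any run of whitespace, (?i) any case
    "1 or 1=1",             # \bor\b fires on the standalone word "or"
    "color",                # \b keeps "or" inside another word from matching
    "executive",            # false positive: "exec" is not word-bounded
    "updates available",    # false positive: "update" matches as a prefix
    "1 union select 1",     # missed: UNION and SELECT are not in the list
    "admin'--",             # missed: comment-terminated injection is not in the list
]

if __name__ == "__main__":
    for value, blocked in classify(SAMPLES).items():
        print(f"{'BLOCKED' if blocked else 'allowed':7}  test={value!r}")
```

Run it with python3 and compare against what you observe with curl in Task 3: values reported as BLOCKED should return the policy fault, the others should reach httpbin.org. A useful extra check in the lab is whether a percent-encoded variant such as test=%64elete is still caught, which tells you whether the policy sees the decoded parameter value.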

Task 3. Test the API proxy

In this task, you use curl to test your proxy.

Test the API proxy using private DNS

The eval environment in the Apigee organization can be called using the hostname eval.example.com. The DNS entry for this hostname has been created within your project, and it resolves to the IP address of the Apigee runtime instance. This DNS entry has been created in a private zone, which means it is only visible on the internal network.

Cloud Shell does not reside on the internal network, so Cloud Shell commands cannot resolve this DNS entry. A virtual machine (VM) within your project can access the private zone DNS. A virtual machine named apigeex-test-vm was automatically created for this purpose. You can make API proxy calls from this machine.

The curl command will be used to send API requests to an API proxy. The -k option for curl tells it to skip verification of the TLS certificate. For this lab, the Apigee runtime uses a self-signed certificate. For a production environment, you should use certificates that have been created by a trusted certificate authority (CA).

  1. In Cloud Shell, open a new tab, and then open an SSH connection to your test VM:

    TEST_VM_ZONE=$(gcloud compute instances list --filter="name=('apigeex-test-vm')" --format "value(zone)")
    gcloud compute ssh apigeex-test-vm --zone=${TEST_VM_ZONE} --force-key-file-overwrite

    The first gcloud command retrieves the zone of the test VM, and the second opens the SSH connection to the VM.

  2. If asked to authorize, click Authorize.

    For each question asked in Cloud Shell, press Enter or Return to accept the default input.

    Your logged-in identity is the owner of the project, so SSH to this machine is allowed.

    Your Cloud Shell session is now running inside the VM.

Call the proxy

  1. In the Cloud Shell SSH session, send the following curl command:

    curl -i -k -X GET "https://eval.example.com/lab5a/v1"

    The curl command responds successfully with the response from httpbin.org. There was no query parameter named test, so there was no invalid pattern detected.

  2. Send the following curl command:

    curl -i -k -X GET "https://eval.example.com/lab5a/v1?test=ok"

    This command sends the test query parameter with the value ok. This does not match the regular expression in the policy, so the policy does not raise a fault, and the curl command responds successfully with the response from httpbin.org.

  3. Send the following curl command:

    curl -i -k -X GET "https://eval.example.com/lab5a/v1?test=delete"

    This command sends the test query parameter with the value delete. This matches the regular expression in the policy, so this time the policy raises a fault, and httpbin.org is never called.

    Note: The policy's default error response uses status code 500 Internal Server Error, which should typically be changed. The fault is caused by an illegal request from the client, so 400 Bad Request is the appropriate status code to return.

    It is typically appropriate to rewrite the error message as well: the default faultstring includes the regular expression that matched (and the input that matched it), and you do not want a malicious actor to learn which regular expressions are protecting your proxy.
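One way to apply both recommendations, as an added configuration example that is not part of the lab: a FaultRule on the default proxy endpoint that catches the ThreatDetected fault raised by RegularExpressionProtection and runs an AssignMessage policy (named AM-ThreatResponse here, an assumed name) that returns 400 with a generic body instead of the default 500 and faultstring. Both fragments are edits you would make to the lab proxy, not configuration from the page itself:

```xml
<!-- Fragment 1: add inside the "default" ProxyEndpoint (apiproxy/proxies/default.xml).
     fault.name is "ThreatDetected" when RegularExpressionProtection raises
     (full error code: steps.regexprotection.ThreatDetected). -->
<FaultRules>
  <FaultRule name="RegexThreatDetected">
    <Condition>fault.name = "ThreatDetected"</Condition>
    <Step>
      <Name>AM-ThreatResponse</Name>
    </Step>
  </FaultRule>
</FaultRules>

<!-- Fragment 2: new AssignMessage policy (apiproxy/policies/AM-ThreatResponse.xml).
     Replaces the default 500 and the faultstring that echoes the regex and input
     with a 400 and a body that reveals nothing about the protection in place. -->
<AssignMessage continueOnError="false" enabled="true" name="AM-ThreatResponse">
  <Set>
    <StatusCode>400</StatusCode>
    <ReasonPhrase>Bad Request</ReasonPhrase>
    <Headers>
      <Header name="Content-Type">application/json</Header>
    </Headers>
    <Payload contentType="application/json">{"error": "invalid request"}</Payload>
  </Set>
  <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

After saving and deploying a new revision, repeat the test=delete request: the response should now be 400 with the generic body, while the policy name, matched pattern and input remain available to you in the Apigee debug session for that request rather than to the caller.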

Congratulations!

In this lab, you used the RegularExpressionProtection policy to detect a dangerous input and reject the request.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
