XML Threat Protection
XML Threat Protection is an interceptor that validates the contents of an XML, following pre-defined limits for a range of components. Thus, it avoids malicious attacks which send information outside the expected pattern.
To configure the interceptor, we have to fill in the fields of the image below with the desired values. You can read about all the pieces of information along this page.
Field: Name Limits
Element
It specifies the maximum name size for any element in the XML.
<Customers>
<Customer CustomerID="6s695dp84">
<CompanyName>Sensedia</CompanyName>
<ContactName>Howard Snyder</ContactName>
<ContactTitle>Marketing Manager</ContactTitle>
<Phone>(19) 555-7555</Phone>
<FullAddress>
<Address>Rua Dr. Ricardo Benetton Martins.</Address>
<City>Campinas</City>
<Region>SP</Region>
<PostalCode>13086-902</PostalCode>
<Country>BR</Country>
</FullAddress>
</Customer>
</Customers>
In the example above, we can set it to 12. Then, the interceptor will check if no name exceeds 12 characters.
Attribute
It specifies the maximum size for any attribute in the XML.
<Customer CustomerID="6s695dp84">
<CompanyName>Sensedia</CompanyName>
<ContactName>Howard Snyder</ContactName>
<ContactTitle>Marketing Manager</ContactTitle>
<Phone>(19) 555-7555</Phone>
</Customer>
In this example, the interceptor will verify if the size of the attribute CustomerID
is under the limit of characters defined in the settings.
Field: Structure Limits
Node depth
It specifies the maximum depth allowed.
<Customers>
<Customer CustomerID="6s695dp84">
<CompanyName>Sensedia</CompanyName>
<ContactName>Howard Snyder</ContactName>
<ContactTitle>Marketing Manager</ContactTitle>
<Phone>(19) 555-7555</Phone>
<FullAddress>
<Address>Rua Dr. Ricardo Benetton Martins.</Address>
<City>Campinas</City>
<Region>SP</Region>
<PostalCode>13086-902</PostalCode>
<Country>BR</Country>
</FullAddress>
</Customer>
</Customers>
In the example above, the depth is 4.
Attribute count per element
It specifies the amount of attributes per element.
<Customer CustomerID="3" CustomerID_web="s3ko05456sdsl">
In this example,there are two attributes: customerID
and CustomerID_web
.
Namespace count per element
It specifies the number of namespaces per element.
<sensedia:gateway xmlns:sensedia="http://sensedia.com" xmlns:manager="http:sensedia.com/api-manager"
manager:sensedia="sensedia">
In this example, there are three: xmlns:sensedia
, xmlns:manager
and manager:sensedia
.
Child count
It specifies the number of children of any element.
<Customers>
<Customer CustomerID="6s695dp84">
<CompanyName>Sensedia</CompanyName>
<ContactName>Howard Snyder</ContactName>
<ContactTitle>Marketing Manager</ContactTitle>
<Phone>(19) 555-7555</Phone>
<FullAddress>
<Address>Rua Dr. Ricardo Benetton Martins.</Address>
<City>Campinas</City>
<Region>SP</Region>
<PostalCode>13086-902</PostalCode>
<Country>BR</Country>
</FullAddress>
</Customer>
</Customers>
In the case above, the element Customer
has five children: CompanyName
, ContactName
, ContactTitle
, Phone
and FullAddress
Field: Value Limits
Text
It specifies the maximum number of characters in the value of any element.
<ContactTitle>Marketing Manager</ContactTitle>
In this example, the value Marketing Manager
has 17 characters.
Attribute
It specifies the maximum number of characters of the value of anyattribute.
<Customer CustomerID="6s695dp84">
In the example above, the value 6s695dp84
of the attribute CustomerID
has nine characters.
Namespace URI
It specifies the maximum number of characters in the value of any namespace.
<sensedia:gateway xmlns:sensedia="http://sensedia.com">
In this example, http://sensedia.com
has 19 characters.
Errors
Here are the errors that can be returned when the interceptor finds any irregularity regarding the specifications above.
Error | HTTP Code Request | HTTP Code Response | |
---|---|---|---|
XML |
XML format invalid |
400 |
500 |
Name Limits/Element |
Name limits element exceeds the maximum allowed for this API (n) |
400 |
500 |
Name Limits/Attribute |
Name limits attribute exceeds the maximum allowed for this API (n) |
400 |
500 |
Name Limits/Namespace prefix |
Name limits namespace prefix exceeds the maximum allowed for this API (n) |
400 |
500 |
Name Limits/Processing Instruction Target |
Name limits processing instruction target exceeds the maximum allowed for this API (n) |
400 |
500 |
Structure Limits/Node depth |
Structure limits node depth element exceeds the maximum allowed for this API (n) |
400 |
500 |
Structure Limits/Attribute count per element |
Structure limits attribute count per element exceeds the maximum allowed for this API (n) |
400 |
500 |
Structure Limits/Namespace count per element |
Structure limits namespace count per element exceeds the maximum allowed for this API (n) |
400 |
500 |
Structure Limits/Child count |
Structure limits child count exceeds the maximum allowed for this API (n) |
400 |
500 |
Value Limits/Text |
Value limits text exceeds the maximum allowed for this API (n) |
400 |
500 |
Value Limits/Attribute |
Value limits attribute exceeds the maximum allowed for this API (n) |
400 |
500 |
Value Limits/Namespace URI |
Value limits namespace URI exceeds the maximum allowed for this API (n) |
400 |
500 |
Value Limits/Comment |
Value limits comment exceeds the maximum allowed for this API (n) |
400 |
500 |
Value Limits/Processing Instruction Data |
Value limits processing instruction data exceeds the maximum allowed for this API (n) |
400 |
500 |
Invalid Content-Type |
XML threat protection validation failed: Invalid Content-Type in Header → (Content type) |
415 |
415 |
Content-Type not found |
XML threat protection validation failed: Content-Type not found in Header |
415 |
415 |
Share your suggestions with us!
Click here and then [+ Submit idea]