Developer forum

Banned IP with facet filters

Nuno Aguiar Dynamicweb Employee

Hi,

 

We have customers getting their IP banned when using this website www.dukal.com and selecting some filters. Here are the repro steps:

  • Search for "esmark" and view all results
  • Filter by any size except 4" x 9"
  • Choose another size to filter (except 4" x 9") and you get banned

The reason for this is partly bad data, because they use the single quotes char as part of the value. Although it's encoding the single quotes, when you have 2 single quotes in the querystring, it bans you.

 

I wonder if this is because of too aggressive of a regex, or if there's something we can optimize.

 

I was also asked if we can extend/override Dynamicweb's banned IP regex and have our own. Maybe a notification subscriber I am not aware of?

 

Best Regards,

Nuno Aguiar


Replies

 
Nicolai Pedersen

Add the parameter to the querystring parameter whitelist "Ignore the following fields".

You cannot override the regex. 

 
Nuno Aguiar Dynamicweb Employee

Hi Nicolai,

 

Thank you for the info. Works like a charm.

 

About the Regex, I just want to provide the right answer to Scott. Are you saying we can't currently, or that it's a policy not to allow for it? There is some debate as to whether it would be a good feature for it.

 

BR,

Nuno Aguiar

 
Nicolai Pedersen

You cannot, and we will not open it up as it is request filtering and it will blow up if we open it.

You can just disable SQL injection and create your own request filtering. Be happy to share the current code in an email if you want.
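
Added example, not part of the thread and not Dynamicweb's code: a small request filter showing why one facet value passes, a second one trips a "two single quotes" rule even when the quotes are percent-encoded, and how a per-field ignore list changes the outcome. The regex, the parameter name `Size` and the sample query strings are assumptions made for illustration; the thread does not show Dynamicweb's actual pattern.

```python
import re
from urllib.parse import parse_qsl

# Hypothetical rule: the thread does not show Dynamicweb's pattern. It treats
# two single quotes anywhere in the decoded query string as suspicious.
TWO_QUOTES = re.compile(r"'[^']*'")

# Constructed sample requests; the parameter name "Size" and values are made up.
ONE_FACET = "q=esmark&Size=3%27+x+4"
TWO_FACETS = "q=esmark&Size=3%27+x+4&Size=5%27+x+9"
QUOTED_SEARCH = "q=%27esmark%27&Size=3%27+x+4"


def is_flagged(query_string, ignore_fields=()):
    """Apply the rule to every decoded value except the ignored fields."""
    ignored = {name.lower() for name in ignore_fields}
    # parse_qsl percent-decodes, so an encoded %27 still reaches the rule as '
    pairs = parse_qsl(query_string, keep_blank_values=True)
    inspected = "&".join(v for k, v in pairs if k.lower() not in ignored)
    return bool(TWO_QUOTES.search(inspected))


def quote_counts(query_string):
    """Per-parameter count of decoded single quotes, to find the field to ignore."""
    counts = {}
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        hits = value.count("'")
        if hits:
            counts[name] = counts.get(name, 0) + hits
    return counts


if __name__ == "__main__":
    print(is_flagged(ONE_FACET))
    print(is_flagged(TWO_FACETS))
    print(quote_counts(TWO_FACETS))
    # Ignored fields skip the filter, so the code that reads them must still
    # use parameterized queries.
    print(is_flagged(TWO_FACETS, ignore_fields=["Size"]))
    print(is_flagged(QUOTED_SEARCH, ignore_fields=["Size"]))
```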

 
Nuno Aguiar Dynamicweb Employee

Fair enough

 

Thank you

 
