AWS WAF now lets you inspect fragments of request URIs. You can specify the scope of the URI to inspect and narrow the set of URI fragments.

Author: aws-sdk-dotnet-automation

generator/ServiceModels/wafv2/wafv2-2019-07-29.api.json

@@ -1986,7 +1986,8 @@
         "Cookies":{"shape":"Cookies"},
         "HeaderOrder":{"shape":"HeaderOrder"},
         "JA3Fingerprint":{"shape":"JA3Fingerprint"},
-        "JA4Fingerprint":{"shape":"JA4Fingerprint"}
+        "JA4Fingerprint":{"shape":"JA4Fingerprint"},
+        "UriFragment":{"shape":"UriFragment"}
       }
     },
     "FieldToMatchData":{
@@ -4255,6 +4256,12 @@
         "NextLockToken":{"shape":"LockToken"}
       }
     },
+    "UriFragment":{
+      "type":"structure",
+      "members":{
+        "FallbackBehavior":{"shape":"FallbackBehavior"}
+      }
+    },
     "UriPath":{
       "type":"structure",
       "members":{

generator/ServiceModels/wafv2/wafv2-2019-07-29.docs.json

@@ -831,7 +831,8 @@
         "JA3Fingerprint$FallbackBehavior": "<p>The match status to assign to the web request if the request doesn't have a JA3 fingerprint. </p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>",
         "JA4Fingerprint$FallbackBehavior": "<p>The match status to assign to the web request if the request doesn't have a JA4 fingerprint. </p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>",
         "RateLimitJA3Fingerprint$FallbackBehavior": "<p>The match status to assign to the web request if there is insufficient TSL Client Hello information to compute the JA3 fingerprint.</p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>",
-        "RateLimitJA4Fingerprint$FallbackBehavior": "<p>The match status to assign to the web request if there is insufficient TSL Client Hello information to compute the JA4 fingerprint.</p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>"
+        "RateLimitJA4Fingerprint$FallbackBehavior": "<p>The match status to assign to the web request if there is insufficient TSL Client Hello information to compute the JA4 fingerprint.</p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>",
+        "UriFragment$FallbackBehavior": "<p>What WAF should do if it fails to completely parse the JSON body. The options are the following:</p> <ul> <li> <p> <code>EVALUATE_AS_STRING</code> - Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.</p> </li> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul> <p>If you don't provide this setting, WAF parses and evaluates the content only up to the first parsing failure that it encounters. </p> <p>Example JSON: <code>{ \"UriFragment\": { \"FallbackBehavior\": \"MATCH\"} }</code> </p> <note> <p>WAF parsing doesn't fully validate the input JSON string, so parsing can succeed even for invalid JSON. When parsing succeeds, WAF doesn't apply the fallback behavior. For more information, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body\">JSON body</a> in the <i>WAF Developer Guide</i>.</p> </note>"
       }
     },
     "FieldIdentifier": {
@@ -2709,6 +2710,12 @@
       "refs": {
       }
     },
+    "UriFragment": {
+      "base": "<p>Inspect fragments of the request URI. You can specify the parts of the URI fragment to inspect and you can narrow the set of URI fragments to inspect by including or excluding specific keys. </p> <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p> <p>Example JSON: <code>\"UriFragment\": { \"MatchPattern\": { \"All\": {} }, \"MatchScope\": \"KEY\", \"OversizeHandling\": \"MATCH\" }</code> </p>",
+      "refs": {
+        "FieldToMatch$UriFragment": "<p>Inspect fragments of the request URI. You must configure scope and pattern matching filters in the <code>UriFragment</code> object, to define the fragment of a URI that WAF inspects. </p> <p>Only the first 8 KB (8192 bytes) of a request's URI fragments and only the first 200 URI fragments are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize URI fragment content in the <code>UriFragment</code> object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service. </p>"
+      }
+    },
     "UriPath": {
       "base": "<p>Inspect the path component of the URI of the web request. This is the part of the web request that identifies a resource. For example, <code>/images/daily-ad.jpg</code>.</p> <p>This is used in the <a>FieldToMatch</a> specification for some web request component types. </p> <p>JSON specification: <code>\"UriPath\": {}</code> </p>",
       "refs": {

generator/ServiceModels/wafv2/wafv2-2019-07-29.normal.json

@@ -2556,6 +2556,10 @@
         "JA4Fingerprint":{
           "shape":"JA4Fingerprint",
           "documentation":"<p>Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA4 fingerprint. The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.</p> <note> <p>You can use this choice only with a string match <code>ByteMatchStatement</code> with the <code>PositionalConstraint</code> set to <code>EXACTLY</code>. </p> </note> <p>You can obtain the JA4 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields</a> in the <i>WAF Developer Guide</i>. </p> <p>Provide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.</p>"
+        },
+        "UriFragment":{
+          "shape":"UriFragment",
+          "documentation":"<p>Inspect fragments of the request URI. You must configure scope and pattern matching filters in the <code>UriFragment</code> object, to define the fragment of a URI that WAF inspects. </p> <p>Only the first 8 KB (8192 bytes) of a request's URI fragments and only the first 200 URI fragments are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize URI fragment content in the <code>UriFragment</code> object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service. </p>"
         }
       },
       "documentation":"<p>Specifies a web request component to be used in a rule match statement or in a logging configuration. </p> <ul> <li> <p>In a rule statement, this is the part of the web request that you want WAF to inspect. Include the single <code>FieldToMatch</code> type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in <code>FieldToMatch</code> for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component.</p> <p>Example JSON for a <code>QueryString</code> field to match: </p> <p> <code> \"FieldToMatch\": { \"QueryString\": {} }</code> </p> <p>Example JSON for a <code>Method</code> field to match specification:</p> <p> <code> \"FieldToMatch\": { \"Method\": { \"Name\": \"DELETE\" } }</code> </p> </li> <li> <p>In a logging configuration, this is used in the <code>RedactedFields</code> property to specify a field to redact from the logging records. For this use case, note the following: </p> <ul> <li> <p>Even though all <code>FieldToMatch</code> settings are available, the only valid settings for field redaction are <code>UriPath</code>, <code>QueryString</code>, <code>SingleHeader</code>, and <code>Method</code>.</p> </li> <li> <p>In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. </p> </li> <li> <p>If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. You can only exclude fields from request sampling by disabling sampling in the web ACL visibility configuration or by configuring data protection for the web ACL.</p> </li> </ul> </li> </ul>"
@@ -6304,6 +6308,16 @@
         }
       }
     },
+    "UriFragment":{
+      "type":"structure",
+      "members":{
+        "FallbackBehavior":{
+          "shape":"FallbackBehavior",
+          "documentation":"<p>What WAF should do if it fails to completely parse the JSON body. The options are the following:</p> <ul> <li> <p> <code>EVALUATE_AS_STRING</code> - Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.</p> </li> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul> <p>If you don't provide this setting, WAF parses and evaluates the content only up to the first parsing failure that it encounters. </p> <p>Example JSON: <code>{ \"UriFragment\": { \"FallbackBehavior\": \"MATCH\"} }</code> </p> <note> <p>WAF parsing doesn't fully validate the input JSON string, so parsing can succeed even for invalid JSON. When parsing succeeds, WAF doesn't apply the fallback behavior. For more information, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body\">JSON body</a> in the <i>WAF Developer Guide</i>.</p> </note>"
+        }
+      },
+      "documentation":"<p>Inspect fragments of the request URI. You can specify the parts of the URI fragment to inspect and you can narrow the set of URI fragments to inspect by including or excluding specific keys. </p> <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p> <p>Example JSON: <code>\"UriFragment\": { \"MatchPattern\": { \"All\": {} }, \"MatchScope\": \"KEY\", \"OversizeHandling\": \"MATCH\" }</code> </p>"
+    },
     "UriPath":{
       "type":"structure",
       "members":{

sdk/src/Services/WAFV2/Generated/Model/FieldToMatch.cs

@@ -98,6 +98,7 @@ public partial class FieldToMatch
         private QueryString _queryString;
         private SingleHeader _singleHeader;
         private SingleQueryArgument _singleQueryArgument;
+        private UriFragment _uriFragment;
         private UriPath _uriPath;
 
         /// <summary>
@@ -451,6 +452,34 @@ internal bool IsSetSingleQueryArgument()
             return this._singleQueryArgument != null;
         }
 
+        /// <summary>
+        /// Gets and sets the property UriFragment. 
+        /// <para>
+        /// Inspect fragments of the request URI. You must configure scope and pattern matching
+        /// filters in the <c>UriFragment</c> object, to define the fragment of a URI that WAF
+        /// inspects. 
+        /// </para>
+        ///  
+        /// <para>
+        /// Only the first 8 KB (8192 bytes) of a request's URI fragments and only the first 200
+        /// URI fragments are forwarded to WAF for inspection by the underlying host service.
+        /// You must configure how to handle any oversize URI fragment content in the <c>UriFragment</c>
+        /// object. WAF applies the pattern matching filters to the cookies that it receives from
+        /// the underlying host service. 
+        /// </para>
+        /// </summary>
+        public UriFragment UriFragment
+        {
+            get { return this._uriFragment; }
+            set { this._uriFragment = value; }
+        }
+
+        // Check to see if UriFragment property is set
+        internal bool IsSetUriFragment()
+        {
+            return this._uriFragment != null;
+        }
+
         /// <summary>
         /// Gets and sets the property UriPath. 
         /// <para>

sdk/src/Services/WAFV2/Generated/Model/Internal/MarshallTransformations/FieldToMatchMarshaller.cs

@@ -180,6 +180,17 @@ public void Marshall(FieldToMatch requestObject, JsonMarshallerContext context)
                 context.Writer.WriteObjectEnd();
             }
 
+            if(requestObject.IsSetUriFragment())
+            {
+                context.Writer.WritePropertyName("UriFragment");
+                context.Writer.WriteObjectStart();
+
+                var marshaller = UriFragmentMarshaller.Instance;
+                marshaller.Marshall(requestObject.UriFragment, context);
+
+                context.Writer.WriteObjectEnd();
+            }
+
             if(requestObject.IsSetUriPath())
             {
                 context.Writer.WritePropertyName("UriPath");

sdk/src/Services/WAFV2/Generated/Model/Internal/MarshallTransformations/FieldToMatchUnmarshaller.cs

@@ -138,6 +138,12 @@ public FieldToMatch Unmarshall(JsonUnmarshallerContext context)
                     unmarshalledObject.SingleQueryArgument = unmarshaller.Unmarshall(context);
                     continue;
                 }
+                if (context.TestExpression("UriFragment", targetDepth))
+                {
+                    var unmarshaller = UriFragmentUnmarshaller.Instance;
+                    unmarshalledObject.UriFragment = unmarshaller.Unmarshall(context);
+                    continue;
+                }
                 if (context.TestExpression("UriPath", targetDepth))
                 {
                     var unmarshaller = UriPathUnmarshaller.Instance;

sdk/src/Services/WAFV2/Generated/Model/Internal/MarshallTransformations/UriFragmentMarshaller.cs

@@ -0,0 +1,65 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ * 
+ *  http://aws.amazon.com/apache2.0
+ * 
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Do not modify this file. This file is generated from the wafv2-2019-07-29.normal.json service model.
+ */
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.IO;
+using System.Text;
+using System.Xml.Serialization;
+
+using Amazon.WAFV2.Model;
+using Amazon.Runtime;
+using Amazon.Runtime.Internal;
+using Amazon.Runtime.Internal.Transform;
+using Amazon.Runtime.Internal.Util;
+using ThirdParty.Json.LitJson;
+
+#pragma warning disable CS0612,CS0618
+namespace Amazon.WAFV2.Model.Internal.MarshallTransformations
+{
+    /// <summary>
+    /// UriFragment Marshaller
+    /// </summary>
+    public class UriFragmentMarshaller : IRequestMarshaller<UriFragment, JsonMarshallerContext> 
+    {
+        /// <summary>
+        /// Unmarshaller the response from the service to the response class.
+        /// </summary>  
+        /// <param name="requestObject"></param>
+        /// <param name="context"></param>
+        /// <returns></returns>
+        public void Marshall(UriFragment requestObject, JsonMarshallerContext context)
+        {
+            if(requestObject == null)
+                return;
+            if(requestObject.IsSetFallbackBehavior())
+            {
+                context.Writer.WritePropertyName("FallbackBehavior");
+                context.Writer.Write(requestObject.FallbackBehavior);
+            }
+
+        }
+
+        /// <summary>
+        /// Singleton Marshaller.
+        /// </summary>
+        public readonly static UriFragmentMarshaller Instance = new UriFragmentMarshaller();
+
+    }
+}

sdk/src/Services/WAFV2/Generated/Model/Internal/MarshallTransformations/UriFragmentUnmarshaller.cs

@@ -0,0 +1,93 @@
+/*
+ * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+ * 
+ * Licensed under the Apache License, Version 2.0 (the "License").
+ * You may not use this file except in compliance with the License.
+ * A copy of the License is located at
+ * 
+ *  http://aws.amazon.com/apache2.0
+ * 
+ * or in the "license" file accompanying this file. This file is distributed
+ * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
+ * express or implied. See the License for the specific language governing
+ * permissions and limitations under the License.
+ */
+
+/*
+ * Do not modify this file. This file is generated from the wafv2-2019-07-29.normal.json service model.
+ */
+using System;
+using System.Collections.Generic;
+using System.Globalization;
+using System.IO;
+using System.Net;
+using System.Text;
+using System.Xml.Serialization;
+
+using Amazon.WAFV2.Model;
+using Amazon.Runtime;
+using Amazon.Runtime.Internal;
+using Amazon.Runtime.Internal.Transform;
+using Amazon.Runtime.Internal.Util;
+using ThirdParty.Json.LitJson;
+
+#pragma warning disable CS0612,CS0618
+namespace Amazon.WAFV2.Model.Internal.MarshallTransformations
+{
+    /// <summary>
+    /// Response Unmarshaller for UriFragment Object
+    /// </summary>  
+    public class UriFragmentUnmarshaller : IUnmarshaller<UriFragment, XmlUnmarshallerContext>, IUnmarshaller<UriFragment, JsonUnmarshallerContext>
+    {
+        /// <summary>
+        /// Unmarshaller the response from the service to the response class.
+        /// </summary>  
+        /// <param name="context"></param>
+        /// <returns></returns>
+        UriFragment IUnmarshaller<UriFragment, XmlUnmarshallerContext>.Unmarshall(XmlUnmarshallerContext context)
+        {
+            throw new NotImplementedException();
+        }
+
+        /// <summary>
+        /// Unmarshaller the response from the service to the response class.
+        /// </summary>  
+        /// <param name="context"></param>
+        /// <returns>The unmarshalled object</returns>
+        public UriFragment Unmarshall(JsonUnmarshallerContext context)
+        {
+            UriFragment unmarshalledObject = new UriFragment();
+            if (context.IsEmptyResponse)
+                return null;
+            context.Read();
+            if (context.CurrentTokenType == JsonToken.Null) 
+                return null;
+
+            int targetDepth = context.CurrentDepth;
+            while (context.ReadAtDepth(targetDepth))
+            {
+                if (context.TestExpression("FallbackBehavior", targetDepth))
+                {
+                    var unmarshaller = StringUnmarshaller.Instance;
+                    unmarshalledObject.FallbackBehavior = unmarshaller.Unmarshall(context);
+                    continue;
+                }
+            }
+            return unmarshalledObject;
+        }
+
+
+        private static UriFragmentUnmarshaller _instance = new UriFragmentUnmarshaller();        
+
+        /// <summary>
+        /// Gets the singleton.
+        /// </summary>  
+        public static UriFragmentUnmarshaller Instance
+        {
+            get
+            {
+                return _instance;
+            }
+        }
+    }
+}