Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Dec 08, 2014

Reliably escaping special characters for HSL messages

Hi,

 

I'm developing a rule to log HTTP details to Splunk in JSON format via an HSL setup. I'm having problems when it comes to dealing with special characters when I build a formatted output string in JSON, as the strings pulled out of HTTP::header operations frequently contain characters, principally double quote marks, which break the broader JSON format.

 

There is a conflict between wanting to create nicely, well formatted log objects out of unknown, user (attacker?) submitted data which can't be fully known, so there's a line where it becomes potentially irresponsible to try to process data too much before logging it, but ideally i'm looking for a way to easily escape special characters on demand in a string.

 

Quite what would define "Special" I don't know, but I'm hoping there are some useful pointers in how to approach this in iRule land. For one I'm thinking a few try / catch block may be essential.

 

application delivery
design
devops
irule
iRules
LTM
security

1 Reply

Sort By
  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Dec 12, 2014

    Haven't done anything with HSL in the past, but given your concerns, I think there's a couple ways you could go about this.

     

    The first would be to use the URI::encode command (since it percent encodes the data like in a URI query string. Info). Problem here is that the data wouldn't be as readable unless you were to decode it later whenever you use it. And this is generally used for URIs instead of data, but it can be useful if it fits your requirements.

     

    My other suggestion would be to use the string map command in TCL to do your own encoding. If you look at the JSON web site, you can see how the format is laid out. At a minimum, you would want to escape double quotes, but you could add more if you were concerned with how another tool may process the JSON code. I don't have an iRule to test on right now but perhaps something like this would work (tested it in tclsh with success):

     

    [string map {\" \\\" } $YourDataToEscape]

    Hope this helps. I'm not sure how performant these commands are, though I'd think the string map is better than the other, since it's a built-in TCL command. Maybe somebody else can speak to that aspect of it.