Thank you for flagging that. Do you have any ideas on how to solve that? I don't think we can avoid using the query string, since it's how search works in the Django admin. Using some kind of encoding (such as base64) will likely break projects that directly link to search results in the admin. Also, I'm not sure, maybe the WAF is smart enough to decode base64 strings to see what's inside. Any ideas?
Well, for sure, any changes to fix this would be breaking. I guess it could be possible to add a v=2 parameter and pass it through the new parser instead, a bit like DRF versioning.
I did a quick search last night and couldn't find the actual rule content, but I am not giving up. Once I have that in hand, it will be easier to craft a fix.
Here is an example that triggers it: /admin/app/user/?q=first_name+%3D+%22First%22+and+last_name+%3D+%22Last%22&o=-12.-11.3
The specific rule being triggered is: AWS#AWSManagedRulesSQLiRuleSet#SQLi_QUERYARGUMENTS
While it is possible to disable the rule for the admin panel, it is not acceptable in a compliant environment.
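To make the reported URL concrete, here is an added example (not Django's code, and not a patch anyone in this thread proposed) that URL-decodes the query string exactly as the admin and the WAF see it, and sketches the versioned-parameter idea: a base64url-encoded `q` behind a `v=2` flag, with the plain `q` still accepted so existing links keep working. The `v=2` parameter name, the base64url choice and the function names are assumptions for illustration only.

```python
"""Decode the admin search URL from the issue and sketch a versioned,
encoded search parameter.  Added example; the v=2 scheme and every
function name here are hypothetical, not Django behaviour."""
import base64
from urllib.parse import parse_qs, urlencode, urlsplit

# The URL quoted in the issue report (copied from the thread).
REPORTED_URL = (
    "/admin/app/user/?q=first_name+%3D+%22First%22+and+last_name+%3D+%22Last%22"
    "&o=-12.-11.3"
)


def decode_query(url):
    """Return the query parameters after URL decoding, i.e. what the admin
    changelist view (and a WAF inspecting query arguments) actually sees."""
    parts = urlsplit(url)
    return {key: values[0] for key, values in parse_qs(parts.query).items()}


def encode_search_url(path, q, ordering=None):
    """Build an admin URL carrying the search term base64url-encoded under a
    hypothetical v=2 scheme.  Padding is stripped so the token stays URL-safe
    without percent-encoding."""
    token = base64.urlsafe_b64encode(q.encode("utf-8")).decode("ascii").rstrip("=")
    params = {"v": "2", "q": token}
    if ordering:
        params["o"] = ordering
    return f"{path}?{urlencode(params)}"


def extract_search_term(url):
    """Accept both the legacy plain `q` and the hypothetical v=2 encoded form,
    so existing deep links into search results keep resolving."""
    params = decode_query(url)
    q = params.get("q", "")
    if params.get("v") == "2":
        padded = q + "=" * (-len(q) % 4)  # restore the base64 padding
        return base64.urlsafe_b64decode(padded).decode("utf-8")
    return q


if __name__ == "__main__":
    decoded = decode_query(REPORTED_URL)
    print("what the WAF sees in q:", decoded["q"])
    encoded = encode_search_url("/admin/app/user/", decoded["q"], decoded["o"])
    print("encoded form:", encoded)
    print("round trip:", extract_search_term(encoded))
```

Decoding shows why the rule fires: after URL decoding, `q` is the literal string `first_name = "First" and last_name = "Last"`, which reads like a SQL predicate even though the admin only uses it as a search term. The encoded form removes that surface, but as the earlier comment notes, whether the managed rule also inspects base64-decoded payloads is the open question, and the only way to settle it is to read the actual rule content.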