Azure Web Application Firewall (WAF) considerations
000008921|1/16/2019 10:10 AM
SDL Trados GroupShare 2017 (and later)
Azure Web Application Firewall (WAF) blocks connections to SDL Trados GroupShare that are initiated from SDL Trados Studio. The requests are treated as an attack, specifically as a blind SQL injection attempt. Rule IDs that can be seen in the WAF log:
942430 - Restricted SQL Character Anomaly Detection (args): # of special characters exceeded (12)
920320 - Missing User Agent Header
The WAF protections are provided by the Open Web Application Security Project (OWASP) Core Rule Set (CRS). These are generic rules, and some of them can cause false positives and block legitimate traffic. That is why WAF provides the capability to customize rule groups and individual rules. Please check below:
The flagged requests are false positives, and the recommendation is to customize the WAF rules so that they accommodate the client requests. See the updates below:
SQL 12 special character limitation (rule 942430)
We have looked at the logs and confirm this is a false positive and it is an unrealistic ask to change the software. Considering that all access to GroupShare resource requests allows the usage of special characters for all user-created content (organizations/libraries, TMs, TBs, projects, …), this would require a very considerable redevelopment of basic and key GroupShare functionality (= accessing GroupShare resources/content).
The User-Agent request header (rule 920320) - makes sense to include for a future release.
Usually only web browser applications use this, to inform peers about the application, version, etc. of the accessing client. From a GroupShare application perspective we currently don't require this (= doing a check of the client version, e.g. of Studio, on the server), as we perform any relevant version control on the client, confirming that the GroupShare version one wants to connect to is valid/compatible.
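The following is an added example of the rule customization recommended above; it is not part of the original article and not SDL's own code. It uses the Az.Network PowerShell module to disable only rules 942430 and 920320 on an existing Application Gateway WAF, leaving the rest of the OWASP CRS 3.0 rule set active in Prevention mode. The resource group name 'rg-groupshare' and gateway name 'agw-groupshare' are placeholders.

```powershell
# Added example (not from the original article): disable only the two CRS rules
# that produce false positives for Studio -> GroupShare traffic, leaving the
# rest of the OWASP CRS 3.0 rule set active in Prevention mode.
# Assumed names (placeholders, not from the article): resource group
# 'rg-groupshare' and Application Gateway 'agw-groupshare'.
$resourceGroup = 'rg-groupshare'
$gatewayName   = 'agw-groupshare'

# Rule overrides are expressed per CRS rule group. Only the listed rule IDs
# inside each group are disabled; the remaining rules in the group stay active.
$sqliOverride = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig `
    -RuleGroupName 'REQUEST-942-APPLICATION-ATTACK-SQLI' `
    -Rules 942430          # Restricted SQL Character Anomaly Detection (args)

$protocolOverride = New-AzApplicationGatewayFirewallDisabledRuleGroupConfig `
    -RuleGroupName 'REQUEST-920-PROTOCOL-ENFORCEMENT' `
    -Rules 920320          # Missing User Agent Header

$gateway = Get-AzApplicationGateway -Name $gatewayName -ResourceGroupName $resourceGroup

# Keep the WAF enabled and in Prevention mode; only the two rules are overridden.
$gateway = Set-AzApplicationGatewayWebApplicationFirewallConfiguration `
    -ApplicationGateway $gateway `
    -Enabled $true `
    -FirewallMode 'Prevention' `
    -RuleSetType 'OWASP' `
    -RuleSetVersion '3.0' `
    -DisabledRuleGroup @($sqliOverride, $protocolOverride)

# Push the updated configuration to Azure (this is the long-running step).
$gateway = Set-AzApplicationGateway -ApplicationGateway $gateway

# Verify: list the rule overrides that are now in effect on the gateway.
$gateway.WebApplicationFirewallConfiguration.DisabledRuleGroups |
    ForEach-Object { "{0}: {1}" -f $_.RuleGroupName, ($_.Rules -join ',') }
```

The equivalent Azure CLI call is `az network application-gateway waf-config set -g rg-groupshare --gateway-name agw-groupshare --enabled true --firewall-mode Prevention --rule-set-type OWASP --rule-set-version 3.0 --disabled-rules 942430 920320`. Two caveats: the override applies to every site served by this gateway, not only to GroupShare, and disabling 942430 removes one SQL injection anomaly check for all of them, so if other applications share the gateway consider a dedicated gateway for GroupShare. Before and after the change, check the gateway's firewall log (the ruleId field of each entry) to confirm that only these two rules fire for Studio traffic rather than disabling a whole rule group.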