apigeelint
PO011 | Service Callout Target - Dynamic URLs
Error on dynamic URLs in target server URL tag.
Just doing some housekeeping on older tickets.
This check is really hard to implement. To set a dynamic URL path for a ServiceCallout policy, one can set the well-known variable sc_urlPath. To set the scheme (http or https) and host, one must set a variable like servicecallout.POLICYNAME.target.url, where POLICYNAME is the name of the ServiceCallout policy.
It is relatively easy to look for AssignMessage/AssignVariable elements that refer to variable names with that structure. However, that won't cover all of the scenarios.
A checker would also have to check all JavaScript code, checking for context.SetVariable() using a variable name which matches that structure. That is just a little more difficult than scanning AssignMessage, if we look for just hard-coded variable names. But variable names need not be hard-coded in JavaScript of course. They can be dynamically determined. And of course context variables can be set by Java code too, and Python. Really there's no practical way to build a check that rules out all of these possibilities.
We could do a basic check of AssignMessage, that's no problem. Would it provide a false sense of security?
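The basic check discussed in the comment above, as an added example that is not part of the original thread and not apigeelint's own plugin code: it flags hard-coded names in AssignMessage and JavaScript, and counts the setVariable calls whose name is computed at runtime and so cannot be resolved statically. The sample policy, the policy name SC-Lookup and the regex-based XML extraction are assumptions made for illustration.

```javascript
// Added example: a heuristic scan, not apigeelint's plugin API.
// Variable names are the two forms named in the comment above.
const TARGET_VAR = /^(sc_urlPath|servicecallout\.[^.]+\.target\.url)$/;

// Names set by <AssignVariable><Name>..</Name> in a policy's XML text.
// Regex extraction is a simplification; a real check would parse the XML.
function scanAssignMessage(xml) {
  const hits = [];
  for (const block of xml.matchAll(/<AssignVariable>([\s\S]*?)<\/AssignVariable>/g)) {
    const name = /<Name>\s*([^<\s]+)\s*<\/Name>/.exec(block[1]);
    if (name && TARGET_VAR.test(name[1])) hits.push(name[1]);
  }
  return hits;
}

// setVariable calls in a JavaScript resource. A quoted literal name can be
// matched; anything else is only countable as "undetermined".
function scanJavaScript(src) {
  const result = { literal: [], undetermined: 0 };
  for (const m of src.matchAll(/context\.setVariable\s*\(\s*([^,]+?)\s*,/gi)) {
    const lit = /^(['"])([^'"]*)\1$/.exec(m[1]);
    if (!lit) result.undetermined += 1; // name computed at runtime
    else if (TARGET_VAR.test(lit[2])) result.literal.push(lit[2]);
  }
  return result;
}

// Constructed sample inputs (policy and variable names are hypothetical).
const SAMPLE_POLICY = `<AssignMessage name="AM-SetTarget">
  <AssignVariable>
    <Name>servicecallout.SC-Lookup.target.url</Name>
    <Ref>config.backend.url</Ref>
  </AssignVariable>
  <AssignVariable>
    <Name>flow.requestId</Name>
    <Value>abc</Value>
  </AssignVariable>
</AssignMessage>`;
const SAMPLE_JS = `
context.setVariable('sc_urlPath', '/v1/items');
var name = 'servicecallout.' + policy + '.target.url';
context.setVariable(name, host);
context.setVariable('flow.count', 1);
`;

console.log(scanAssignMessage(SAMPLE_POLICY), scanJavaScript(SAMPLE_JS));
```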