@aws-sdk/client-wafv2 3.130.0 → 3.131.0
- package/CHANGELOG.md +11 -0
- package/README.md +1 -1
- package/dist-cjs/models/models_0.js +10 -5
- package/dist-cjs/protocols/Aws_json1_1.js +2 -0
- package/dist-es/models/models_0.js +5 -0
- package/dist-es/protocols/Aws_json1_1.js +2 -1
- package/dist-types/WAFV2.d.ts +30 -15
- package/dist-types/WAFV2Client.d.ts +1 -1
- package/dist-types/commands/DeleteWebACLCommand.d.ts +6 -5
- package/dist-types/commands/DisassociateWebACLCommand.d.ts +2 -2
- package/dist-types/commands/GetMobileSdkReleaseCommand.d.ts +2 -1
- package/dist-types/commands/GetRateBasedStatementManagedKeysCommand.d.ts +14 -3
- package/dist-types/commands/ListMobileSdkReleasesCommand.d.ts +2 -1
- package/dist-types/commands/UpdateManagedRuleSetVersionExpiryDateCommand.d.ts +1 -1
- package/dist-types/commands/UpdateWebACLCommand.d.ts +2 -1
- package/dist-types/models/models_0.d.ts +261 -186
- package/package.json +4 -4
|
@@ -25,8 +25,7 @@ export declare namespace ActionCondition {
|
|
|
25
25
|
}
|
|
26
26
|
/**
|
|
27
27
|
* <p>Inspect all of the elements that WAF has parsed and extracted from the web request
|
|
28
|
-
* component that you've identified in your <a>FieldToMatch</a> specifications.
|
|
29
|
-
* </p>
|
|
28
|
+
* component that you've identified in your <a>FieldToMatch</a> specifications. </p>
|
|
30
29
|
* <p>This is used only in the <a>FieldToMatch</a> specification for some web request component types. </p>
|
|
31
30
|
* <p>JSON specification: <code>"All": {}</code>
|
|
32
31
|
* </p>
|
|
@@ -103,7 +102,7 @@ export declare namespace AllowAction {
|
|
|
103
102
|
}
|
|
104
103
|
/**
|
|
105
104
|
* <p>Inspect all query arguments of the web request. </p>
|
|
106
|
-
*
|
|
105
|
+
* <p>This is used only in the <a>FieldToMatch</a> specification for some web request component types. </p>
|
|
107
106
|
* <p>JSON specification: <code>"AllQueryArguments": {}</code>
|
|
108
107
|
* </p>
|
|
109
108
|
*/
|
|
@@ -121,8 +120,9 @@ export declare enum OversizeHandling {
|
|
|
121
120
|
NO_MATCH = "NO_MATCH"
|
|
122
121
|
}
|
|
123
122
|
/**
|
|
124
|
-
* <p>Inspect the body of the web request. The body immediately follows the request
|
|
125
|
-
*
|
|
123
|
+
* <p>Inspect the body of the web request. The body immediately follows the request
|
|
124
|
+
* headers.</p>
|
|
125
|
+
* <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p>
|
|
126
126
|
*/
|
|
127
127
|
export interface Body {
|
|
128
128
|
/**
|
|
@@ -163,7 +163,7 @@ export declare namespace Body {
|
|
|
163
163
|
/**
|
|
164
164
|
* <p>The filter to use to identify the subset of cookies to inspect in a web request. </p>
|
|
165
165
|
* <p>You must specify exactly one setting: either <code>All</code>, <code>IncludedCookies</code>, or <code>ExcludedCookies</code>.</p>
|
|
166
|
-
* <p>Example JSON: <code>"
|
|
166
|
+
* <p>Example JSON: <code>"MatchPattern": { "IncludedCookies": {"KeyToInclude1", "KeyToInclude2", "KeyToInclude3"} }</code>
|
|
167
167
|
* </p>
|
|
168
168
|
*/
|
|
169
169
|
export interface CookieMatchPattern {
|
|
@@ -172,11 +172,13 @@ export interface CookieMatchPattern {
|
|
|
172
172
|
*/
|
|
173
173
|
All?: All;
|
|
174
174
|
/**
|
|
175
|
-
* <p>Inspect only the cookies that have a key that matches one of the strings specified here.
|
|
175
|
+
* <p>Inspect only the cookies that have a key that matches one of the strings specified here.
|
|
176
|
+
* </p>
|
|
176
177
|
*/
|
|
177
178
|
IncludedCookies?: string[];
|
|
178
179
|
/**
|
|
179
|
-
* <p>Inspect only the cookies whose keys don't match any of the strings specified here.
|
|
180
|
+
* <p>Inspect only the cookies whose keys don't match any of the strings specified here.
|
|
181
|
+
* </p>
|
|
180
182
|
*/
|
|
181
183
|
ExcludedCookies?: string[];
|
|
182
184
|
}
|
|
@@ -192,23 +194,25 @@ export declare enum MapMatchScope {
|
|
|
192
194
|
VALUE = "VALUE"
|
|
193
195
|
}
|
|
194
196
|
/**
|
|
195
|
-
* <p>Inspect the cookies in the web request. You can specify the parts of the cookies to
|
|
196
|
-
*
|
|
197
|
-
*
|
|
198
|
-
* <p>
|
|
197
|
+
* <p>Inspect the cookies in the web request. You can specify the parts of the cookies to
|
|
198
|
+
* inspect and you can narrow the set of cookies to inspect by including or excluding specific
|
|
199
|
+
* keys.</p>
|
|
200
|
+
* <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p>
|
|
201
|
+
* <p>Example JSON: <code>"Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
|
|
202
|
+
* "OversizeHandling": "MATCH" }</code>
|
|
199
203
|
* </p>
|
|
200
204
|
*/
|
|
201
205
|
export interface Cookies {
|
|
202
206
|
/**
|
|
203
207
|
* <p>The filter to use to identify the subset of cookies to inspect in a web request. </p>
|
|
204
208
|
* <p>You must specify exactly one setting: either <code>All</code>, <code>IncludedCookies</code>, or <code>ExcludedCookies</code>.</p>
|
|
205
|
-
* <p>Example JSON: <code>"
|
|
209
|
+
* <p>Example JSON: <code>"MatchPattern": { "IncludedCookies": {"KeyToInclude1", "KeyToInclude2", "KeyToInclude3"} }</code>
|
|
206
210
|
* </p>
|
|
207
211
|
*/
|
|
208
212
|
MatchPattern: CookieMatchPattern | undefined;
|
|
209
213
|
/**
|
|
210
|
-
* <p>The parts of the cookies to inspect with the rule inspection criteria. If you
|
|
211
|
-
*
|
|
214
|
+
* <p>The parts of the cookies to inspect with the rule inspection criteria. If you specify
|
|
215
|
+
* <code>All</code>, WAF inspects both keys and values. </p>
|
|
212
216
|
*/
|
|
213
217
|
MatchScope: MapMatchScope | string | undefined;
|
|
214
218
|
/**
|
|
@@ -245,7 +249,7 @@ export declare namespace Cookies {
|
|
|
245
249
|
/**
|
|
246
250
|
* <p>The filter to use to identify the subset of headers to inspect in a web request. </p>
|
|
247
251
|
* <p>You must specify exactly one setting: either <code>All</code>, <code>IncludedHeaders</code>, or <code>ExcludedHeaders</code>.</p>
|
|
248
|
-
* <p>Example JSON: <code>"
|
|
252
|
+
* <p>Example JSON: <code>"MatchPattern": { "ExcludedHeaders": {"KeyToExclude1", "KeyToExclude2"} }</code>
|
|
249
253
|
* </p>
|
|
250
254
|
*/
|
|
251
255
|
export interface HeaderMatchPattern {
|
|
@@ -254,11 +258,13 @@ export interface HeaderMatchPattern {
|
|
|
254
258
|
*/
|
|
255
259
|
All?: All;
|
|
256
260
|
/**
|
|
257
|
-
* <p>Inspect only the headers that have a key that matches one of the strings specified here.
|
|
261
|
+
* <p>Inspect only the headers that have a key that matches one of the strings specified here.
|
|
262
|
+
* </p>
|
|
258
263
|
*/
|
|
259
264
|
IncludedHeaders?: string[];
|
|
260
265
|
/**
|
|
261
|
-
* <p>Inspect only the headers whose keys don't match any of the strings specified here.
|
|
266
|
+
* <p>Inspect only the headers whose keys don't match any of the strings specified here.
|
|
267
|
+
* </p>
|
|
262
268
|
*/
|
|
263
269
|
ExcludedHeaders?: string[];
|
|
264
270
|
}
|
|
@@ -269,25 +275,28 @@ export declare namespace HeaderMatchPattern {
|
|
|
269
275
|
const filterSensitiveLog: (obj: HeaderMatchPattern) => any;
|
|
270
276
|
}
|
|
271
277
|
/**
|
|
272
|
-
* <p>Inspect
|
|
273
|
-
*
|
|
274
|
-
*
|
|
275
|
-
* <p>
|
|
276
|
-
*
|
|
277
|
-
*
|
|
278
|
+
* <p>Inspect all headers in the web request. You can specify the parts of the headers to
|
|
279
|
+
* inspect and you can narrow the set of headers to inspect by including or excluding specific
|
|
280
|
+
* keys.</p>
|
|
281
|
+
* <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p>
|
|
282
|
+
* <p>If you want to inspect just the value of a single header, use the
|
|
283
|
+
* <code>SingleHeader</code>
|
|
284
|
+
* <code>FieldToMatch</code> setting instead.</p>
|
|
285
|
+
* <p>Example JSON: <code>"Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
|
|
286
|
+
* "OversizeHandling": "MATCH" }</code>
|
|
278
287
|
* </p>
|
|
279
288
|
*/
|
|
280
289
|
export interface Headers {
|
|
281
290
|
/**
|
|
282
291
|
* <p>The filter to use to identify the subset of headers to inspect in a web request. </p>
|
|
283
292
|
* <p>You must specify exactly one setting: either <code>All</code>, <code>IncludedHeaders</code>, or <code>ExcludedHeaders</code>.</p>
|
|
284
|
-
* <p>Example JSON: <code>"
|
|
293
|
+
* <p>Example JSON: <code>"MatchPattern": { "ExcludedHeaders": {"KeyToExclude1", "KeyToExclude2"} }</code>
|
|
285
294
|
* </p>
|
|
286
295
|
*/
|
|
287
296
|
MatchPattern: HeaderMatchPattern | undefined;
|
|
288
297
|
/**
|
|
289
|
-
* <p>The parts of the headers to match with the rule inspection criteria. If you
|
|
290
|
-
*
|
|
298
|
+
* <p>The parts of the headers to match with the rule inspection criteria. If you specify
|
|
299
|
+
* <code>All</code>, WAF inspects both keys and values. </p>
|
|
291
300
|
*/
|
|
292
301
|
MatchScope: MapMatchScope | string | undefined;
|
|
293
302
|
/**
|
|
@@ -370,13 +379,13 @@ export declare enum JsonMatchScope {
|
|
|
370
379
|
/**
|
|
371
380
|
* <p>Inspect the body of the web request as JSON. The body immediately follows the request
|
|
372
381
|
* headers. </p>
|
|
373
|
-
*
|
|
382
|
+
* <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p>
|
|
374
383
|
* <p>Use the specifications in this object to indicate which parts of the JSON body to
|
|
375
384
|
* inspect using the rule's inspection criteria. WAF inspects only the parts of the JSON
|
|
376
|
-
* that result from the matches that you
|
|
377
|
-
* indicate.
|
|
385
|
+
* that result from the matches that you indicate.
|
|
378
386
|
* </p>
|
|
379
|
-
* <p>Example JSON: <code>"JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL"
|
|
387
|
+
* <p>Example JSON: <code>"JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL"
|
|
388
|
+
* }</code>
|
|
380
389
|
* </p>
|
|
381
390
|
*/
|
|
382
391
|
export interface JsonBody {
|
|
@@ -396,14 +405,14 @@ export interface JsonBody {
|
|
|
396
405
|
* <ul>
|
|
397
406
|
* <li>
|
|
398
407
|
* <p>
|
|
399
|
-
* <code>EVALUATE_AS_STRING</code> - Inspect the body as plain text. WAF
|
|
400
|
-
* the text transformations and inspection criteria that you defined for the
|
|
401
|
-
* inspection to the body text string.</p>
|
|
408
|
+
* <code>EVALUATE_AS_STRING</code> - Inspect the body as plain text. WAF
|
|
409
|
+
* applies the text transformations and inspection criteria that you defined for the
|
|
410
|
+
* JSON inspection to the body text string.</p>
|
|
402
411
|
* </li>
|
|
403
412
|
* <li>
|
|
404
413
|
* <p>
|
|
405
|
-
* <code>MATCH</code> - Treat the web request as matching the rule statement.
|
|
406
|
-
* applies the rule action to the request.</p>
|
|
414
|
+
* <code>MATCH</code> - Treat the web request as matching the rule statement.
|
|
415
|
+
* WAF applies the rule action to the request.</p>
|
|
407
416
|
* </li>
|
|
408
417
|
* <li>
|
|
409
418
|
* <p>
|
|
@@ -469,8 +478,9 @@ export declare namespace JsonBody {
|
|
|
469
478
|
const filterSensitiveLog: (obj: JsonBody) => any;
|
|
470
479
|
}
|
|
471
480
|
/**
|
|
472
|
-
* <p>Inspect the HTTP method of the web request. The method indicates the type of operation
|
|
473
|
-
*
|
|
481
|
+
* <p>Inspect the HTTP method of the web request. The method indicates the type of operation
|
|
482
|
+
* that the request is asking the origin to perform. </p>
|
|
483
|
+
* <p>This is used only in the <a>FieldToMatch</a> specification for some web request component types. </p>
|
|
474
484
|
* <p>JSON specification: <code>"Method": {}</code>
|
|
475
485
|
* </p>
|
|
476
486
|
*/
|
|
@@ -483,8 +493,9 @@ export declare namespace Method {
|
|
|
483
493
|
const filterSensitiveLog: (obj: Method) => any;
|
|
484
494
|
}
|
|
485
495
|
/**
|
|
486
|
-
* <p>Inspect the query string of the web request. This is the part of a URL that appears
|
|
487
|
-
*
|
|
496
|
+
* <p>Inspect the query string of the web request. This is the part of a URL that appears
|
|
497
|
+
* after a <code>?</code> character, if any.</p>
|
|
498
|
+
* <p>This is used only in the <a>FieldToMatch</a> specification for some web request component types. </p>
|
|
488
499
|
* <p>JSON specification: <code>"QueryString": {}</code>
|
|
489
500
|
* </p>
|
|
490
501
|
*/
|
|
@@ -499,8 +510,9 @@ export declare namespace QueryString {
|
|
|
499
510
|
/**
|
|
500
511
|
* <p>Inspect one of the headers in the web request, identified by name, for example,
|
|
501
512
|
* <code>User-Agent</code> or <code>Referer</code>. The name isn't case sensitive.</p>
|
|
502
|
-
* <p>You can filter and inspect all headers with the <code>FieldToMatch</code> setting
|
|
503
|
-
*
|
|
513
|
+
* <p>You can filter and inspect all headers with the <code>FieldToMatch</code> setting
|
|
514
|
+
* <code>Headers</code>.</p>
|
|
515
|
+
* <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p>
|
|
504
516
|
* <p>Example JSON: <code>"SingleHeader": { "Name": "haystack" }</code>
|
|
505
517
|
* </p>
|
|
506
518
|
*/
|
|
@@ -518,8 +530,9 @@ export declare namespace SingleHeader {
|
|
|
518
530
|
}
|
|
519
531
|
/**
|
|
520
532
|
* <p>Inspect one query argument in the web request, identified by name, for example
|
|
521
|
-
* <i>UserName</i> or <i>SalesRegion</i>. The name isn't case
|
|
522
|
-
*
|
|
533
|
+
* <i>UserName</i> or <i>SalesRegion</i>. The name isn't case
|
|
534
|
+
* sensitive. </p>
|
|
535
|
+
* <p>This is used to indicate the web request component to inspect, in the <a>FieldToMatch</a> specification. </p>
|
|
523
536
|
* <p>Example JSON: <code>"SingleQueryArgument": { "Name": "myArgument" }</code>
|
|
524
537
|
* </p>
|
|
525
538
|
*/
|
|
@@ -536,7 +549,8 @@ export declare namespace SingleQueryArgument {
|
|
|
536
549
|
const filterSensitiveLog: (obj: SingleQueryArgument) => any;
|
|
537
550
|
}
|
|
538
551
|
/**
|
|
539
|
-
* <p>Inspect the path component of the URI of the web request. This is the part of the web
|
|
552
|
+
* <p>Inspect the path component of the URI of the web request. This is the part of the web
|
|
553
|
+
* request that identifies a resource. For example, <code>/images/daily-ad.jpg</code>.</p>
|
|
540
554
|
* <p>This is used only in the <a>FieldToMatch</a> specification for some web request component types. </p>
|
|
541
555
|
* <p>JSON specification: <code>"UriPath": {}</code>
|
|
542
556
|
* </p>
|
|
@@ -550,14 +564,19 @@ export declare namespace UriPath {
|
|
|
550
564
|
const filterSensitiveLog: (obj: UriPath) => any;
|
|
551
565
|
}
|
|
552
566
|
/**
|
|
553
|
-
* <p>The part of the web request that you want WAF to inspect. Include the single
|
|
567
|
+
* <p>The part of the web request that you want WAF to inspect. Include the single
|
|
568
|
+
* <code>FieldToMatch</code> type that you want to inspect, with additional specifications
|
|
569
|
+
* as needed, according to the type. You specify a single request component in
|
|
570
|
+
* <code>FieldToMatch</code> for each rule statement that requires it. To inspect more than
|
|
571
|
+
* one component of the web request, create a separate rule statement for each
|
|
572
|
+
* component.</p>
|
|
554
573
|
* <p>Example JSON for a <code>QueryString</code> field to match: </p>
|
|
555
574
|
* <p>
|
|
556
|
-
* <code>
|
|
575
|
+
* <code> "FieldToMatch": { "QueryString": {} }</code>
|
|
557
576
|
* </p>
|
|
558
577
|
* <p>Example JSON for a <code>Method</code> field to match specification:</p>
|
|
559
578
|
* <p>
|
|
560
|
-
* <code>
|
|
579
|
+
* <code> "FieldToMatch": { "Method": { "Name": "DELETE" } }</code>
|
|
561
580
|
* </p>
|
|
562
581
|
*/
|
|
563
582
|
export interface FieldToMatch {
|
|
@@ -597,9 +616,9 @@ export interface FieldToMatch {
|
|
|
597
616
|
* <p>Inspect the request body as plain text. The request body immediately follows the request
|
|
598
617
|
* headers. This is the part of a request that contains any additional data that you want to
|
|
599
618
|
* send to your web server as the HTTP request body, such as data from a form. </p>
|
|
600
|
-
* <p>Only the first 8 KB (8192 bytes) of the request body are forwarded to
|
|
601
|
-
*
|
|
602
|
-
*
|
|
619
|
+
* <p>Only the first 8 KB (8192 bytes) of the request body are forwarded to WAF for
|
|
620
|
+
* inspection by the underlying host service. For information about how to handle oversized
|
|
621
|
+
* request bodies, see the <code>Body</code> object configuration. </p>
|
|
603
622
|
*/
|
|
604
623
|
Body?: Body;
|
|
605
624
|
/**
|
|
@@ -611,27 +630,31 @@ export interface FieldToMatch {
|
|
|
611
630
|
* <p>Inspect the request body as JSON. The request body immediately follows the request
|
|
612
631
|
* headers. This is the part of a request that contains any additional data that you want to
|
|
613
632
|
* send to your web server as the HTTP request body, such as data from a form. </p>
|
|
614
|
-
* <p>Only the first 8 KB (8192 bytes) of the request body are forwarded to
|
|
615
|
-
*
|
|
616
|
-
*
|
|
633
|
+
* <p>Only the first 8 KB (8192 bytes) of the request body are forwarded to WAF for
|
|
634
|
+
* inspection by the underlying host service. For information about how to handle oversized
|
|
635
|
+
* request bodies, see the <code>JsonBody</code> object configuration. </p>
|
|
617
636
|
*/
|
|
618
637
|
JsonBody?: JsonBody;
|
|
619
638
|
/**
|
|
620
|
-
* <p>Inspect the request headers. You must configure scope and pattern matching filters
|
|
621
|
-
*
|
|
622
|
-
*
|
|
623
|
-
*
|
|
624
|
-
*
|
|
625
|
-
*
|
|
639
|
+
* <p>Inspect the request headers. You must configure scope and pattern matching filters in
|
|
640
|
+
* the <code>Headers</code> object, to define the set of headers to and the parts of the
|
|
641
|
+
* headers that WAF inspects. </p>
|
|
642
|
+
* <p>Only the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers
|
|
643
|
+
* are forwarded to WAF for inspection by the underlying host service. You must
|
|
644
|
+
* configure how to handle any oversize header content in the <code>Headers</code> object.
|
|
645
|
+
* WAF applies the pattern matching filters to the headers that it receives from the
|
|
646
|
+
* underlying host service. </p>
|
|
626
647
|
*/
|
|
627
648
|
Headers?: Headers;
|
|
628
649
|
/**
|
|
629
|
-
* <p>Inspect the request cookies. You must configure scope and pattern matching filters
|
|
630
|
-
*
|
|
631
|
-
*
|
|
632
|
-
*
|
|
633
|
-
*
|
|
634
|
-
*
|
|
650
|
+
* <p>Inspect the request cookies. You must configure scope and pattern matching filters in
|
|
651
|
+
* the <code>Cookies</code> object, to define the set of cookies and the parts of the cookies
|
|
652
|
+
* that WAF inspects. </p>
|
|
653
|
+
* <p>Only the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies
|
|
654
|
+
* are forwarded to WAF for inspection by the underlying host service. You must
|
|
655
|
+
* configure how to handle any oversize cookie content in the <code>Cookies</code> object.
|
|
656
|
+
* WAF applies the pattern matching filters to the cookies that it receives from the
|
|
657
|
+
* underlying host service. </p>
|
|
635
658
|
*/
|
|
636
659
|
Cookies?: Cookies;
|
|
637
660
|
}
|
|
@@ -686,8 +709,8 @@ export interface TextTransformation {
|
|
|
686
709
|
/**
|
|
687
710
|
* <p>You can specify the following transformation types:</p>
|
|
688
711
|
* <p>
|
|
689
|
-
* <b>BASE64_DECODE</b> - Decode a
|
|
690
|
-
* string.</p>
|
|
712
|
+
* <b>BASE64_DECODE</b> - Decode a
|
|
713
|
+
* <code>Base64</code>-encoded string.</p>
|
|
691
714
|
* <p>
|
|
692
715
|
* <b>BASE64_DECODE_EXT</b> - Decode a
|
|
693
716
|
* <code>Base64</code>-encoded string, but use a forgiving implementation that ignores
|
|
@@ -716,7 +739,6 @@ export interface TextTransformation {
|
|
|
716
739
|
* <p>Convert uppercase letters (A-Z) to lowercase (a-z)</p>
|
|
717
740
|
* </li>
|
|
718
741
|
* </ul>
|
|
719
|
-
*
|
|
720
742
|
* <p>
|
|
721
743
|
* <b>COMPRESS_WHITE_SPACE</b> - Replace these characters
|
|
722
744
|
* with a space character (decimal 32): </p>
|
|
@@ -749,17 +771,20 @@ export interface TextTransformation {
|
|
|
749
771
|
* <code>COMPRESS_WHITE_SPACE</code> also replaces multiple spaces with one space.</p>
|
|
750
772
|
* <p>
|
|
751
773
|
* <b>CSS_DECODE</b> - Decode characters that were encoded
|
|
752
|
-
* using CSS 2.x escape rules <code>syndata.html#characters</code>. This function uses up to
|
|
753
|
-
* the decoding process, so it can help to uncover ASCII characters that were
|
|
754
|
-
* CSS encoding that wouldn’t typically be encoded. It's also useful in
|
|
755
|
-
* which is a combination of a backslash and non-hexadecimal characters.
|
|
756
|
-
* <code>ja\vascript</code> for javascript. </p>
|
|
774
|
+
* using CSS 2.x escape rules <code>syndata.html#characters</code>. This function uses up to
|
|
775
|
+
* two bytes in the decoding process, so it can help to uncover ASCII characters that were
|
|
776
|
+
* encoded using CSS encoding that wouldn’t typically be encoded. It's also useful in
|
|
777
|
+
* countering evasion, which is a combination of a backslash and non-hexadecimal characters.
|
|
778
|
+
* For example, <code>ja\vascript</code> for javascript. </p>
|
|
757
779
|
* <p>
|
|
758
|
-
* <b>ESCAPE_SEQ_DECODE</b> - Decode the following ANSI C
|
|
759
|
-
* <code>\a</code>, <code>\b</code>, <code>\f</code>, <code>\n</code>,
|
|
760
|
-
*
|
|
780
|
+
* <b>ESCAPE_SEQ_DECODE</b> - Decode the following ANSI C
|
|
781
|
+
* escape sequences: <code>\a</code>, <code>\b</code>, <code>\f</code>, <code>\n</code>,
|
|
782
|
+
* <code>\r</code>, <code>\t</code>, <code>\v</code>, <code>\\</code>, <code>\?</code>,
|
|
783
|
+
* <code>\'</code>, <code>\"</code>, <code>\xHH</code> (hexadecimal), <code>\0OOO</code>
|
|
784
|
+
* (octal). Encodings that aren't valid remain in the output. </p>
|
|
761
785
|
* <p>
|
|
762
|
-
* <b>HEX_DECODE</b> - Decode a string of hexadecimal
|
|
786
|
+
* <b>HEX_DECODE</b> - Decode a string of hexadecimal
|
|
787
|
+
* characters into a binary.</p>
|
|
763
788
|
* <p>
|
|
764
789
|
* <b>HTML_ENTITY_DECODE</b> - Replace HTML-encoded
|
|
765
790
|
* characters with unencoded characters. <code>HTML_ENTITY_DECODE</code> performs these
|
|
@@ -770,7 +795,8 @@ export interface TextTransformation {
|
|
|
770
795
|
* </p>
|
|
771
796
|
* </li>
|
|
772
797
|
* <li>
|
|
773
|
-
* <p>Replaces <code>(ampersand)nbsp;</code> with a non-breaking space, decimal
|
|
798
|
+
* <p>Replaces <code>(ampersand)nbsp;</code> with a non-breaking space, decimal
|
|
799
|
+
* 160</p>
|
|
774
800
|
* </li>
|
|
775
801
|
* <li>
|
|
776
802
|
* <p>Replaces <code>(ampersand)lt;</code> with a "less than" symbol</p>
|
|
@@ -780,19 +806,22 @@ export interface TextTransformation {
|
|
|
780
806
|
* </p>
|
|
781
807
|
* </li>
|
|
782
808
|
* <li>
|
|
783
|
-
* <p>Replaces characters that are represented in hexadecimal format,
|
|
809
|
+
* <p>Replaces characters that are represented in hexadecimal format,
|
|
810
|
+
* <code>(ampersand)#xhhhh;</code>, with the corresponding characters</p>
|
|
784
811
|
* </li>
|
|
785
812
|
* <li>
|
|
786
|
-
* <p>Replaces characters that are represented in decimal format,
|
|
787
|
-
*
|
|
813
|
+
* <p>Replaces characters that are represented in decimal format,
|
|
814
|
+
* <code>(ampersand)#nnnn;</code>, with the corresponding characters</p>
|
|
788
815
|
* </li>
|
|
789
816
|
* </ul>
|
|
790
817
|
* <p>
|
|
791
818
|
* <b>JS_DECODE</b> - Decode JavaScript escape sequences. If
|
|
792
|
-
* a
|
|
819
|
+
* a
|
|
820
|
+
* <code>\</code>
|
|
793
821
|
* <code>u</code>
|
|
794
|
-
* <code>HHHH</code>
|
|
795
|
-
*
|
|
822
|
+
* <code>HHHH</code>
|
|
823
|
+
* code is in the full-width ASCII code range of <code>FF01-FF5E</code>, then the higher byte
|
|
824
|
+
* is used to detect and adjust the lower byte. If not, only the lower byte is used and the
|
|
796
825
|
* higher byte is zeroed, causing a possible loss of information. </p>
|
|
797
826
|
* <p>
|
|
798
827
|
* <b>LOWERCASE</b> - Convert uppercase letters (A-Z) to
|
|
@@ -801,35 +830,37 @@ export interface TextTransformation {
|
|
|
801
830
|
* <b>MD5</b> - Calculate an MD5 hash from the data in the
|
|
802
831
|
* input. The computed hash is in a raw binary form. </p>
|
|
803
832
|
* <p>
|
|
804
|
-
* <b>NONE</b> - Specify <code>NONE</code> if you don't want
|
|
805
|
-
*
|
|
833
|
+
* <b>NONE</b> - Specify <code>NONE</code> if you don't want
|
|
834
|
+
* any text transformations. </p>
|
|
806
835
|
* <p>
|
|
807
836
|
* <b>NORMALIZE_PATH</b> - Remove multiple slashes, directory
|
|
808
837
|
* self-references, and directory back-references that are not at the beginning of the input
|
|
809
838
|
* from an input string. </p>
|
|
810
839
|
* <p>
|
|
811
840
|
* <b>NORMALIZE_PATH_WIN</b> - This is the same as
|
|
812
|
-
*
|
|
841
|
+
* <code>NORMALIZE_PATH</code>, but first converts backslash characters to forward slashes. </p>
|
|
813
842
|
* <p>
|
|
814
843
|
* <b>REMOVE_NULLS</b> - Remove all <code>NULL</code> bytes
|
|
815
844
|
* from the input. </p>
|
|
816
845
|
* <p>
|
|
817
846
|
* <b>REPLACE_COMMENTS</b> - Replace each occurrence of a
|
|
818
|
-
* C-style comment (<code>/* ... *\/</code>) with a single space. Multiple consecutive
|
|
819
|
-
* compressed. Unterminated comments are also replaced with a space (ASCII
|
|
820
|
-
* standalone termination of a comment (<code>*\/</code>) is not acted upon. </p>
|
|
847
|
+
* C-style comment (<code>/* ... *\/</code>) with a single space. Multiple consecutive
|
|
848
|
+
* occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII
|
|
849
|
+
* 0x20). However, a standalone termination of a comment (<code>*\/</code>) is not acted upon. </p>
|
|
821
850
|
* <p>
|
|
822
851
|
* <b>REPLACE_NULLS</b> - Replace NULL bytes in the input
|
|
823
852
|
* with space characters (ASCII <code>0x20</code>). </p>
|
|
824
853
|
* <p>
|
|
825
|
-
* <b>SQL_HEX_DECODE</b> - Decode SQL hex data. Example
|
|
854
|
+
* <b>SQL_HEX_DECODE</b> - Decode SQL hex data. Example
|
|
855
|
+
* (<code>0x414243</code>) will be decoded to (<code>ABC</code>).</p>
|
|
826
856
|
* <p>
|
|
827
857
|
* <b>URL_DECODE</b> - Decode a URL-encoded value. </p>
|
|
828
858
|
* <p>
|
|
829
|
-
* <b>URL_DECODE_UNI</b> - Like <code>URL_DECODE</code>, but
|
|
830
|
-
* for Microsoft-specific <code>%u</code> encoding. If the code is in the
|
|
831
|
-
* <code>FF01-FF5E</code>, the higher byte is used to detect
|
|
832
|
-
* lower byte is used and the higher byte is
|
|
859
|
+
* <b>URL_DECODE_UNI</b> - Like <code>URL_DECODE</code>, but
|
|
860
|
+
* with support for Microsoft-specific <code>%u</code> encoding. If the code is in the
|
|
861
|
+
* full-width ASCII code range of <code>FF01-FF5E</code>, the higher byte is used to detect
|
|
862
|
+
* and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is
|
|
863
|
+
* zeroed. </p>
|
|
833
864
|
* <p>
|
|
834
865
|
* <b>UTF8_TO_UNICODE</b> - Convert all UTF-8 character
|
|
835
866
|
* sequences to Unicode. This helps input normalization, and minimizing false-positives and
|
|
@@ -844,7 +875,7 @@ export declare namespace TextTransformation {
|
|
|
844
875
|
const filterSensitiveLog: (obj: TextTransformation) => any;
|
|
845
876
|
}
|
|
846
877
|
/**
|
|
847
|
-
* <p>A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is
|
|
878
|
+
* <p>A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is called a string match statement.</p>
|
|
848
879
|
*/
|
|
849
880
|
export interface ByteMatchStatement {
|
|
850
881
|
/**
|
|
@@ -885,7 +916,7 @@ export interface ByteMatchStatement {
|
|
|
885
916
|
*/
|
|
886
917
|
SearchString: Uint8Array | undefined;
|
|
887
918
|
/**
|
|
888
|
-
* <p>The part of the web request that you want WAF to inspect.
|
|
919
|
+
* <p>The part of the web request that you want WAF to inspect. </p>
|
|
889
920
|
*/
|
|
890
921
|
FieldToMatch: FieldToMatch | undefined;
|
|
891
922
|
/**
|
|
@@ -1415,9 +1446,10 @@ export declare namespace LabelMatchStatement {
|
|
|
1415
1446
|
const filterSensitiveLog: (obj: LabelMatchStatement) => any;
|
|
1416
1447
|
}
|
|
1417
1448
|
/**
|
|
1418
|
-
* <p>Specifies a single rule in a rule group whose action you want to override to
|
|
1419
|
-
*
|
|
1420
|
-
*
|
|
1449
|
+
* <p>Specifies a single rule in a rule group whose action you want to override to
|
|
1450
|
+
* <code>Count</code>. When you exclude a rule, WAF evaluates it exactly as it would if
|
|
1451
|
+
* the rule action setting were <code>Count</code>. This is a useful option for testing the
|
|
1452
|
+
* rules in a rule group without modifying how they handle your web traffic. </p>
|
|
1421
1453
|
*/
|
|
1422
1454
|
export interface ExcludedRule {
|
|
1423
1455
|
/**
|
|
@@ -1432,7 +1464,8 @@ export declare namespace ExcludedRule {
|
|
|
1432
1464
|
const filterSensitiveLog: (obj: ExcludedRule) => any;
|
|
1433
1465
|
}
|
|
1434
1466
|
/**
|
|
1435
|
-
* <p>Details about your login page password field, used in a
|
|
1467
|
+
* <p>Details about your login page password field, used in a
|
|
1468
|
+
* <code>ManagedRuleGroupConfig</code>. </p>
|
|
1436
1469
|
*/
|
|
1437
1470
|
export interface PasswordField {
|
|
1438
1471
|
/**
|
|
@@ -1451,7 +1484,8 @@ export declare enum PayloadType {
|
|
|
1451
1484
|
JSON = "JSON"
|
|
1452
1485
|
}
|
|
1453
1486
|
/**
|
|
1454
|
-
* <p>Details about your login page username field, used in a
|
|
1487
|
+
* <p>Details about your login page username field, used in a
|
|
1488
|
+
* <code>ManagedRuleGroupConfig</code>. </p>
|
|
1455
1489
|
*/
|
|
1456
1490
|
export interface UsernameField {
|
|
1457
1491
|
/**
|
|
@@ -1473,7 +1507,9 @@ export declare namespace UsernameField {
|
|
|
1473
1507
|
*/
|
|
1474
1508
|
export interface ManagedRuleGroupConfig {
|
|
1475
1509
|
/**
|
|
1476
|
-
* <p>The path of the login endpoint for your application. For example, for the URL
|
|
1510
|
+
* <p>The path of the login endpoint for your application. For example, for the URL
|
|
1511
|
+
* <code>https://example.com/web/login</code>, you would provide the path
|
|
1512
|
+
* <code>/web/login</code>.</p>
|
|
1477
1513
|
*/
|
|
1478
1514
|
LoginPath?: string;
|
|
1479
1515
|
/**
|
|
@@ -1508,7 +1544,7 @@ export interface RegexMatchStatement {
|
|
|
1508
1544
|
*/
|
|
1509
1545
|
RegexString: string | undefined;
|
|
1510
1546
|
/**
|
|
1511
|
-
* <p>The part of the web request that you want WAF to inspect.
|
|
1547
|
+
* <p>The part of the web request that you want WAF to inspect. </p>
|
|
1512
1548
|
*/
|
|
1513
1549
|
FieldToMatch: FieldToMatch | undefined;
|
|
1514
1550
|
/**
|
|
@@ -1535,7 +1571,7 @@ export interface RegexPatternSetReferenceStatement {
|
|
|
1535
1571
|
*/
|
|
1536
1572
|
ARN: string | undefined;
|
|
1537
1573
|
/**
|
|
1538
|
-
* <p>The part of the web request that you want WAF to inspect.
|
|
1574
|
+
* <p>The part of the web request that you want WAF to inspect. </p>
|
|
1539
1575
|
*/
|
|
1540
1576
|
FieldToMatch: FieldToMatch | undefined;
|
|
1541
1577
|
/**
|
|
@@ -1562,9 +1598,10 @@ export interface RuleGroupReferenceStatement {
|
|
|
1562
1598
|
*/
|
|
1563
1599
|
ARN: string | undefined;
|
|
1564
1600
|
/**
|
|
1565
|
-
* <p>The rules in the referenced rule group whose actions are set to <code>Count</code>.
|
|
1566
|
-
*
|
|
1567
|
-
*
|
|
1601
|
+
* <p>The rules in the referenced rule group whose actions are set to <code>Count</code>. When
|
|
1602
|
+
* you exclude a rule, WAF evaluates it exactly as it would if the rule action setting were
|
|
1603
|
+
* <code>Count</code>. This is a useful option for testing the rules in a rule group
|
|
1604
|
+
* without modifying how they handle your web traffic.</p>
|
|
1568
1605
|
*/
|
|
1569
1606
|
ExcludedRules?: ExcludedRule[];
|
|
1570
1607
|
}
|
|
@@ -1584,12 +1621,12 @@ export declare enum ComparisonOperator {
|
|
|
1584
1621
|
}
|
|
1585
1622
|
/**
|
|
1586
1623
|
* <p>A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. </p>
|
|
1587
|
-
* <p>If you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you
|
|
1624
|
+
* <p>If you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.</p>
|
|
1588
1625
|
* <p>If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI <code>/logo.jpg</code> is nine characters long.</p>
|
|
1589
1626
|
*/
|
|
1590
1627
|
export interface SizeConstraintStatement {
|
|
1591
1628
|
/**
|
|
1592
|
-
* <p>The part of the web request that you want WAF to inspect.
|
|
1629
|
+
* <p>The part of the web request that you want WAF to inspect. </p>
|
|
1593
1630
|
*/
|
|
1594
1631
|
FieldToMatch: FieldToMatch | undefined;
|
|
1595
1632
|
/**
|
|
@@ -1613,12 +1650,16 @@ export declare namespace SizeConstraintStatement {
|
|
|
1613
1650
|
*/
|
|
1614
1651
|
const filterSensitiveLog: (obj: SizeConstraintStatement) => any;
|
|
1615
1652
|
}
|
|
1653
|
+
export declare enum SensitivityLevel {
|
|
1654
|
+
HIGH = "HIGH",
|
|
1655
|
+
LOW = "LOW"
|
|
1656
|
+
}
|
|
1616
1657
|
/**
|
|
1617
|
-
* <p>
|
|
1658
|
+
* <p>A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it. </p>
|
|
1618
1659
|
*/
|
|
1619
1660
|
export interface SqliMatchStatement {
|
|
1620
1661
|
/**
|
|
1621
|
-
* <p>The part of the web request that you want WAF to inspect.
|
|
1662
|
+
* <p>The part of the web request that you want WAF to inspect. </p>
|
|
1622
1663
|
*/
|
|
1623
1664
|
FieldToMatch: FieldToMatch | undefined;
|
|
1624
1665
|
/**
|
|
@@ -1627,6 +1668,21 @@ export interface SqliMatchStatement {
|
|
|
1627
1668
|
* content of the request component identified by <code>FieldToMatch</code>, starting from the lowest priority setting, before inspecting the content for a match.</p>
|
|
1628
1669
|
*/
|
|
1629
1670
|
TextTransformations: TextTransformation[] | undefined;
|
|
1671
|
+
/**
|
|
1672
|
+
* <p>The sensitivity that you want WAF to use to inspect for SQL injection attacks. </p>
|
|
1673
|
+
* <p>
|
|
1674
|
+
* <code>HIGH</code> detects more attacks, but might generate more false positives,
|
|
1675
|
+
* especially if your web requests frequently contain unusual strings.
|
|
1676
|
+
* For information about identifying and mitigating false positives, see
|
|
1677
|
+
* <a href="https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing.html">Testing and tuning</a> in the
|
|
1678
|
+
* <i>WAF Developer Guide</i>.</p>
|
|
1679
|
+
* <p>
|
|
1680
|
+
* <code>LOW</code> is generally a better choice for resources that already have other
|
|
1681
|
+
* protections against SQL injection attacks or that have a low tolerance for false positives. </p>
|
|
1682
|
+
* <p>Default: <code>LOW</code>
|
|
1683
|
+
* </p>
|
|
1684
|
+
*/
|
|
1685
|
+
SensitivityLevel?: SensitivityLevel | string;
|
|
1630
1686
|
}
|
|
1631
1687
|
export declare namespace SqliMatchStatement {
|
|
1632
1688
|
/**
|
|
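Review bot: The new optional `SensitivityLevel` member of `SqliMatchStatement` is typed `SensitivityLevel | string`, so a misspelled or wrong-case literal such as `"high"` still type-checks and any rejection is left to the service. Callers only get compile-time checking by passing the enum member, e.g. `SensitivityLevel: SensitivityLevel.HIGH`. The doc comment gives the default as `LOW` but never says what a rule that omits the field gets, which matters because `HIGH` is described as the setting that detects more attacks. I would add `* <p>If you omit this setting, WAF inspects at <code>LOW</code>.</p>` before the closing `*/`, assuming that is what "Default" means here, so that users upgrading know existing rules stay at the lower sensitivity unless they opt in. The interface body starts above this hunk, and the enum itself is declared in the preceding hunk.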
@@ -1635,15 +1691,12 @@ export declare namespace SqliMatchStatement {
|
|
|
1635
1691
|
const filterSensitiveLog: (obj: SqliMatchStatement) => any;
|
|
1636
1692
|
}
|
|
1637
1693
|
/**
|
|
1638
|
-
* <p>A rule statement that
|
|
1639
|
-
*
|
|
1640
|
-
* client-site scripts into other legitimate web browsers.
|
|
1641
|
-
* The XSS match statement provides the location in requests that you want WAF to search and text transformations
|
|
1642
|
-
* to use on the search area before WAF searches for character sequences that are likely to be malicious strings. </p>
|
|
1694
|
+
* <p>A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker
|
|
1695
|
+
* uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers. </p>
|
|
1643
1696
|
*/
|
|
1644
1697
|
export interface XssMatchStatement {
|
|
1645
1698
|
/**
|
|
1646
|
-
* <p>The part of the web request that you want WAF to inspect.
|
|
1699
|
+
* <p>The part of the web request that you want WAF to inspect. </p>
|
|
1647
1700
|
*/
|
|
1648
1701
|
FieldToMatch: FieldToMatch | undefined;
|
|
1649
1702
|
/**
|
|
@@ -1809,7 +1862,8 @@ export declare enum ParameterExceptionField {
|
|
|
1809
1862
|
* isn't among the types available at <a>DefaultAction</a>.</p>
|
|
1810
1863
|
* </li>
|
|
1811
1864
|
* <li>
|
|
1812
|
-
* <p>Your request references an ARN that is malformed, or corresponds to a resource
|
|
1865
|
+
* <p>Your request references an ARN that is malformed, or corresponds to a resource
|
|
1866
|
+
* with which a web ACL can't be associated.</p>
|
|
1813
1867
|
* </li>
|
|
1814
1868
|
* </ul>
|
|
1815
1869
|
*/
|
|
@@ -1846,7 +1900,9 @@ export declare class WAFNonexistentItemException extends __BaseException {
|
|
|
1846
1900
|
constructor(opts: __ExceptionOptionType<WAFNonexistentItemException, __BaseException>);
|
|
1847
1901
|
}
|
|
1848
1902
|
/**
|
|
1849
|
-
* <p>WAF couldn’t retrieve a resource that you specified for this operation. Verify the
|
|
1903
|
+
* <p>WAF couldn’t retrieve a resource that you specified for this operation. Verify the
|
|
1904
|
+
* resources that you are specifying in your request parameters and then retry the
|
|
1905
|
+
* operation.</p>
|
|
1850
1906
|
*/
|
|
1851
1907
|
export declare class WAFUnavailableEntityException extends __BaseException {
|
|
1852
1908
|
readonly name: "WAFUnavailableEntityException";
|
|
@@ -1866,7 +1922,7 @@ export declare class WAFUnavailableEntityException extends __BaseException {
|
|
|
1866
1922
|
export interface CustomResponse {
|
|
1867
1923
|
/**
|
|
1868
1924
|
* <p>The HTTP status code to return to the client. </p>
|
|
1869
|
-
* <p>For a list of status codes that you can use in your custom
|
|
1925
|
+
* <p>For a list of status codes that you can use in your custom responses, see <a href="https://docs.aws.amazon.com/waf/latest/developerguide/customizing-the-response-status-codes.html">Supported status codes for custom response</a> in the
|
|
1870
1926
|
* <a href="https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html">WAF Developer Guide</a>. </p>
|
|
1871
1927
|
*/
|
|
1872
1928
|
ResponseCode: number | undefined;
|
|
@@ -1940,7 +1996,6 @@ export declare namespace BlockAction {
|
|
|
1940
1996
|
* in the <code>CaptchaConfig</code>
|
|
1941
1997
|
* <code>ImmunityTimeProperty</code> setting at the rule and web ACL level. The rule setting overrides the web ACL setting. </p>
|
|
1942
1998
|
* <p>This action option is available for rules. It isn't available for web ACL default actions. </p>
|
|
1943
|
-
* <p>This is used in the context of other settings, for example to specify values for <a>RuleAction</a> and web ACL <a>DefaultAction</a>. </p>
|
|
1944
1999
|
*/
|
|
1945
2000
|
export interface CaptchaAction {
|
|
1946
2001
|
/**
|
|
@@ -2004,11 +2059,13 @@ export declare namespace RuleAction {
|
|
|
2004
2059
|
const filterSensitiveLog: (obj: RuleAction) => any;
|
|
2005
2060
|
}
|
|
2006
2061
|
/**
|
|
2007
|
-
* <p>Determines how long a <code>CAPTCHA</code> token remains valid after the client
|
|
2062
|
+
* <p>Determines how long a <code>CAPTCHA</code> token remains valid after the client
|
|
2063
|
+
* successfully solves a <code>CAPTCHA</code> puzzle. </p>
|
|
2008
2064
|
*/
|
|
2009
2065
|
export interface ImmunityTimeProperty {
|
|
2010
2066
|
/**
|
|
2011
|
-
* <p>The amount of time, in seconds, that a <code>CAPTCHA</code> token is valid. The default
|
|
2067
|
+
* <p>The amount of time, in seconds, that a <code>CAPTCHA</code> token is valid. The default
|
|
2068
|
+
* setting is 300.</p>
|
|
2012
2069
|
*/
|
|
2013
2070
|
ImmunityTime: number | undefined;
|
|
2014
2071
|
}
|
|
@@ -2019,11 +2076,13 @@ export declare namespace ImmunityTimeProperty {
|
|
|
2019
2076
|
const filterSensitiveLog: (obj: ImmunityTimeProperty) => any;
|
|
2020
2077
|
}
|
|
2021
2078
|
/**
|
|
2022
|
-
* <p>Specifies how WAF should handle <code>CAPTCHA</code> evaluations. This is
|
|
2079
|
+
* <p>Specifies how WAF should handle <code>CAPTCHA</code> evaluations. This is
|
|
2080
|
+
* available at the web ACL level and in each rule. </p>
|
|
2023
2081
|
*/
|
|
2024
2082
|
export interface CaptchaConfig {
|
|
2025
2083
|
/**
|
|
2026
|
-
* <p>Determines how long a <code>CAPTCHA</code> token remains valid after the client
|
|
2084
|
+
* <p>Determines how long a <code>CAPTCHA</code> token remains valid after the client
|
|
2085
|
+
* successfully solves a <code>CAPTCHA</code> puzzle. </p>
|
|
2027
2086
|
*/
|
|
2028
2087
|
ImmunityTimeProperty?: ImmunityTimeProperty;
|
|
2029
2088
|
}
|
|
@@ -2034,8 +2093,9 @@ export declare namespace CaptchaConfig {
|
|
|
2034
2093
|
const filterSensitiveLog: (obj: CaptchaConfig) => any;
|
|
2035
2094
|
}
|
|
2036
2095
|
/**
|
|
2037
|
-
* <p>Specifies that WAF should do nothing. This is used for the
|
|
2038
|
-
*
|
|
2096
|
+
* <p>Specifies that WAF should do nothing. This is used for the
|
|
2097
|
+
* <code>OverrideAction</code> setting on a <a>Rule</a> when the rule uses a
|
|
2098
|
+
* rule group reference statement. </p>
|
|
2039
2099
|
* <p>This is used in the context of other settings, for example to specify values for <a>RuleAction</a> and web ACL <a>DefaultAction</a>. </p>
|
|
2040
2100
|
* <p>JSON specification: <code>"None": {}</code>
|
|
2041
2101
|
* </p>
|
|
@@ -2111,8 +2171,8 @@ export interface VisibilityConfig {
|
|
|
2111
2171
|
/**
|
|
2112
2172
|
* <p>A name of the Amazon CloudWatch metric. The name can contain only the characters: A-Z, a-z, 0-9,
|
|
2113
2173
|
* - (hyphen), and _ (underscore). The name can be from one to 128 characters long. It can't
|
|
2114
|
-
*
|
|
2115
|
-
*
|
|
2174
|
+
* contain whitespace or metric names reserved for WAF, for example <code>All</code> and
|
|
2175
|
+
* <code>Default_Action</code>. </p>
|
|
2116
2176
|
*/
|
|
2117
2177
|
MetricName: string | undefined;
|
|
2118
2178
|
}
|
|
@@ -2388,7 +2448,7 @@ export declare class WAFTagOperationException extends __BaseException {
|
|
|
2388
2448
|
}
|
|
2389
2449
|
/**
|
|
2390
2450
|
* <p>WAF couldn’t perform your tagging operation because of an internal error. Retry
|
|
2391
|
-
*
|
|
2451
|
+
* your request.</p>
|
|
2392
2452
|
*/
|
|
2393
2453
|
export declare class WAFTagOperationInternalErrorException extends __BaseException {
|
|
2394
2454
|
readonly name: "WAFTagOperationInternalErrorException";
|
|
@@ -2633,12 +2693,17 @@ export declare namespace CreateWebACLResponse {
|
|
|
2633
2693
|
const filterSensitiveLog: (obj: CreateWebACLResponse) => any;
|
|
2634
2694
|
}
|
|
2635
2695
|
/**
|
|
2636
|
-
* <p>The operation failed because you are inspecting the web request body, headers, or
|
|
2637
|
-
*
|
|
2638
|
-
*
|
|
2639
|
-
*
|
|
2696
|
+
* <p>The operation failed because you are inspecting the web request body, headers, or
|
|
2697
|
+
* cookies without specifying how to handle oversize components. Rules that inspect the body
|
|
2698
|
+
* must either provide an <code>OversizeHandling</code> configuration or they must be preceded
|
|
2699
|
+
* by a <code>SizeConstraintStatement</code> that blocks the body content from being too
|
|
2700
|
+
* large. Rules that inspect the headers or cookies must provide an
|
|
2701
|
+
* <code>OversizeHandling</code> configuration. </p>
|
|
2640
2702
|
* <p>Provide the handling configuration and retry your operation.</p>
|
|
2641
|
-
* <p>Alternately, you can suppress this warning by adding the following tag to the resource
|
|
2703
|
+
* <p>Alternately, you can suppress this warning by adding the following tag to the resource
|
|
2704
|
+
* that you provide to this operation: <code>Tag</code>
|
|
2705
|
+
* (key:<code>WAF:OversizeFieldsHandlingConstraintOptOut</code>,
|
|
2706
|
+
* value:<code>true</code>).</p>
|
|
2642
2707
|
*/
|
|
2643
2708
|
export declare class WAFConfigurationWarningException extends __BaseException {
|
|
2644
2709
|
readonly name: "WAFConfigurationWarningException";
|
|
@@ -2719,9 +2784,11 @@ export declare namespace DeleteIPSetResponse {
|
|
|
2719
2784
|
const filterSensitiveLog: (obj: DeleteIPSetResponse) => any;
|
|
2720
2785
|
}
|
|
2721
2786
|
/**
|
|
2722
|
-
* <p>WAF couldn’t perform the operation because your resource is being used by another
|
|
2723
|
-
*
|
|
2724
|
-
*
|
|
2787
|
+
* <p>WAF couldn’t perform the operation because your resource is being used by another
|
|
2788
|
+
* resource or it’s associated with another resource. </p>
|
|
2789
|
+
* <p>For <code>DeleteWebACL</code>, you will only get this exception if the web ACL is still
|
|
2790
|
+
* associated with a regional resource. Deleting a web ACL that is still associated with an
|
|
2791
|
+
* Amazon CloudFront distribution won't get this exception. </p>
|
|
2725
2792
|
*/
|
|
2726
2793
|
export declare class WAFAssociatedItemException extends __BaseException {
|
|
2727
2794
|
readonly name: "WAFAssociatedItemException";
|
|
@@ -2734,8 +2801,7 @@ export declare class WAFAssociatedItemException extends __BaseException {
|
|
|
2734
2801
|
}
|
|
2735
2802
|
export interface DeleteLoggingConfigurationRequest {
|
|
2736
2803
|
/**
|
|
2737
|
-
* <p>The Amazon Resource Name (ARN) of the web ACL from which you want to delete the
|
|
2738
|
-
* <a>LoggingConfiguration</a>.</p>
|
|
2804
|
+
* <p>The Amazon Resource Name (ARN) of the web ACL from which you want to delete the <a>LoggingConfiguration</a>.</p>
|
|
2739
2805
|
*/
|
|
2740
2806
|
ResourceArn: string | undefined;
|
|
2741
2807
|
}
|
|
@@ -2921,9 +2987,8 @@ export interface DescribeManagedRuleGroupRequest {
|
|
|
2921
2987
|
*/
|
|
2922
2988
|
Scope: Scope | string | undefined;
|
|
2923
2989
|
/**
|
|
2924
|
-
* <p>The version of the rule group. You can only use a version that is not
|
|
2925
|
-
*
|
|
2926
|
-
* </p>
|
|
2990
|
+
* <p>The version of the rule group. You can only use a version that is not scheduled for
|
|
2991
|
+
* expiration. If you don't provide this, WAF uses the vendor's default version. </p>
|
|
2927
2992
|
*/
|
|
2928
2993
|
VersionName?: string;
|
|
2929
2994
|
}
|
|
@@ -3088,7 +3153,8 @@ export interface GenerateMobileSdkReleaseUrlRequest {
|
|
|
3088
3153
|
*/
|
|
3089
3154
|
Platform: Platform | string | undefined;
|
|
3090
3155
|
/**
|
|
3091
|
-
* <p>The release version. For the latest available version, specify
|
|
3156
|
+
* <p>The release version. For the latest available version, specify
|
|
3157
|
+
* <code>LATEST</code>.</p>
|
|
3092
3158
|
*/
|
|
3093
3159
|
ReleaseVersion: string | undefined;
|
|
3094
3160
|
}
|
|
@@ -3232,8 +3298,7 @@ export declare namespace GetIPSetResponse {
|
|
|
3232
3298
|
}
|
|
3233
3299
|
export interface GetLoggingConfigurationRequest {
|
|
3234
3300
|
/**
|
|
3235
|
-
* <p>The Amazon Resource Name (ARN) of the web ACL for which you want to get the
|
|
3236
|
-
* <a>LoggingConfiguration</a>.</p>
|
|
3301
|
+
* <p>The Amazon Resource Name (ARN) of the web ACL for which you want to get the <a>LoggingConfiguration</a>.</p>
|
|
3237
3302
|
*/
|
|
3238
3303
|
ResourceArn: string | undefined;
|
|
3239
3304
|
}
|
|
@@ -3269,11 +3334,12 @@ export declare namespace LabelNameCondition {
|
|
|
3269
3334
|
*/
|
|
3270
3335
|
export interface Condition {
|
|
3271
3336
|
/**
|
|
3272
|
-
* <p>A single action condition.</p>
|
|
3337
|
+
* <p>A single action condition. This is the action setting that a log record must contain in order to meet the condition.</p>
|
|
3273
3338
|
*/
|
|
3274
3339
|
ActionCondition?: ActionCondition;
|
|
3275
3340
|
/**
|
|
3276
|
-
* <p>A single label name condition
|
|
3341
|
+
* <p>A single label name condition. This is the fully qualified label name that a log record must contain in order to meet the condition.
|
|
3342
|
+
* Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. </p>
|
|
3277
3343
|
*/
|
|
3278
3344
|
LabelNameCondition?: LabelNameCondition;
|
|
3279
3345
|
}
|
|
@@ -3335,10 +3401,10 @@ export declare namespace LoggingFilter {
|
|
|
3335
3401
|
const filterSensitiveLog: (obj: LoggingFilter) => any;
|
|
3336
3402
|
}
|
|
3337
3403
|
/**
|
|
3338
|
-
* <p>Defines an association between logging destinations and a web ACL
|
|
3339
|
-
*
|
|
3340
|
-
*
|
|
3341
|
-
*
|
|
3404
|
+
* <p>Defines an association between logging destinations and a web ACL resource, for logging
|
|
3405
|
+
* from WAF. As part of the association, you can specify parts of the standard logging
|
|
3406
|
+
* fields to keep out of the logs and you can specify filters so that you log only a subset of
|
|
3407
|
+
* the logging records. </p>
|
|
3342
3408
|
* <note>
|
|
3343
3409
|
* <p>You can define one logging destination per web ACL.</p>
|
|
3344
3410
|
* </note>
|
|
@@ -3371,18 +3437,21 @@ export interface LoggingConfiguration {
|
|
|
3371
3437
|
*/
|
|
3372
3438
|
ResourceArn: string | undefined;
|
|
3373
3439
|
/**
|
|
3374
|
-
* <p>The logging destination configuration that you want to associate
|
|
3375
|
-
*
|
|
3440
|
+
* <p>The logging destination configuration that you want to associate with the web
|
|
3441
|
+
* ACL.</p>
|
|
3376
3442
|
* <note>
|
|
3377
3443
|
* <p>You can associate one logging destination to a web ACL.</p>
|
|
3378
3444
|
* </note>
|
|
3379
3445
|
*/
|
|
3380
3446
|
LogDestinationConfigs: string[] | undefined;
|
|
3381
3447
|
/**
|
|
3382
|
-
* <p>The parts of the request that you want to keep out of the logs. For
|
|
3383
|
-
*
|
|
3448
|
+
* <p>The parts of the request that you want to keep out of the logs. For example, if you
|
|
3449
|
+
* redact the <code>SingleHeader</code> field, the <code>HEADER</code> field in the logs will
|
|
3450
|
+
* be <code>xxx</code>. </p>
|
|
3384
3451
|
* <note>
|
|
3385
|
-
*
|
|
3452
|
+
* <p>You can specify only the following fields for redaction: <code>UriPath</code>,
|
|
3453
|
+
* <code>QueryString</code>, <code>SingleHeader</code>, <code>Method</code>, and
|
|
3454
|
+
* <code>JsonBody</code>.</p>
|
|
3386
3455
|
* </note>
|
|
3387
3456
|
*/
|
|
3388
3457
|
RedactedFields?: FieldToMatch[];
|
|
@@ -3580,7 +3649,8 @@ export interface GetMobileSdkReleaseRequest {
|
|
|
3580
3649
|
*/
|
|
3581
3650
|
Platform: Platform | string | undefined;
|
|
3582
3651
|
/**
|
|
3583
|
-
* <p>The release version. For the latest available version, specify
|
|
3652
|
+
* <p>The release version. For the latest available version, specify
|
|
3653
|
+
* <code>LATEST</code>.</p>
|
|
3584
3654
|
*/
|
|
3585
3655
|
ReleaseVersion: string | undefined;
|
|
3586
3656
|
}
|
|
@@ -3679,12 +3749,14 @@ export interface GetRateBasedStatementManagedKeysRequest {
|
|
|
3679
3749
|
*/
|
|
3680
3750
|
WebACLId: string | undefined;
|
|
3681
3751
|
/**
|
|
3682
|
-
* <p>The name of the rule group reference statement in your web ACL. This is required only
|
|
3683
|
-
* inside a rule group. </p>
|
|
3752
|
+
* <p>The name of the rule group reference statement in your web ACL. This is required only
|
|
3753
|
+
* when you have the rate-based rule nested inside a rule group. </p>
|
|
3684
3754
|
*/
|
|
3685
3755
|
RuleGroupRuleName?: string;
|
|
3686
3756
|
/**
|
|
3687
|
-
* <p>The name of the rate-based rule to get the keys for. If you have the rule defined inside
|
|
3757
|
+
* <p>The name of the rate-based rule to get the keys for. If you have the rule defined inside
|
|
3758
|
+
* a rule group that you're using in your web ACL, also provide the name of the rule group
|
|
3759
|
+
* reference statement in the request parameter <code>RuleGroupRuleName</code>.</p>
|
|
3688
3760
|
*/
|
|
3689
3761
|
RuleName: string | undefined;
|
|
3690
3762
|
}
|
|
@@ -3932,11 +4004,14 @@ export declare enum FailureReason {
|
|
|
3932
4004
|
TOKEN_MISSING = "TOKEN_MISSING"
|
|
3933
4005
|
}
|
|
3934
4006
|
/**
|
|
3935
|
-
* <p>The result from the inspection of the web request for a valid <code>CAPTCHA</code>
|
|
4007
|
+
* <p>The result from the inspection of the web request for a valid <code>CAPTCHA</code>
|
|
4008
|
+
* token. </p>
|
|
3936
4009
|
*/
|
|
3937
4010
|
export interface CaptchaResponse {
|
|
3938
4011
|
/**
|
|
3939
|
-
* <p>The HTTP response code indicating the status of the <code>CAPTCHA</code> token in the
|
|
4012
|
+
* <p>The HTTP response code indicating the status of the <code>CAPTCHA</code> token in the
|
|
4013
|
+
* web request. If the token is missing, invalid, or expired, this code is <code>405 Method
|
|
4014
|
+
* Not Allowed</code>.</p>
|
|
3940
4015
|
*/
|
|
3941
4016
|
ResponseCode?: number;
|
|
3942
4017
|
/**
|
|
@@ -4212,7 +4287,8 @@ export interface ManagedRuleGroupSummary {
|
|
|
4212
4287
|
*/
|
|
4213
4288
|
Name?: string;
|
|
4214
4289
|
/**
|
|
4215
|
-
* <p>Indicates whether the managed rule group is versioned. If it is, you can retrieve the
|
|
4290
|
+
* <p>Indicates whether the managed rule group is versioned. If it is, you can retrieve the
|
|
4291
|
+
* versions list by calling <a>ListAvailableManagedRuleGroupVersions</a>. </p>
|
|
4216
4292
|
*/
|
|
4217
4293
|
VersioningSupported?: boolean;
|
|
4218
4294
|
/**
|
|
@@ -4878,9 +4954,9 @@ export declare namespace PutLoggingConfigurationResponse {
|
|
|
4878
4954
|
const filterSensitiveLog: (obj: PutLoggingConfigurationResponse) => any;
|
|
4879
4955
|
}
|
|
4880
4956
|
/**
|
|
4881
|
-
* <p>The operation failed because you don't have the permissions that your logging
|
|
4882
|
-
*
|
|
4883
|
-
*
|
|
4957
|
+
* <p>The operation failed because you don't have the permissions that your logging
|
|
4958
|
+
* configuration requires. For information, see <a href="https://docs.aws.amazon.com/waf/latest/developerguide/logging.html">Logging web ACL traffic information</a>
|
|
4959
|
+
* in the <i>WAF Developer Guide</i>.</p>
|
|
4884
4960
|
*/
|
|
4885
4961
|
export declare class WAFLogDestinationPermissionIssueException extends __BaseException {
|
|
4886
4962
|
readonly name: "WAFLogDestinationPermissionIssueException";
|
|
@@ -5355,28 +5431,26 @@ export declare namespace UpdateWebACLResponse {
|
|
|
5355
5431
|
const filterSensitiveLog: (obj: UpdateWebACLResponse) => any;
|
|
5356
5432
|
}
|
|
5357
5433
|
/**
|
|
5358
|
-
* <p>The processing guidance for a <a>Rule</a>, used by WAF to determine whether
|
|
5434
|
+
* <p>The processing guidance for a <a>Rule</a>, used by WAF to determine whether
|
|
5435
|
+
* a web request matches the rule. </p>
|
|
5359
5436
|
*/
|
|
5360
5437
|
export interface Statement {
|
|
5361
5438
|
/**
|
|
5362
|
-
* <p>A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is
|
|
5439
|
+
* <p>A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is called a string match statement.</p>
|
|
5363
5440
|
*/
|
|
5364
5441
|
ByteMatchStatement?: ByteMatchStatement;
|
|
5365
5442
|
/**
|
|
5366
|
-
* <p>
|
|
5443
|
+
* <p>A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it. </p>
|
|
5367
5444
|
*/
|
|
5368
5445
|
SqliMatchStatement?: SqliMatchStatement;
|
|
5369
5446
|
/**
|
|
5370
|
-
* <p>A rule statement that
|
|
5371
|
-
*
|
|
5372
|
-
* client-site scripts into other legitimate web browsers.
|
|
5373
|
-
* The XSS match statement provides the location in requests that you want WAF to search and text transformations
|
|
5374
|
-
* to use on the search area before WAF searches for character sequences that are likely to be malicious strings. </p>
|
|
5447
|
+
* <p>A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker
|
|
5448
|
+
* uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers. </p>
|
|
5375
5449
|
*/
|
|
5376
5450
|
XssMatchStatement?: XssMatchStatement;
|
|
5377
5451
|
/**
|
|
5378
5452
|
* <p>A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. </p>
|
|
5379
|
-
* <p>If you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you
|
|
5453
|
+
* <p>If you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.</p>
|
|
5380
5454
|
* <p>If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI <code>/logo.jpg</code> is nine characters long.</p>
|
|
5381
5455
|
*/
|
|
5382
5456
|
SizeConstraintStatement?: SizeConstraintStatement;
|
|
@@ -5413,7 +5487,7 @@ export interface Statement {
|
|
|
5413
5487
|
* <p>A string match statement that searches in the User-Agent header for the string BadBot.</p>
|
|
5414
5488
|
* </li>
|
|
5415
5489
|
* </ul>
|
|
5416
|
-
* <p>In this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet both of the
|
|
5490
|
+
* <p>In this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.</p>
|
|
5417
5491
|
* <p>You cannot nest a <code>RateBasedStatement</code> inside another statement, for example inside a <code>NotStatement</code> or <code>OrStatement</code>. You can define a <code>RateBasedStatement</code> inside a web ACL and inside a rule group. </p>
|
|
5418
5492
|
*/
|
|
5419
5493
|
RateBasedStatement?: RateBasedStatement;
|
|
@@ -5465,15 +5539,16 @@ export interface ManagedRuleGroupStatement {
|
|
|
5465
5539
|
Name: string | undefined;
|
|
5466
5540
|
/**
|
|
5467
5541
|
* <p>The version of the managed rule group to use. If you specify this, the version setting
|
|
5468
|
-
*
|
|
5469
|
-
*
|
|
5470
|
-
*
|
|
5542
|
+
* is fixed until you change it. If you don't specify this, WAF uses the vendor's
|
|
5543
|
+
* default version, and then keeps the version at the vendor's default when the vendor updates
|
|
5544
|
+
* the managed rule group settings. </p>
|
|
5471
5545
|
*/
|
|
5472
5546
|
Version?: string;
|
|
5473
5547
|
/**
|
|
5474
|
-
* <p>The rules in the referenced rule group whose actions are set to <code>Count</code>.
|
|
5475
|
-
*
|
|
5476
|
-
*
|
|
5548
|
+
* <p>The rules in the referenced rule group whose actions are set to <code>Count</code>. When
|
|
5549
|
+
* you exclude a rule, WAF evaluates it exactly as it would if the rule action setting were
|
|
5550
|
+
* <code>Count</code>. This is a useful option for testing the rules in a rule group
|
|
5551
|
+
* without modifying how they handle your web traffic.</p>
|
|
5477
5552
|
*/
|
|
5478
5553
|
ExcludedRules?: ExcludedRule[];
|
|
5479
5554
|
/**
|
|
@@ -5526,7 +5601,7 @@ export declare namespace NotStatement {
|
|
|
5526
5601
|
* <p>A string match statement that searches in the User-Agent header for the string BadBot.</p>
|
|
5527
5602
|
* </li>
|
|
5528
5603
|
* </ul>
|
|
5529
|
-
* <p>In this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet both of the
|
|
5604
|
+
* <p>In this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.</p>
|
|
5530
5605
|
* <p>You cannot nest a <code>RateBasedStatement</code> inside another statement, for example inside a <code>NotStatement</code> or <code>OrStatement</code>. You can define a <code>RateBasedStatement</code> inside a web ACL and inside a rule group. </p>
|
|
5531
5606
|
*/
|
|
5532
5607
|
export interface RateBasedStatement {
|