Create whitelists for URL calls

You can control outgoing HTTP requests when calling external URLs using URL whitelists. Use whitelists to prevent attackers from abusing HTTP requests to collect sensitive data, such as server configuration details in cloud scenarios, or to redirect users to phishing sites.

You can define URL whitelists that contain the individual URLs a user can use to access external sources. MashZone NextGen distinguishes between server-side and client-side requests based on URLs. On the server side, several data source operators can request data from external URLs, for example, CSV, Excel, JSON, XML, PPM, and ARIS table. On the client side, requests come from, for example, the Image widget and the actions you can specify for multiple widgets.

Server and client whitelists are stored in the MashZone NextGen database repository. The size of each whitelist is limited to 4000 characters. A whitelist is a JSON array of regular expressions (see the example below). A URL passes the check if it matches at least one of the regular expressions.

Example

The following JSON array represents a URL whitelist.

[
  "https://www.softwareag.com.*",
  "https://github.com/w3c/csvw.*",
  "https://www.w3schools.com/xml.*"
]
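A pre-import check for the whitelist format described above, as an added example that is not part of the MashZone NextGen documentation or product code. It assumes that an expression must match the whole URL and that Python's re module behaves like the product's regular-expression engine for these simple patterns; the hosts in SAMPLE are constructed placeholders and the function names are hypothetical.

```python
import json
import re

MAX_CHARS = 4000  # per-whitelist size limit stated on this page

# Constructed sample; the hosts are placeholders, not real data sources.
SAMPLE = r'''[
  "https://www.example.com.*",
  "https://www\\.example\\.org/.*",
  "hhttps://files.example.net/xml.*"
]'''


def load_whitelist(text):
    """Validate whitelist text and return the compiled expressions."""
    if len(text) > MAX_CHARS:  # assumption: the limit applies to the whole JSON text
        raise ValueError(f"{len(text)} characters exceeds the {MAX_CHARS} limit")
    entries = json.loads(text)
    if not isinstance(entries, list) or not all(isinstance(e, str) for e in entries):
        raise ValueError("whitelist must be a JSON array of strings")
    return [re.compile(e) for e in entries]  # re.error on an invalid expression


def is_allowed(url, patterns):
    """Pass if at least one expression matches the entire URL (assumed semantics)."""
    return any(p.fullmatch(url) for p in patterns)


def lint(patterns):
    """Return (expression, reason) pairs for entries that look unintended."""
    findings = []
    for p in patterns:
        m = re.match(r"https?://([^/]*)", p.pattern)
        if m is None:
            findings.append((p.pattern, "does not start with http:// or https://"))
        elif re.search(r"\.[*+]", m.group(1)):
            findings.append((p.pattern, "wildcard before the first '/' extends the host"))
        elif re.search(r"(?<!\\)\.", m.group(1)):
            findings.append((p.pattern, "unescaped '.' in the host matches any character"))
    return findings


if __name__ == "__main__":
    patterns = load_whitelist(SAMPLE)
    for expression, reason in lint(patterns):
        print(f"{expression}: {reason}")
    for url in ("https://www.example.com/data.csv",
                "https://www.example.com.other.test/data.csv",
                "https://www.example.org.other.test/data.csv",
                "https://files.example.net/xml/a.xml"):
        print(is_allowed(url, patterns), url)
```

An expression that puts .* directly after the host name, with no / in between, also accepts longer host names that merely begin with the intended one. Escaping the dots and ending the host part with / restricts the entry to that single host.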

To create a URL whitelist, use any suitable text editor. You can then provide the created whitelist to MashZone NextGen with the padmin command line tool. The padmin tool is located in the following directory:

<MashZone NextGen installation>/prestocli/bin/padmin.bat

Use the following commands to import your URL whitelist into MashZone NextGen:

You can also export your URL whitelist using the following commands. The server returns a JSON array of regular expressions, as shown in the above example, written to the specified file in the file system.