Software Development Kit (SDK) and API Discussions

Powershell, Set-NcFPolicyScope does not allow more than 255 characters in a file-extensions

ChannelTapeFibre
6,025 Views

Furthering on my exploration into the PowerShell module, I'm attempting to create an Fpolicy policy.

It's going fairly well, but I've hit what either is a bug or more likely my incorrect interpretation of the limits.

 

Referencing the man page for the native CLI command Fpolicy I find the following:

 

fpolicy ext[ension] { exc[lude] | inc[lude] } { reset|show } <PolicyName>
fpolicy ext[ension] { exc[lude] | inc[lude] } { add|remove|set } <PolicyName> <ext>[,<ext>]*

<ext>[,<ext>]* is a comma separated list of extensions. The maximum length allowed for a single extension is 260 characters. Upto 255 extensions can be specified in a list.The include list determines if a given file should be screened. The exclude list determines if a given file should not be screened. If an extension is listed on both the exclude and the include list, files with that extension are not screened. If an extension is not listed on either the include list or the exclude list, files with that extension are not screened. The character ? is a wild card. When it is not the last character, it matches any single character. When it is the last character, or part of a trailing sequence of ? , it matches any number of characters (0, 1 or more).

 

This would suggest the theoretical maximum length of the combined list string of a number of file extensions is 66300 characters (255x260).

 

However, I have found that using 

Set-NcFpolicyScope -PolicyName $fpolicy.PolicyName -VolumesToInclude $dataVolsCIFS -FileExtensionsToInclude $badExtensionList

 Errors out then $badExtensionList is over 255 characters. I have confirmed $badExtensionList is about 1800 characters long, with less than 255 individual elements. By going with man page description, this should be valid, but it does not work. Seems the cmdlet has a check for the total length of the string at 255 characters.

 

The reason behind me having such a long string is that I'm attempting to defend in depth against ransomware, which has a wide variety of known "bad" extensions.

1 ACCEPTED SOLUTION

asulliva
5,978 Views

I did some testing (using ONTAP 9)...here's what I found:

 

# This works:

# 59 elements in the array $extensions = @("bat","exe","cmd","sh","php","pl","cgi", "386","dll","com","torrent","js","app", "jar","pif","vb","vbscript","wsf","asp", "cer","csr","jsp","drv","sys","ade","adp", "bas","chm","cpl","crt","csh","fxp","hlp", "hta","inf","ins","isp","jse","htaccess", "htpasswd","ksh","lnk","mdb","mde","mdt", "mdw","msc","msi","msp","mst","ops","pcd", "prg","reg","scr","sct","shb","shs","url", "vbe","vbs","wsc","wsh") Set-NcFpolicyScope -PolicyName $policy -FileExtensionsToInclude $extensions -VserverContext $svm

If I convert the array into a string, if that string is > 255 characters, it fails:

 

# this fails:

# expected string length is 266 Write-Host "String length: $(($extensions -join ",").length)" Set-NcFpolicyScope -PolicyName $policy -FileExtensionsToInclude ($extensions -join ",") -VserverContext $svm

Shortening the string (by removing some of the extensions) causes it to succeed, which you've said above.

 

I'm not sure if this is a "feature" of PowerShell, or a bug in the PSTK...but try using the array format I used above to define the extensions and see if it works for you.

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

View solution in original post

6 REPLIES 6

ChannelTapeFibre
6,012 Views

Replying to myself, but in the native CLI it works without error, and I can also use Get-NcFpolicyScope.FileExtensionsToInclude to query the full list.

asulliva
5,998 Views

Hello @ChannelTapeFibre,

 

The parameter accepts a string array, which PowerShell will automatically convert a comma separated list of values into an array...I'm wondering if PoSh has a length limit for string parameters.  Have you tried passing an array of values instead of a comma separated list?

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

ChannelTapeFibre
5,996 Views

It returns the same error

Set-NcFpolicyScope : Invalid value specified for "file-extensions-to-include" element within "fpolicy-policy-scope-modify": "".
At line:1 char:1
+ Set-NcFpolicyScope -PolicyName $fpolicy.PolicyName -VolumesToInclude  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (cluster2:NcController) [Set-NcFpolicyScope], EINVALIDINPUTERROR
    + FullyQualifiedErrorId : ApiException,DataONTAP.C.PowerShell.SDK.Cmdlets.Fpolicy.SetNcFpolicyScope
 

I should probably clarify that a simple truncation of the troublesome too long string works.

 

$niceShortString = $farTooLongStringThatGivesAnError.substring(0,255) works, but $niceShortString = $farTooLongStringThatGivesAnError.substring(0,256) does not.

 

This would indicate the problem lies with the string being too long, > 256 character. The format and if I pass it as an array or string doesn't really seem to do any difference.

asulliva
5,979 Views

I did some testing (using ONTAP 9)...here's what I found:

 

# This works:

# 59 elements in the array $extensions = @("bat","exe","cmd","sh","php","pl","cgi", "386","dll","com","torrent","js","app", "jar","pif","vb","vbscript","wsf","asp", "cer","csr","jsp","drv","sys","ade","adp", "bas","chm","cpl","crt","csh","fxp","hlp", "hta","inf","ins","isp","jse","htaccess", "htpasswd","ksh","lnk","mdb","mde","mdt", "mdw","msc","msi","msp","mst","ops","pcd", "prg","reg","scr","sct","shb","shs","url", "vbe","vbs","wsc","wsh") Set-NcFpolicyScope -PolicyName $policy -FileExtensionsToInclude $extensions -VserverContext $svm

If I convert the array into a string, if that string is > 255 characters, it fails:

 

# this fails:

# expected string length is 266 Write-Host "String length: $(($extensions -join ",").length)" Set-NcFpolicyScope -PolicyName $policy -FileExtensionsToInclude ($extensions -join ",") -VserverContext $svm

Shortening the string (by removing some of the extensions) causes it to succeed, which you've said above.

 

I'm not sure if this is a "feature" of PowerShell, or a bug in the PSTK...but try using the array format I used above to define the extensions and see if it works for you.

 

Andrew

If this post resolved your issue, please help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

ChannelTapeFibre
5,937 Views

Thanks for your patience with me 🙂

As it turns out, I had a $null entry in the array, and this was what was preventing me from passing the array as input. Once I filtered out the $null element, I could pass the entire array.

 

However, there is a still a limitation of passing a string > 256 characters, but I'm not sure where this bug would lie. There is not such limitation in .NET as a whole or plain PowerShell, but that's more of an academic question at this point.

 

This also mean I can omit the step of joining the array to a string, as an added bonus.

Thanks for your help, I'm sure I will continue to post more problems as I stumble along.

FelipeMafra
5,905 Views

Hi,

 

I have a theory for this case, so I'll explain it.

 

Inside PoSh cmdlet this filed is a string[] so this limit does not apply.

 

I checked  if it had anything about DTD (XML - The Document Type Definition) and there isn't any limit there too. Actually it is a #PCDATA filed with has 65535 chars limit.

 

So I was wondering what could cause this?

 

Maybe filer is interpreting this $badExtensionList as a single extension with 1800 chars!

 

To check this out can you send the output of cmdlet below?

 

$badExtensionList.GetType()

 

If this is a string it might be the problem.

 

Just to clarify take a loke in the snippet below.

 

 

$a = "q" * 300
$b = "a,b,c,d,e,f"
[string[]]$c = $a, $b

$a.GetType()
$a.Length
""
$b.GetType()
$b.Length

$c.GetType()
$c.Length
$c[0].Length
$c[1].Length

IsPublic IsSerial Name                                     BaseType                                                                                                         
-------- -------- ----                                     --------                                                                                                         
True     True     String                                   System.Object                                                                                                    
300

True     True     String                                   System.Object                                                                                                    
11
True     True     String[]                                 System.Array                                                                                                     
2
300
11

 

$a is a string so is $b but $c is an array of strings with 2 elements. One with 300 chars and the other one with 11 chars.

 

Pay attention that $b is not an array of strings (string[]). It is simply an string with commas.

 

I think you would ask me why 255 instead of 260 as manual says it? Probably this value includes non printable chars as \r or \n.

 

If this makes sense to you please give me a kudo.

 

 

Public