Vulnerability - dot-dot-slash

Article ID: 200429

Products

CA API Gateway
API SECURITY
CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7)
CA API Gateway Enterprise Service Manager (Layer 7)
STARTER PACK-7
CA Microgateway

Issue/Introduction

When using any API, for example /test/qrcode/*, the gateway accepts request paths containing dot-dot-slash (../) sequences and forwards them to the location of the API. If the server accepts such paths, this allows access to all of the server's resources.

Environment

Release : 10.0

Component : API GATEWAY

Resolution

The use case involves a wildcard service.

If you publish an API with the URI /dotdotslash*, you can send requests to:

/dotdotslash/foo/bar/../foo/bar
/dotdotslash/bar
etc.

A quick test confirms that it is possible to send requests to URIs containing ../ to a wildcard service.
It is also possible to prevent that via policy, by using a regex that checks request.url for the sequence ../

See the attached example policy: dotdotslash-policy.xml

Using a wildcard is fine if you have common business logic that must run regardless of whether requests go to /b or /c. However, you have some options to make it more secure:
- you can add checks that make sure you're only routing to specific URLs
- you can add checks that blacklist certain URL patterns
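
The two options above combined in one check, as an added Python example that is not the attached policy or any gateway code. It goes beyond the literal ../ regex by also catching percent-encoded and trailing ".." forms, and it inspects only the path component of the URL; the function names and the allowlisted paths are assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Assumed for illustration: the only back-end paths the wildcard
# service /dotdotslash* is meant to reach.
ALLOWED_PREFIXES = ("/dotdotslash/foo", "/dotdotslash/bar")

# A ".." path segment, delimited by "/" or "\" or by the ends of the path.
DOT_DOT_SEGMENT = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def decode_fully(path, max_rounds=3):
    """Percent-decode until stable so %2e%2e%2f and %252e%252e are seen as ../"""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    return None  # still changing after max_rounds: refuse to guess


def check_request_url(url):
    """Return (allowed, reason) for a request URL sent to the wildcard service."""
    path = decode_fully(urlsplit(url).path)
    if path is None:
        return False, "excessive encoding"
    # Deny-pattern check: reject any dot-dot segment outright.
    if DOT_DOT_SEGMENT.search(path):
        return False, "dot-dot segment"
    # Allowlist check: only route paths under the expected prefixes.
    normalized = posixpath.normpath(path)
    for prefix in ALLOWED_PREFIXES:
        if normalized == prefix or normalized.startswith(prefix + "/"):
            return True, "ok"
    return False, "not on allowlist"


if __name__ == "__main__":
    # Constructed sample requests, including the two paths from the article.
    for sample in ("/dotdotslash/foo/bar/../foo/bar", "/dotdotslash/bar",
                   "/dotdotslash/foo/%2e%2e%2fadmin", "/dotdotslash/other"):
        print(sample, check_request_url(sample))
```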

Attachments

1658851071000__dotdotslash-policy.xml