When using any API, for example /test/qrcode/*, the gateway allows and sends dot-dot-slash paths to the location of the API, allowing access to all the server resources if the server accepts them.
Release: 10.0
Component: API GATEWAY
The use case involves a wildcard service.
So if you publish an API with URI: /dotdotslash*, then you can send requests to:
/dotdotslash/foo/bar/../foo/bar
/dotdotslash/bar
etc.
Doing a quick test: yes, it's possible to send requests to URIs with ../ to a wildcard service.
But it's also possible to prevent that via policy by using a regex that checks request.url for the sequence ../
See the example policy attached: dotdotslash-policy.xml
Using a wildcard is fine if you have common business logic that you need to apply regardless of whether they go to /b or /c. But you have some options to make it more secure:
- you can add checks that make sure you're only routing to specific URLs
- you can add checks that blacklist certain URL patterns
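As an added example (not the attached dotdotslash-policy.xml and not any gateway's own code), the Python below shows the logic behind the two checks discussed in this thread: the regex rejection of ".." segments suggested above, and an allow-list that normalizes the request path and only routes it if it still sits under the published /dotdotslash prefix. The prefix name, the double percent-decoding, and the decision strings are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed published wildcard API from the thread: /dotdotslash*
PUBLISHED_PREFIX = "/dotdotslash"

# A ".." path segment, bounded by "/" or the string ends (catches a trailing "/.." too).
DOTDOT_SEGMENT_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def decode_path(raw: str) -> str:
    """Take the path part of the URL, percent-decode it up to twice so that
    %2e%2e and %252e%252e are both seen as '..', and fold backslashes to '/'."""
    path = raw.split("?", 1)[0]
    for _ in range(2):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def has_traversal_sequence(raw: str) -> bool:
    """The blacklist check from the thread: reject any '..' segment in the request path."""
    return DOTDOT_SEGMENT_RE.search(decode_path(raw)) is not None


def resolve_target(raw: str):
    """The allow-list check: normalize the path and return it only if it still sits
    under the published API prefix (segment boundary required), otherwise None."""
    path = decode_path(raw)
    if not path.startswith("/"):
        return None
    normalized = posixpath.normpath(path)  # collapses '.', '..' and repeated '/'
    if normalized == PUBLISHED_PREFIX or normalized.startswith(PUBLISHED_PREFIX + "/"):
        return normalized
    return None


def gateway_decision(raw: str) -> str:
    """Combine both checks the way a request-processing policy would."""
    if has_traversal_sequence(raw):
        return "reject: traversal sequence"
    if resolve_target(raw) is None:
        return "reject: outside published API"
    return "allow"
```

Note that the regex check alone rejects "/dotdotslash/foo/bar/../foo/bar" even though it normalizes to a path inside the API, while the prefix check alone would let it through; which one you want depends on whether the backend is trusted to handle normalized paths.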