Release : 10.0
Component : API GATEWAY
The use case involve a wildcard service.
So if you publish an api with URI: /dotdotslash*, then you can send requests to:
doing quick test. Yes it's possible to send requests to URIs with ../ to a wildcard service.
but it's also possible to prevent that via policy by using a regex that checks request.url for sequence ../
see example policy attached : dotdotslash-policy.xml
to use wildcard is fine if you have a common business logic that you need to do regardless of whether they go /b or /c. But you have some options to make it more secure :
- you can add checks that make sure you're only routing to specific URLs
- you can add checks that blacklists certain URL patterns