Kong / kong

When the API name contains "/", the API is broken #489

Closed subnetmarco closed 8 years ago

subnetmarco commented 9 years ago

e.g., 'my/api/name', though requesting it as 'my%2Fapi%2Fname'

thibaultcha commented 9 years ago

API names probably shouldn't be allowed to contain URI characters

Tieske commented 9 years ago

So these are the ones to exclude;

      reserved    = gen-delims / sub-delims

      gen-delims  = ":" / "/" / "?" / "#" / "[" / "]" / "@"

      sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="

(from https://tools.ietf.org/html/rfc3986#section-2.2)

right?

subnetmarco commented 9 years ago

@Tieske Yes - and I would also include "

thibaultcha commented 9 years ago

It might be worth reusing this code (a whitelist of allowed characters for API path): https://github.com/Mashape/kong/blob/master/kong/dao/schemas/apis.lua#L61

thibaultcha commented 8 years ago

I wanted to implement a URL decode middleware in the Admin API, but so far it seems like Lapis cannot differentiate path parameters from POST or GET parameters. For now I restricted the name property to only contain unreserved characters (that is, only . - _ ~, note that spaces are not supported).

If I find a way to percent-decode path parameters only, we could support names with reserved characters and spaces.
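
The restriction discussed in this thread, as an added example that is not Kong's schema code: a name check that accepts only RFC 3986 unreserved characters, plus a small model of why a name containing "/" cannot be addressed as a path parameter. `validate_api_name` and `route_param` are hypothetical names, and the router is an assumed simplification, not Lapis.

```lua
-- Added example; function names are hypothetical, not Kong's schema code.

-- RFC 3986 section 2.3: unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
-- Explicit ASCII ranges are used because %w depends on the C locale.
local ALLOWED = "A-Za-z0-9%-%._~"

-- Returns true, or false plus a message naming the first rejected byte.
local function validate_api_name(name)
  if type(name) ~= "string" or name == "" then
    return false, "name must be a non-empty string"
  end
  local bad = name:match("[^" .. ALLOWED .. "]")
  if bad then
    return false, ("byte 0x%02X is outside the unreserved set"):format(bad:byte())
  end
  return true
end

-- Assumed, simplified model of a router matching "/apis/:name": the path is
-- split on "/" and the captured segment is handed over without decoding.
local function route_param(path)
  local name, rest = path:match("^/apis/([^/]+)(.*)$")
  if name and rest == "" then
    return name
  end
  return nil
end

-- Constructed sample names, including the one from this issue.
local samples = { "my-api", "v1.orders_eu~2", "my/api/name", "my api", 'my"api' }
for _, name in ipairs(samples) do
  local ok, err = validate_api_name(name)
  print(("%-16s ok=%-5s %s"):format(name, tostring(ok), err or ""))
end

-- The raw name adds path segments, so the single-segment route cannot match;
-- the percent-encoded form matches but arrives still encoded, so it differs
-- from the stored name.
local stored = "my/api/name"
for _, path in ipairs({ "/apis/my/api/name", "/apis/my%2Fapi%2Fname" }) do
  local param = route_param(path)
  print(path, "param=" .. tostring(param), "equals stored: " .. tostring(param == stored))
end
```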