URL manipulation in case of path parameters

Hi people,

I have created an API using Django rest framework. The url paths look like
/api/<user_id>/documents/<document_id>/
/api/<user_id>/addresses/<address_id>/

Now, if I try to hit the url:

/api/user_id_1/documents/document_id_1/…/…/…/…/api/user_id_2/addresses/address_id_2/

Then, in this case, I receive data about address_2 in my response. The “…/” lets the user actually call the address endpoint. Is this any known issue? And is there any way to avoid such manipulation in urls?
I believe this can pose many security risks with APIs using path parameters.

I am using Django 2.0.5. Please do let me know if this has already been addressed in any newer versions.

Thanks!

I suspect you have your urls configured incorrectly. If you post your routing code, we may be able to help identify the problem.

While I agree that there may be some issues with your url configuration, this still shouldn’t be a “problem”.
Generally speaking, security is applied at the view, not at the url. The urls map to views, yes - but it doesn’t matter how you get to the view. Whether you get to “view_x” via /api/view/x, or /api/view/../view/../view/x/../x/ shouldn’t matter. The view “view_x” is supposed to verify that that user can access that view.
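As an added illustration of the point made in this reply (this is not code from the thread or from Django itself), the following dependency-free Python sketch models what happens: the client (or any proxy) collapses the "../" segments before Django ever sees the request, so the path that reaches the resolver is simply the address endpoint, and the only check that holds up is the one inside the view. The route regexes, the ADDRESSES table, the function names and the assumption that the "…/" in the question stands for the client's "../" segments are all constructed for this example.

```python
import posixpath
import re

# Constructed sample data (not from the thread): who owns which address.
ADDRESSES = {
    "address_id_1": {"owner": "user_id_1", "city": "Alpha"},
    "address_id_2": {"owner": "user_id_2", "city": "Beta"},
}

# Hypothetical routes mirroring the two patterns in the question.
ROUTES = [
    (re.compile(r"^/api/(?P<user_id>[^/]+)/addresses/(?P<address_id>[^/]+)/$"), "address_detail"),
    (re.compile(r"^/api/(?P<user_id>[^/]+)/documents/(?P<document_id>[^/]+)/$"), "document_detail"),
]

# The URL from the question, assuming "…/" was "../" before the forum rendered it.
CRAFTED = "/api/user_id_1/documents/document_id_1/../../../../api/user_id_2/addresses/address_id_2/"


class PermissionDenied(Exception):
    pass


def normalize_path(raw_path):
    """Collapse '.' and '..' segments the way browsers and HTTP clients do
    before the request is sent; the server only ever sees the result."""
    normalized = posixpath.normpath(raw_path)
    if raw_path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def resolve(path):
    """Return (view_name, kwargs) for the first matching route, or None."""
    for pattern, view_name in ROUTES:
        match = pattern.match(path)
        if match:
            return view_name, match.groupdict()
    return None


def prefix_guard_accepts(raw_path, request_user):
    """A URL-level 'guard' that only inspects the raw string. It approves the
    crafted URL because it starts with the requester's own prefix, which is
    exactly why URL-level checks are the wrong place for authorization."""
    return raw_path.startswith(f"/api/{request_user}/")


def address_detail_insecure(request_user, user_id, address_id):
    # Trusts the URL completely: returns whatever address_id names.
    return ADDRESSES[address_id]


def address_detail_checked(request_user, user_id, address_id):
    # Object-level check inside the view: the path's user_id must be the
    # requester, and the requester must own the address being read.
    address = ADDRESSES.get(address_id)
    if user_id != request_user or address is None or address["owner"] != request_user:
        raise PermissionDenied(f"{request_user} may not read {address_id}")
    return address


def dispatch(raw_path, request_user, secure):
    """Simulate request handling: normalize, route, then call the view."""
    resolved = resolve(normalize_path(raw_path))
    if resolved is None:
        return ("404", None)
    view_name, kwargs = resolved
    if view_name != "address_detail":
        return ("501", None)  # only the address view is modelled here
    view = address_detail_checked if secure else address_detail_insecure
    try:
        return ("200", view(request_user, **kwargs))
    except PermissionDenied:
        return ("403", None)


if __name__ == "__main__":
    print("resolver sees:", normalize_path(CRAFTED))
    print("prefix guard accepts crafted URL:", prefix_guard_accepts(CRAFTED, "user_id_1"))
    print("insecure view:", dispatch(CRAFTED, "user_id_1", secure=False))
    print("checked view: ", dispatch(CRAFTED, "user_id_1", secure=True))
```

Running it shows the resolver receiving /api/user_id_2/addresses/address_id_2/, the prefix-based guard waving the crafted URL through, the URL-trusting view returning user_id_2's address to user_id_1, and the view with the ownership check answering 403. In a real DRF project the equivalent of address_detail_checked is a permission class (has_object_permission) or a queryset filtered by request.user, so that the decision is made on the object, not on the shape of the URL.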