Hi people,
I have created an API using Django REST framework. The URL paths look like
/api/<user_id>/documents/<document_id>/
/api/<user_id>/addresses/<address_id>/
Now, if I try to hit the URL:
/api/user_id_1/documents/document_id_1/../../../../api/user_id_2/addresses/address_id_2/
Then, in this case, I receive data about address_2 in my response. The "../" lets the user actually call the address endpoint. Is this a known issue? And is there any way to avoid such manipulation in URLs?
I believe this can pose many security risks with APIs using path parameters.
I am using Django 2.0.5. Please do let me know if this has already been addressed in any newer versions.
Thanks!
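
An added illustration, not part of the original post: RFC 3986 dot-segment removal, which HTTP clients such as browsers and curl apply before sending a request, turns the URL above into the plain address URL, so the control that matters is a server-side check of the path's user_id against the authenticated caller. The route regex, the function names, and the assumption that the path's user_id identifies the owner are hypothetical.

```python
import re
from urllib.parse import unquote

# Hypothetical route shape modelled on the paths in the post.
ROUTE = re.compile(
    r"^/api/(?P<user_id>[^/]+)/(?P<resource>documents|addresses)/(?P<object_id>[^/]+)/$"
)

def remove_dot_segments(path):
    """Collapse '.' and '..' in an absolute URL path (RFC 3986, section 5.2.4)."""
    segments = path.split("/")
    out = []
    for i, seg in enumerate(segments):
        is_last = i == len(segments) - 1
        if seg == "..":
            if len(out) > 1:      # keep the leading "" that stands for the root
                out.pop()
        elif seg != ".":
            out.append(seg)
            continue
        if is_last:               # a trailing dot segment leaves a trailing slash
            out.append("")
    return "/".join(out)

def authorize(raw_path, authenticated_user):
    """Return an HTTP status for raw_path as received by the server."""
    decoded = unquote(raw_path)   # also catches %2e%2e
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return 400                # un-normalised dot segments reached the server
    match = ROUTE.match(decoded)
    if match is None:
        return 404
    if match["user_id"] != authenticated_user:
        return 403                # object-level check: path owner must be the caller
    return 200

# Constructed sample: the URL from the post with its dot segments written out.
POSTED = ("/api/user_id_1/documents/document_id_1/../../../../"
          "api/user_id_2/addresses/address_id_2/")

if __name__ == "__main__":
    collapsed = remove_dot_segments(POSTED)
    print(collapsed)                           # what the server is asked for
    print(authorize(collapsed, "user_id_1"))   # caller is not the path's owner
    print(authorize(POSTED, "user_id_1"))      # raw dot segments are refused
```

Requesting the collapsed URL directly gives the same result as the longer form, so the dot segments add no access that the address endpoint did not already grant to that caller.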