URL manipulation in case of path parameters

Hi people,

I have created an API using Django rest framework. The url paths look like

Now, if I try to hit the url:


Then, in this case, I receive data about address_2 in my response. The “../” lets the user actually call the address endpoint. Is this a known issue? And is there any way to avoid such manipulation in urls?
I believe this can pose many security risks with APIs using path parameters.

I am using Django 2.0.5. Please do let me know if this has already been addressed in any newer versions.


I suspect you have your urls configured incorrectly. If you post your routing code, we may be able to help identify the problem.

While I agree that there may be some issues with your url configuration, this still shouldn’t be a “problem”.
Generally speaking, security is applied at the view, not at the url. The urls map to views, yes - but it doesn’t matter how you get to the view. Whether you get to “view_x” via /api/view/x, or /api/view/../view/../view/x/../x/ shouldn’t matter. The view “view_x” is supposed to verify that that user can access that view.
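
The point made in the last reply, as an added example that is not part of the original thread and not Django's own code: a framework-free sketch in which the direct path and a path containing `../` reach the same view and get the same authorization decision, because the check lives in the view. The route pattern, the sample data and all function names are assumptions made for illustration, and dot-segments are assumed to be collapsed before routing (as clients and proxies commonly do).

```python
import re

# Constructed sample data: address id -> id of the user who owns it.
ADDRESS_OWNER = {1: 7, 2: 7, 3: 8}

# Hypothetical route; the thread's real URL patterns are not shown.
ROUTE = re.compile(r"^/api/users/(?P<user_id>\d+)/addresses/(?P<address_id>\d+)/$")


def remove_dot_segments(path):
    """Collapse '.' and '..' segments (simplified form of RFC 3986, 5.2.4)."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:  # never pop the leading empty segment (the root)
                out.pop()
        elif seg != ".":
            out.append(seg)
    return "/".join(out)


def address_view(request_user_id, user_id, address_id):
    """The decision depends on the caller and the object, not on the URL text."""
    owner = ADDRESS_OWNER.get(address_id)
    if owner is None or owner != user_id:
        return 404  # no such address under this user
    if request_user_id != owner:
        return 403  # authenticated, but not the owner
    return 200


def dispatch(request_user_id, raw_path):
    """Normalize the path, route it, then let the view authorize the request."""
    match = ROUTE.match(remove_dot_segments(raw_path))
    if match is None:
        return 404
    return address_view(request_user_id, int(match["user_id"]), int(match["address_id"]))


if __name__ == "__main__":
    for user, path in [(7, "/api/users/7/addresses/2/"),
                       (7, "/api/users/7/orders/../addresses/2/"),
                       (8, "/api/users/7/orders/../addresses/2/")]:
        print(user, path, dispatch(user, path))
```
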