Beginner: Isn't the default Route Path Matching Behavior a Security Exposure?


  • My expectation is that the security and integrity of configured services is paramount. That exposing additional upstream endpoints should require an overt configured element.
  • What I’m finding is that the default Prefix-Path matching behavior appends everything after the matched path to the upstream URI.
  • And so if I don’t want this behavior – deeming it a security risk to allow any trailing URI to be sent to the upstream service – then I must configure every single route with a Regex end-of-string anchor in order to force strict path matching.

This seems to me a security issue. But it has likely always been this way and I don’t see it addressed anywhere … so then I feel like I’m missing something obvious. I’m anxious to understand what I might be missing.

Understanding this has already been implemented, I would still expect to be able to control this behavior through a Configuration setting. I guess once we get CI/CD in place, then I can enforce that “rule” that all routes must include an end-of-string anchor. But I still think the default should be to not expose extra unless commanded through something overt.

Thoughts?
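To make the matching behavior the post describes concrete, here is an added example (not Kong's own code, and not part of the original post). It is a simplified Python model of Kong 1.x route matching: a `paths` entry containing regex metacharacters is treated as a regex anchored at the start of the request path, anything else as a plain prefix, and `strip_path` removes the matched portion before forwarding. The route names and the request paths are constructed for the example, and the `unanchored_paths` lint is an assumed CI check of the kind the post wants, not a Kong feature.

```python
import re

# Constructed declarative-config-style routes (sample data, not a real deployment).
ROUTES = [
    {"name": "orders-prefix", "paths": ["/orders"], "strip_path": True},
    {"name": "orders-strict", "paths": ["/orders$"], "strip_path": True},
    {"name": "users-regex", "paths": [r"/users/\d+$"], "strip_path": False},
]

# Simplified rule: any regex metacharacter makes the path a regex (assumption,
# approximating how Kong 1.x distinguishes prefix paths from regex paths).
_REGEX_META = re.compile(r"[\\^$.|?*+()\[\]{}]")


def is_regex_path(path):
    """True if the configured path is treated as a regex rather than a prefix."""
    return bool(_REGEX_META.search(path))


def match_route(route, request_path):
    """Return the path forwarded upstream if the route matches, else None.

    Prefix paths match any request that starts with them, so everything
    after the prefix travels to the upstream. A regex ending in '$' only
    matches the exact path, which is the strict behavior the post asks for.
    """
    for configured in route["paths"]:
        if is_regex_path(configured):
            m = re.match(configured, request_path)  # anchored at start of path
            if not m:
                continue
            matched = m.group(0)
        else:
            if not request_path.startswith(configured):
                continue
            matched = configured
        if not route["strip_path"]:
            return request_path
        rest = request_path[len(matched):]
        return rest if rest.startswith("/") else "/" + rest
    return None


def unanchored_paths(routes):
    """CI lint (assumed, not a Kong feature): list (route, path) pairs with no
    end-of-string anchor, i.e. routes that forward arbitrary trailing URIs."""
    return [(r["name"], p) for r in routes for p in r["paths"] if not p.endswith("$")]


if __name__ == "__main__":
    for r in ROUTES:
        for req in ("/orders", "/orders/export/all"):
            print(r["name"], req, "->", match_route(r, req))
    print("unanchored:", unanchored_paths(ROUTES))
```

Running the file shows the prefix route forwarding `/export/all` for a request to `/orders/export/all`, while the `$`-anchored route rejects the same request, and the lint reports only the unanchored route. A check like `unanchored_paths` over the declarative config is one way to enforce the "all routes must include an end-of-string anchor" rule in a pipeline.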


© 2019 Kong Inc.