8 tests demonstrate how Signando REST validates URL paths against the OpenAPI specification and blocks path traversal attacks.
Paths are defined in your OpenAPI specification. Only these paths are allowed:
# openapi.yaml
openapi: "3.0.3"
paths:
/users:
get:
summary: "List all users"
responses:
"200":
description: "User list"
post:
summary: "Create a user"
/users/{id}:
get:
summary: "Get user by ID"
parameters:
- name: id
in: path
required: true
schema:
type: string
format: uuidcurl -X GET -H "X-API-Key: valid-key-123" http://localhost:8080/usersHTTP/1.1 200 OK
Content-Type: application/json
[{"id": "550e8400-e29b-41d4-a716-446655440000", "name": "John"}]The path /users is defined in the OpenAPI specification. Signando REST validates that the path matches a defined endpoint.
curl -X GET -H "X-API-Key: valid-key-123" http://localhost:8080/users/550e8400-e29b-41d4-a716-446655440000Path parameters are extracted and validated against the schema (UUID format in this case).
curl -X GET -H "X-API-Key: valid-key-123" http://localhost:8080/adminHTTP/1.1 404 Not Found
Content-Type: application/json
{"error": "Path not found in API specification", "code": "PATH_NOT_ALLOWED"}Signando REST works on the allowlist principle: Only paths explicitly defined in the OpenAPI specification are allowed.
curl -X GET -H "X-API-Key: valid-key-123" http://localhost:8080/../etc/passwd HTTP/1.1 400 Bad Request
Content-Type: application/json
{"error": "Path traversal detected", "code": "PATH_TRAVERSAL_BLOCKED"}Path traversal attempts using ../ sequences are detected and blocked before reaching the backend.
curl -X GET http://localhost:8080/users/../../etc/passwd Even path traversal attempts hidden within valid path prefixes are detected and blocked.
curl -X GET -H "X-API-Key: valid-key-123" http://localhost:8080/users/not-a-uuidHTTP/1.1 400 Bad Request
Content-Type: application/json
{"error": "Invalid path parameter", "parameter": "id", "expected": "uuid"}Path parameters are validated against their schema. Invalid formats are rejected.