IBM Support

Handling URLs containing DotDot (..) on DataPower as part of API Connect

Troubleshooting


Problem

Customer requests may contain DotDot (..) in the URL. For example as part of query parameter. By default this is not allowed by DataPower

Symptom

In the DataPower logs for the service webapi you may see messages like:
 
"Request requires DotDot in allowed-features list, which is not currently configured." (Event code 0x80e00138)

Cause

 The URL with .. setting is disabled by default for security reasons. (.. is commonly used to break out of directories / exploit web servers)

Resolving The Problem

To workaround you can enable the URL with .. under the Allowed Methods and Versions section for the Front side handler webapi-https

To do this from the UI:
Login to DataPower and navigate to the domain generated by API Connect (APIMgmt_XXXXXXXXX)
Open the Multiprotocol Gateway webapi
Edit the Front side Handler webapi-https
Click the checkbox next to the Option URL with .. under the Allowed Methods and Versions Section


 

Unfortunately, there is not a presently a feature to persist modifications to the API Connect domain after you remove it and readd it to the Gateway service.

You may also consider using a SOMA request to make this modification.

The attached sample request can be sent to the XML Management interface to change the setting without having to manually edit on the DataPower UI.

The file named request.xml will add the dot dot method on to the FSH webapi-https. You will need to modify the file to add your domain name in line 5 and run the command:

 

curl --data-binary @request.xml https://<hostname>:5550/service/mgmt/2004 -u <username>:<password> -k

request.xml

Document Location

Worldwide

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"SSMNED","label":"IBM API Connect"},"Component":"Gateway","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"5.0.8","Edition":""}]

Document Information

Modified date:
11 April 2019

UID

ibm10872578