I need to implement a public REST API that manipulates usernames. So I have an endpoint that looks like GET http://.../api/users/<username>, where username can contain special characters (slashes, percents...) that are URL encoded (e.g. if my username is en/johndoe, my URL becomes http://.../api/users/en%2Fjohndoe).
For consistency with other endpoints in my API, I don't want to use a query param to pass the username.
When a username contains a slash (%2F), my GET request is rejected by Tomcat because of the default value (reject) of the parameter encodedSolidusHandling (see https://tomcat.apache.org/tomcat-9.0-doc/config/http.html). So I thought of double encoding the username (which would result in en%252Fjohndoe).
But in this case, my request is rejected by Spring Security because StrictHttpFirewall is configured this way by default (allowUrlEncodedPercent is false by default).
My understanding is that this is to avoid double URL encoding attacks.
But is double encoding a real threat? If it were, Tomcat would probably reject such requests as well, wouldn't it?
Is there any other risk in allowing URL encoding of percents?
Is there another solution (if possible not relying on a custom encoding) to deal with these special characters in paths?
Any feedback would be greatly appreciated.
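The following is an added example, not part of the question, that models the decoding mismatch behind the allowUrlEncodedPercent default. It uses the question's own username (en/johndoe) and a simplified, assumed model of the StrictHttpFirewall rules (a substring check for %25 and %2F, as a stand-in for the real implementation) to show how a double-encoded segment passes one layer unchanged, yet changes its value if any later layer decodes it a second time. The helper names are my own.

```python
from urllib.parse import quote, unquote

# Constructed sample values, taken from the question's example username.
USERNAME = "en/johndoe"
SINGLE_ENCODED = quote(USERNAME, safe="")        # en%2Fjohndoe
DOUBLE_ENCODED = quote(SINGLE_ENCODED, safe="")  # en%252Fjohndoe


def firewall_allows(raw_segment: str,
                    allow_encoded_percent: bool = False,
                    allow_encoded_slash: bool = False) -> bool:
    """Assumed, simplified model of StrictHttpFirewall: it inspects the raw
    (still encoded) path and rejects an encoded slash or an encoded percent
    unless the corresponding allow flag is set."""
    lowered = raw_segment.lower()
    if not allow_encoded_slash and "%2f" in lowered:
        return False
    if not allow_encoded_percent and "%25" in lowered:
        return False
    return True


def decode_once(raw_segment: str) -> str:
    """Percent-decode exactly once, as the servlet container does."""
    return unquote(raw_segment)


def layers_agree(raw_segment: str) -> bool:
    """True when every component that decodes the path sees the same value,
    i.e. a second percent-decode would not change the once-decoded string.
    A False here is the ambiguity the firewall default is guarding against:
    the firewall inspected one string, a downstream decoder may act on another."""
    once = decode_once(raw_segment)
    return decode_once(once) == once


def explain(raw_segment: str) -> dict:
    """Summarise how one raw segment is seen at each layer."""
    once = decode_once(raw_segment)
    return {
        "raw": raw_segment,
        "firewall_default": firewall_allows(raw_segment),
        "firewall_percent_allowed": firewall_allows(raw_segment, allow_encoded_percent=True),
        "after_one_decode": once,
        "after_two_decodes": decode_once(once),
        "stable": layers_agree(raw_segment),
    }


if __name__ == "__main__":
    for segment in ("johndoe", SINGLE_ENCODED, DOUBLE_ENCODED):
        for key, value in explain(segment).items():
            print(f"{key:>26}: {value}")
        print()
```

The point the output makes is that en%252Fjohndoe is "johndoe with a percent sign in it" to the firewall and to the first decoder, but becomes en/johndoe (a different path) to anything that decodes a second time; allowing encoded percents only makes sense if you can guarantee that exactly one layer decodes, which is why the default is to reject rather than reason about it.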