Smartdocs is adding additional header Referer to the request
When a delete transaction is sent out from Developer portal smart docs, we are getting an issue.
If we send the request from the postman, we don’t have any issue.
When a request is sent from developer portal, Referer header contains %7Breferenc%7D.
As per some of our policies to avoid SQL injection and other security issues, % is not allowed as part of the header.
Is there a way to remove the % from the URL path or from the body which is sent to the Edge APi.
Is there a way to disable the referer header from the request?
One option to have policy which will remove the "referer" header before the "Regular Expression Protection", but all the requests will have to execute this policy.
As the request is generated from Smartdocs, I am looking for a way.
Can you share the Open API (Swagger) spec that was imported to the dev portal ? I would like to take a look at it and see if I can reproduce
Answer by Anil Sagar @ Google
·
Aug 20, 2016 at 02:40 PM
Thank you for highlighting this issue. Did some research & i can able to reproduce same, It's due to the badly formed smartdocs developer portal URL that has been taken as the Referer value while making the smartdocs API call.
For Example, Take a look at this smartdocs URL, http://dev-4mv4d.devportal.apigee.com/petstore/apis/delete/user/%7Busername%7D
It's due to the smartdocs content type URL pattern setting, %7B & %7D refers to { & } html encoded characters. By this time you might have guessed the root cause.
Default pattern for smartdocs URL is ,
[node:field-smart-method-model:name]/apis/[node:field-smart-method-verb:name]/[node:field-smart-method-resource-path]
that means if resource path is dynamic parameter like /v2/user/{username} then url will contain encoded characters like above. to fix above issue, you can update the url pattern to something like below in "admin/config/search/path/patterns" page as Developer Portal administrator,
[node:field-smart-method-model:name]/apis/[node:title]
Once you save the settings, Either re-render the smartdocs / generate the url by editing the the smartdocs node using the "URL path settings" at the bottom.
Hope it helps. Keep us posted if any.
