feat(api-security): add effective method and route normalization gates#1322
Closed
RanuK12 wants to merge 1 commit into
Closed
feat(api-security): add effective method and route normalization gates#1322RanuK12 wants to merge 1 commit into
RanuK12 wants to merge 1 commit into
Conversation
Author
|
/claim #1283 |
Adds Step 1A to the API security review workflow covering: - Method override discovery (X-HTTP-Method-Override, _method, framework filters) - Gateway/CDN route rewrite authorization consistency - Route normalization (encoded slashes, duplicate slashes, case, semicolons) - OpenAPI-vs-code method drift detection - Authorization placement verification (pre- vs post-rewrite) Also adds: - Item 8 to Step 1 inventory for documenting effective method/route handling - Vulnerable and benign examples for reviewer calibration - Detection grep patterns for method override and normalization code - Framework-specific guidance table (Spring, Express, Django, ASP.NET, Go, nginx) - Severity criteria mapping to API1/API5/API8/API9 - Normalization verification checklist (7 items) - Common Pitfalls #7: pre-rewrite authorization bypass - Updated API5 reference table entry - OWASP API5 and RFC 9110 references Closes #1283
RanuK12
force-pushed
the
ranukita/improve-api-method-route-normalization
branch
from
b505c82 to
92202f5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #1283.
Summary
Adds Step 1A: Effective Method and Route Normalization to the API security review workflow, covering the full scope of issue #1283:
What this PR adds
Item 8 to Step 1 — Capture effective method and route handling during API inventory (reverse proxy rewrites, method override headers, encoded slashes, gateway-to-application route differences).
Step 1A: Effective Method and Route Normalization — A dedicated gate between inventory and findings, with:
Updated API5 reference table entry — Now mentions "rewritten routes and method overrides."
Common Pitfalls intel: appsec community updates 2026-03-29 #7 — Pre-rewrite vs. effective request authorization bypass.
New references — OWASP API5:2023 and RFC 9110 HTTP Semantics.
Coverage vs. issue requirements
Validation
Why this is better than a minimal fix
This PR provides a complete methodology (not just a checklist) that a reviewer can follow step-by-step. The framework table, grep patterns, and verification checklist make it actionable for real codebases. The benign example explicitly helps reviewers avoid false positives on well-configured gateway setups.