C
C#•2d ago
TheCyberSniper

Trouble understanding how web.config's location path value works

Hello! I am having some trouble understanding or finding documentation on how the location path value works in web.config. My goal: to lock down a single API endpoint/URL or the respective controller's function to a location path. The API call itself looks like this: mywebsite.com/rpc/associated-members/add-member-to-account/1000011000/[email protected] The issue, is that if an email contains + syntax, then this endpoint 404's (doesn't hit my .net controller router). The fix seems to be to turn on a web.config value called <requestFiltering allowDoubleEscaping="true" />. However, since I am unsure on the risks associated with this, I want to lock down this rule which I think can be done by putting this within a <location path=""> rule. The .net side of this API call looks like this 
c#
namespace WebsiteBase.Mvc.Controllers.RPC
{
    [RoutePrefix("rpc/associated-members")]
    public class AssociatedMembersController : BaseRpcController
    {
        [HttpGet]
        [Route("add-member/{cardnumber}/{email}")]
        [StandaloneResponseFilter]
        public JsonResult AddMemberToAccount(string cardnumber, string email)
        {
            //
        }
    }
}
c#
namespace WebsiteBase.Mvc.Controllers.RPC
{
    [RoutePrefix("rpc/associated-members")]
    public class AssociatedMembersController : BaseRpcController
    {
        [HttpGet]
        [Route("add-member/{cardnumber}/{email}")]
        [StandaloneResponseFilter]
        public JsonResult AddMemberToAccount(string cardnumber, string email)
        {
            //
        }
    }
}
Now, if I put the allowDoubleEscaping="true" in a non-location path rule the above works and emails with a + work, such as: mywebsite.com/rpc/associated-members/add-member-to-account/1000011000/[email protected] So, I have tried utilizing the location path="" option to lock it down but so far I am not having any luck... as in it 404s or it doesn't compile. The following throw a compile error off the bat - so I presume I cannot use a generic URL for this rule. 
c#
<location path="rpc/associated-members/add-member/">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
<location path="/rpc/associated-members/add-member/">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
c#
<location path="rpc/associated-members/add-member/">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
<location path="/rpc/associated-members/add-member/">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
I also had read you can specify by Controller, so I also tried these. The web application runs but the + email syntax will 404 when I try to hit the endpoint. 
c#
<location path="AssociatedMembersController">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
<location path="AssociatedMembersController/AddMemberToAccount">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
c#
<location path="AssociatedMembersController">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
<location path="AssociatedMembersController/AddMemberToAccount">
  <system.webServer>
    <security>
      <requestFiltering allowDoubleEscaping="true" />
    </security>
  </system.webServer>
</location>
I am just having trouble finding more documentation around the location path's allowed URL and if I can lock down the scope of this allowDoubleEscaping a bit to only the pertaining route/controller. If I cannot lock it down in this manner, that is okay, just let me know - thank you!
2 Replies
Angius
Angius•2d ago
AddMemberToAccount
Seems to me like this should be a POST endpoint, not a GET one
TheCyberSniper
TheCyberSniperOP•2d ago
I have also raised that concern, that with the data being sent it might be better to change the request type itself. But for educational purposes, I am still curious on the above or if it is possible. 🙂

Did you find this page helpful?