REST Advanced Paths: Allow sub-directories in entity REST paths (#2999)

Copilot · JerryNixon · RubenCerna2079 · web-flow · commit 54697845a305 · 2026-02-12T01:39:39.000Z
- [x] Explore and understand the codebase - [x] Understand how REST paths are validated and used - [x] Modify validation to allow forward slashes (/) in entity REST paths for sub-directories - [x] Update `GetEntityNameAndPrimaryKeyRouteFromRoute` to handle paths with sub-directories - [x] Provide clear error messages for invalid paths (backslash, invalid chars, etc.) - [x] Add unit tests for the new functionality - [x] Build and verify the changes - [x] Run dotnet format on modified files - [x] Run code review and address feedback - [x] Run CodeQL security check (no issues found) - [x] Address PR feedback: - Added null-safe fallback for error message in `ValidateRestPathSettingsForEntity` - Simplified generic error message to avoid overspecifying allowed characters - ~~Documented shortest-prefix matching~~ → **Fixed to use longest-prefix matching** - [x] **Fixed routing logic**: Changed from shortest-prefix to longest-prefix matching (most-specific match wins) - [x] **Added routing tests**: Tests for sub-directory paths, longest-prefix matching with overlapping paths - [x] **Updated XML documentation**: Clarified that entity paths may contain '/' and use longest-prefix matching - [x] **Fixed ':' error message**: Changed to neutral "reserved character" message - [x] **Refactored test helpers**: Removed duplicate code, all helpers now delegate to single core helper - [x] **Enhanced validation**: - Added 2048-character maximum path length limit - Added percent-encoding (%) validation - not allowed in config - Added path traversal pattern validation (`.` and `..` segments blocked) - Added tests for trailing slash, whitespace, percent-encoding, and path traversal patterns  <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>⭐ [Enhancement]: REST Advanced Paths</issue_title> > <issue_description>## What is it? > > * The ability to customize REST paths with sub-directories, such as `/api/sub-directory/books`. > > This improvement addresses potential conflicts that arise when multiple data sources contain entities with the same desired REST path. For example, you might have an `Item` entity under both an `Invoice` and a `ShoppingCart`. With the current setup, you might end up with paths like `/shopping-cart` and `/shopping-cart-item`, when the desired paths would be `/shopping-cart/item` and `/invoice/item`. This issue becomes more pronounced as we introduce tenant support across multiple databases. > > ## Questions > > 1. How many sub-folders, just one? Yes. Just one. > 2. Are paths unique across config files? Yes, required. > > ## Related issues to close > > * #1085 > * #1566</issue_description> > > <agent_instructions>Change as little as possible, introduce as little as possible to accomplish this. Terse code FTW.</agent_instructions> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details> - Fixes #2373  --- 💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more [Copilot coding agent tips](https://gh.io/copilot-coding-agent-tips) in the docs. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: JerryNixon <1749983+JerryNixon@users.noreply.github.com> Co-authored-by: RubenCerna2079 <32799214+RubenCerna2079@users.noreply.github.com> Co-authored-by: Aniruddh Munde <anmunde@microsoft.com> Co-authored-by: Aniruddh25 <3513779+Aniruddh25@users.noreply.github.com> Co-authored-by: anushakolan <45540936+anushakolan@users.noreply.github.com>
diff --git a/src/Core/Configurations/RuntimeConfigValidator.cs b/src/Core/Configurations/RuntimeConfigValidator.cs
@@ -656,6 +656,7 @@ private void ValidateRestMethods(Entity entity, string entityName)
     /// <summary>
     /// Helper method to validate that the rest path property for the entity is correctly configured.
     /// The rest path should not be null/empty and should not contain any reserved characters.
+    /// Allows sub-directories (forward slashes) in the path.
     /// </summary>
     /// <param name="entityName">Name of the entity.</param>
     /// <param name="pathForEntity">The rest path for the entity.</param>
@@ -672,10 +673,10 @@ private static void ValidateRestPathSettingsForEntity(string entityName, string
                 );
         }
 
-        if (RuntimeConfigValidatorUtil.DoesUriComponentContainReservedChars(pathForEntity))
+        if (!RuntimeConfigValidatorUtil.TryValidateEntityRestPath(pathForEntity, out string? errorMessage))
         {
             throw new DataApiBuilderException(
-                message: $"The rest path: {pathForEntity} for entity: {entityName} contains one or more reserved characters.",
+                message: $"The rest path: {pathForEntity} for entity: {entityName} {errorMessage ?? "contains invalid characters."}",
                 statusCode: HttpStatusCode.ServiceUnavailable,
                 subStatusCode: DataApiBuilderException.SubStatusCodes.ConfigValidationError
                 );
diff --git a/src/Core/Configurations/RuntimeConfigValidatorUtil.cs b/src/Core/Configurations/RuntimeConfigValidatorUtil.cs
@@ -66,6 +66,94 @@ public static bool DoesUriComponentContainReservedChars(string uriComponent)
         return _reservedUriCharsRgx.IsMatch(uriComponent);
     }
 
+    /// <summary>
+    /// Method to validate an entity REST path allowing sub-directories (forward slashes).
+    /// Each segment of the path is validated for reserved characters and path traversal patterns.
+    /// </summary>
+    /// <param name="entityRestPath">The entity REST path to validate.</param>
+    /// <param name="errorMessage">Output parameter containing a specific error message if validation fails.</param>
+    /// <returns>true if the path is valid, false otherwise.</returns>
+    public static bool TryValidateEntityRestPath(string entityRestPath, out string? errorMessage)
+    {
+        errorMessage = null;
+
+        // Check for maximum path length (reasonable limit for URL paths)
+        const int MAX_PATH_LENGTH = 2048;
+        if (entityRestPath.Length > MAX_PATH_LENGTH)
+        {
+            errorMessage = $"exceeds maximum allowed length of {MAX_PATH_LENGTH} characters.";
+            return false;
+        }
+
+        // Check for backslash usage - common mistake
+        if (entityRestPath.Contains('\\'))
+        {
+            errorMessage = "contains a backslash (\\). Use forward slash (/) for path separators.";
+            return false;
+        }
+
+        // Check for percent-encoded characters (URL encoding not allowed in config)
+        if (entityRestPath.Contains('%'))
+        {
+            errorMessage = "contains percent-encoding (%) which is not allowed. Use literal characters only.";
+            return false;
+        }
+
+        // Check for whitespace
+        if (entityRestPath.Any(char.IsWhiteSpace))
+        {
+            errorMessage = "contains whitespace which is not allowed in URL paths.";
+            return false;
+        }
+
+        // Split the path by '/' to validate each segment separately
+        string[] segments = entityRestPath.Split('/');
+
+        // Validate each segment doesn't contain reserved characters
+        foreach (string segment in segments)
+        {
+            if (string.IsNullOrEmpty(segment))
+            {
+                errorMessage = "contains empty path segments. Ensure there are no leading, consecutive, or trailing slashes.";
+                return false;
+            }
+
+            // Check for path traversal patterns
+            if (segment == "." || segment == "..")
+            {
+                errorMessage = "contains path traversal patterns ('.' or '..') which are not allowed.";
+                return false;
+            }
+
+            // Check for specific reserved characters and provide helpful messages
+            if (segment.Contains('?'))
+            {
+                errorMessage = "contains '?' which is reserved for query strings in URLs.";
+                return false;
+            }
+
+            if (segment.Contains('#'))
+            {
+                errorMessage = "contains '#' which is reserved for URL fragments.";
+                return false;
+            }
+
+            if (segment.Contains(':'))
+            {
+                errorMessage = "contains ':' which is a reserved character and not allowed in URL paths.";
+                return false;
+            }
+
+            if (_reservedUriCharsRgx.IsMatch(segment))
+            {
+                errorMessage = "contains reserved characters that are not allowed in URL paths.";
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /// <summary>
     /// Method to validate if the TTL passed by the user is valid
     /// </summary>
diff --git a/src/Core/Services/RestService.cs b/src/Core/Services/RestService.cs
@@ -433,11 +433,17 @@ public bool TryGetRestRouteFromConfig([NotNullWhen(true)] out string? configured
 
         /// <summary>
         /// Tries to get the Entity name and primary key route from the provided string
-        /// returns the entity name via a lookup using the string which includes
-        /// characters up until the first '/', and then resolves the primary key
-        /// as the substring following the '/'.
+        /// by matching against configured entity paths (which may include '/' for sub-directories)
+        /// using longest-prefix matching, then treating the remaining suffix as the primary key route.
+        /// 
         /// For example, a request route should be of the form
         /// {EntityPath}/{PKColumn}/{PkValue}/{PKColumn}/{PKValue}...
+        /// where {EntityPath} may be a single segment like "books" or multi-segment like "shopping-cart/item".
+        /// 
+        /// Uses longest-prefix matching (most-specific match wins). When multiple
+        /// entity paths could match, the longest matching path takes precedence. For example,
+        /// if both "cart" and "cart/item" are valid entity paths, a request to
+        /// "cart/item/id/123" will match "cart/item" with primaryKeyRoute "id/123".
         /// </summary>
         /// <param name="routeAfterPathBase">The request route (no '/' prefix) containing the entity path
         /// (and optionally primary key).</param>
@@ -448,26 +454,27 @@ public bool TryGetRestRouteFromConfig([NotNullWhen(true)] out string? configured
 
             RuntimeConfig runtimeConfig = _runtimeConfigProvider.GetConfig();
 
-            // Split routeAfterPath on the first occurrence of '/', if we get back 2 elements
-            // this means we have a non-empty primary key route which we save. Otherwise, save
-            // primary key route as empty string. Entity Path will always be the element at index 0.
-            // ie: {EntityPath}/{PKColumn}/{PkValue}/{PKColumn}/{PKValue}...
-            // splits into [{EntityPath}] when there is an empty primary key route and into
-            // [{EntityPath}, {Primarykeyroute}] when there is a non-empty primary key route.
-            int maxNumberOfElementsFromSplit = 2;
-            string[] entityPathAndPKRoute = routeAfterPathBase.Split(new[] { '/' }, maxNumberOfElementsFromSplit);
-            string entityPath = entityPathAndPKRoute[0];
-            string primaryKeyRoute = entityPathAndPKRoute.Length == maxNumberOfElementsFromSplit ? entityPathAndPKRoute[1] : string.Empty;
-
-            if (!runtimeConfig.TryGetEntityNameFromPath(entityPath, out string? entityName))
+            // Split routeAfterPath to extract segments
+            string[] segments = routeAfterPathBase.Split('/');
+
+            // Try longest paths first (most-specific match wins)
+            // Start with all segments, then remove one at a time
+            for (int i = segments.Length; i >= 1; i--)
             {
-                throw new DataApiBuilderException(
-                    message: $"Invalid Entity path: {entityPath}.",
-                    statusCode: HttpStatusCode.NotFound,
-                    subStatusCode: DataApiBuilderException.SubStatusCodes.EntityNotFound);
+                string entityPath = string.Join("/", segments.Take(i));
+                if (runtimeConfig.TryGetEntityNameFromPath(entityPath, out string? entityName))
+                {
+                    // Found entity
+                    string primaryKeyRoute = i < segments.Length ? string.Join("/", segments.Skip(i)) : string.Empty;
+                    return (entityName!, primaryKeyRoute);
+                }
             }
 
-            return (entityName!, primaryKeyRoute);
+            // No entity found - show the full path for better debugging
+            throw new DataApiBuilderException(
+                message: $"Invalid Entity path: {routeAfterPathBase}.",
+                statusCode: HttpStatusCode.NotFound,
+                subStatusCode: DataApiBuilderException.SubStatusCodes.EntityNotFound);
         }
 
         /// <summary>
diff --git a/src/Service.Tests/UnitTests/ConfigValidationUnitTests.cs b/src/Service.Tests/UnitTests/ConfigValidationUnitTests.cs
@@ -2066,21 +2066,41 @@ public void ValidateRestMethodsForEntityInConfig(
         [DataTestMethod]
         [DataRow(true, "EntityA", "", true, "The rest path for entity: EntityA cannot be empty.",
             DisplayName = "Empty rest path configured for an entity fails config validation.")]
-        [DataRow(true, "EntityA", "entity?RestPath", true, "The rest path: entity?RestPath for entity: EntityA contains one or more reserved characters.",
+        [DataRow(true, "EntityA", "entity?RestPath", true, "The rest path: entity?RestPath for entity: EntityA contains '?' which is reserved for query strings in URLs.",
             DisplayName = "Rest path for an entity containing reserved character ? fails config validation.")]
-        [DataRow(true, "EntityA", "entity#RestPath", true, "The rest path: entity#RestPath for entity: EntityA contains one or more reserved characters.",
-            DisplayName = "Rest path for an entity containing reserved character ? fails config validation.")]
-        [DataRow(true, "EntityA", "entity[]RestPath", true, "The rest path: entity[]RestPath for entity: EntityA contains one or more reserved characters.",
-            DisplayName = "Rest path for an entity containing reserved character ? fails config validation.")]
-        [DataRow(true, "EntityA", "entity+Rest*Path", true, "The rest path: entity+Rest*Path for entity: EntityA contains one or more reserved characters.",
-            DisplayName = "Rest path for an entity containing reserved character ? fails config validation.")]
-        [DataRow(true, "Entity?A", null, true, "The rest path: Entity?A for entity: Entity?A contains one or more reserved characters.",
+        [DataRow(true, "EntityA", "entity#RestPath", true, "The rest path: entity#RestPath for entity: EntityA contains '#' which is reserved for URL fragments.",
+            DisplayName = "Rest path for an entity containing reserved character # fails config validation.")]
+        [DataRow(true, "EntityA", "entity[]RestPath", true, "The rest path: entity[]RestPath for entity: EntityA contains reserved characters that are not allowed in URL paths.",
+            DisplayName = "Rest path for an entity containing reserved character [] fails config validation.")]
+        [DataRow(true, "EntityA", "entity+Rest*Path", true, "The rest path: entity+Rest*Path for entity: EntityA contains reserved characters that are not allowed in URL paths.",
+            DisplayName = "Rest path for an entity containing reserved character +* fails config validation.")]
+        [DataRow(true, "Entity?A", null, true, "The rest path: Entity?A for entity: Entity?A contains '?' which is reserved for query strings in URLs.",
             DisplayName = "Entity name for an entity containing reserved character ? fails config validation.")]
-        [DataRow(true, "Entity&*[]A", null, true, "The rest path: Entity&*[]A for entity: Entity&*[]A contains one or more reserved characters.",
-            DisplayName = "Entity name containing reserved character ? fails config validation.")]
+        [DataRow(true, "Entity&*[]A", null, true, "The rest path: Entity&*[]A for entity: Entity&*[]A contains reserved characters that are not allowed in URL paths.",
+            DisplayName = "Entity name containing reserved character &*[] fails config validation.")]
         [DataRow(false, "EntityA", "entityRestPath", true, DisplayName = "Rest path correctly configured as a non-empty string without any reserved characters.")]
         [DataRow(false, "EntityA", "entityRest/?Path", false,
             DisplayName = "Rest path for an entity containing reserved character but with rest disabled passes config validation.")]
+        [DataRow(false, "EntityA", "shopping-cart/item", true,
+            DisplayName = "Rest path with sub-directory passes config validation.")]
+        [DataRow(false, "EntityA", "api/v1/books", true,
+            DisplayName = "Rest path with multiple sub-directories passes config validation.")]
+        [DataRow(true, "EntityA", "entity\\path", true, "The rest path: entity\\path for entity: EntityA contains a backslash (\\). Use forward slash (/) for path separators.",
+            DisplayName = "Rest path with backslash fails config validation with helpful message.")]
+        [DataRow(false, "EntityA", "/entity/path", true,
+            DisplayName = "Rest path with leading slash is trimmed and passes config validation.")]
+        [DataRow(true, "EntityA", "entity//path", true, "The rest path: entity//path for entity: EntityA contains empty path segments. Ensure there are no leading, consecutive, or trailing slashes.",
+            DisplayName = "Rest path with consecutive slashes fails config validation.")]
+        [DataRow(true, "EntityA", "entity/path/", true, "The rest path: entity/path/ for entity: EntityA contains empty path segments. Ensure there are no leading, consecutive, or trailing slashes.",
+            DisplayName = "Rest path with trailing slash fails config validation.")]
+        [DataRow(true, "EntityA", "entity /path", true, "The rest path: entity /path for entity: EntityA contains whitespace which is not allowed in URL paths.",
+            DisplayName = "Rest path with whitespace fails config validation with helpful message.")]
+        [DataRow(true, "EntityA", "entity%3Frest", true, "The rest path: entity%3Frest for entity: EntityA contains percent-encoding (%) which is not allowed. Use literal characters only.",
+            DisplayName = "Rest path with percent-encoded characters fails config validation.")]
+        [DataRow(true, "EntityA", "entity/../path", true, "The rest path: entity/../path for entity: EntityA contains path traversal patterns ('.' or '..') which are not allowed.",
+            DisplayName = "Rest path with dot-dot segments fails config validation.")]
+        [DataRow(true, "EntityA", "entity/./path", true, "The rest path: entity/./path for entity: EntityA contains path traversal patterns ('.' or '..') which are not allowed.",
+            DisplayName = "Rest path with dot segments fails config validation.")]
         public void ValidateRestPathForEntityInConfig(
             bool exceptionExpected,
             string entityName,
diff --git a/src/Service.Tests/UnitTests/RestServiceUnitTests.cs b/src/Service.Tests/UnitTests/RestServiceUnitTests.cs
