[Rest-API] Delete Parameters not checked properly?
I am currently writing a Bachelor Thesis and encountered the following problem.
My Thesis is about automatic testing of Web APIs that are using REST. The basic idea is to (randomly) generate input and call the respective URLs of the Web API.
I am currently in the preparation of my evaluation (meaning I will execute longer test runs on your Web API). During this preparation I noticed in my test runs that after a while I would get only authorization errors. I tracked down the URL call that was responsible for this. It looked similar to this:
DELETE http://example.com/api/v3/users/1ZUDFTEH?private_token=QVy1PB7sTxfy4pqfZM1U
After this even simple calls to "GET /user" would fail. It turned out that I had deleted myself (I was using the standard admin account to avoid authorization issues) and naturally all other calls must fail. Investigating further, this was always the case if my generator generated a value for the id parameter that began with a "1" followed by a random non-numerical string.
Since the id of the admin is 1, my guess is that somehow just the 1 is recognized and the rest of the "id" is ignored, while I would expect to get something like "ID not found" (since e.g. 1ZUDFTEH is not a valid ID at all). This may be an issue regarding typos in the id (imagine wanting to delete user 13 but accidentally you slip and write 1e).
Is this intended or is it a bug?
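The behaviour described in the post is what lenient integer coercion produces: a parser that reads leading digits and silently discards the rest turns "1ZUDFTEH" into 1. The following Ruby is an added example, not code from the original post or from the API it is about; the in-memory user table, the `delete_user` handler and the strict/lenient parsers are constructed for illustration and assume nothing about the real implementation.

```ruby
# Lenient coercion: String#to_i takes the leading digits and drops everything
# after them, so "1ZUDFTEH", "1e" and " 1" all become 1.
def lenient_id(raw)
  raw.to_i
end

# Strict parsing: the whole parameter must be a positive decimal integer with
# no leading zeros, sign, whitespace or trailing garbage. Anything else is nil,
# which the handler maps to "ID not found" instead of a guessed id.
def strict_id(raw)
  return nil unless raw.is_a?(String) && raw.match?(/\A[1-9][0-9]*\z/)
  Integer(raw, 10)
end

# Constructed in-memory user table standing in for the API's datastore.
USERS = { 1 => "admin", 13 => "alice" }.freeze

# Simulated handler for DELETE /users/:id. Returns [status, body] and mutates
# the table that is passed in, so a caller can see whether a delete happened.
def delete_user(users, raw_id, strict: true)
  id = strict ? strict_id(raw_id) : lenient_id(raw_id)
  return [404, "ID not found"] if id.nil? || !users.key?(id)
  users.delete(id)
  [204, ""]
end

if __FILE__ == $0
  # Same malformed id, two parsing strategies: lenient deletes the admin,
  # strict rejects the request and leaves the table untouched.
  ["1ZUDFTEH", "1e", "13"].each do |raw|
    lenient = delete_user(USERS.dup, raw, strict: false)
    strict  = delete_user(USERS.dup, raw, strict: true)
    puts "#{raw.inspect}: to_i=#{lenient_id(raw)} -> #{lenient[0]} | " \
         "strict=#{strict_id(raw).inspect} -> #{strict[0]}"
  end
end
```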