[Feature]: This release introduces strict query parameter validation in the API Proxy to prevent query parameter injection into downstream SAP requests. The change addresses an issue where encoded characters (e.g., %26 for &) could be used to pass additional parameters.
Only the query parameters listed below are allowed; any additional parameters passed on the request are dropped:
- sap-client: Exactly 3 digits
- sap-sessioncmd: Must be cancel
- sap-language: Exactly 2 characters
- link-function: Must be auth-payload
- saml2: Must be disabled
- tabs: Letters only
- key: String or the literal $*$
- expirationSeconds: Positive integer 1..2147483647
- cid: Alphanumeric, 10 characters or fewer
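
The allowlist above, sketched as an added example (not the API Proxy's own code): the query is decoded once, each pair is checked against its rule, and the outgoing query is rebuilt from the validated pairs so an encoded `%26` cannot become a separator downstream. The function name `sanitize_query`, the letter-only reading of sap-language, the character set for key, the non-empty cid, and dropping (rather than rejecting) invalid or repeated parameters are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode

INT32_MAX = 2147483647

# Allowlist from the release note. Patterns marked "assumed" tighten wording
# that the note leaves open.
RULES = {
    "sap-client": re.compile(r"[0-9]{3}"),
    "sap-sessioncmd": re.compile(r"cancel"),
    "sap-language": re.compile(r"[A-Za-z]{2}"),        # assumed: two letters
    "link-function": re.compile(r"auth-payload"),
    "saml2": re.compile(r"disabled"),
    "tabs": re.compile(r"[A-Za-z]+"),
    "key": re.compile(r"[A-Za-z0-9_.-]+|\$\*\$"),      # assumed character set
    "expirationSeconds": re.compile(r"[1-9][0-9]{0,9}"),
    "cid": re.compile(r"[A-Za-z0-9]{1,10}"),           # assumed: non-empty
}


def sanitize_query(raw_query: str) -> str:
    """Return a re-encoded query string holding only valid allowlisted pairs."""
    kept = {}
    # parse_qsl splits on literal '&' first, then percent-decodes each name
    # and value exactly once, so "%26" ends up inside a value.
    for name, value in parse_qsl(raw_query, keep_blank_values=True):
        rule = RULES.get(name)
        if rule is None or name in kept:
            continue  # unknown or repeated parameter: drop (assumed policy)
        if not rule.fullmatch(value):
            continue  # decoded value breaks its rule: drop (assumed policy)
        if name == "expirationSeconds" and int(value) > INT32_MAX:
            continue  # outside 1..2147483647
        kept[name] = value
    # Re-encode from the validated pairs instead of forwarding the raw string.
    return urlencode(kept)
```
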