I stumbled on something interesting and I want to make sure there is not a security implication. I can append anything to `/mesos/*/` endpoints and still have them resolve. The Mesos team suggested that this is something that should be addressed.
1. Spin up a Mesos cluster, any environment is fine as this is a web UI issue.
2. Append `/mesos/slaves/<any string you want including /, and .>` to your Mesos master's address in the browser and it still resolves `/mesos/slaves`. The same applies to anything after `/mesos/state` and I would assume all the other Mesos endpoints following this URL pattern.
Example URLs that resolve when they probably should not:
Benno Evers from the Mesos team let me know this behavior is due to this section of code https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/process.cpp#L3953
Thanks and let me know if you need anything else from me.