Add support for custom path traversal exemptions in plugins


    • Type: Suggestion
    • Resolution: Unresolved
    • None
    • Component/s: CONF DoS

      Currently, customers don't have any way of exempting URLs from path traversal checks. It is configurable in Confluence Core and requires Confluence code changes.

      Adding a configurable module descriptor in atlassian-plugin.xml could be a potential long-term fix, but it involves the risk of allowing path traversal in unrelated URLs.

      The recommended approach is escaping path traversal strings so they won't be rejected by the Confluence path traversal filter.

      Request for DoS

      Determine the long-term solution for apps to declare an allowlist on their side, instead of maintaining one on the product side.

      Let me know if any other information is needed.

            Assignee:
            Unassigned
            Reporter:
            agawron
            Votes:
            1
            Watchers:
            2
