Route parameters could allow code injection

Background

Assume we have 2 routes in our "private" web api (behind a firewall that can only be called by another service service).

GET https://private.com/foo/{id} - Returns our FOO with id = {id}
GET https://private.com/foo/{id}/supersecretstuff - Returns all the sensitive info about FOO with id = {id}

Our public facing service has the following endpoint:
POST https://public.com/get_foos with a body { ids: ['A23', 'B77'] } which returns the contents:

{
   'A23': {/* foo info from https://private.com/foo/A23 */}, 
   'B77': {/* foo info from https://private.com/foo/B77 */} 
}

This is done w/ the following RestSharp code:

var client = new RestClient("https://private.com");
var request = new RestRequest("/foo/{id}", Method.GET);
request.AddParameter("id", model.ids[idx] /*A23*/, ParameterType.UrlSegment);
return client.Execute(request);

The issue:

When the following request is made:

POST https://public.com/get_foos
{
    "ids": ["A23/supersecretstuff"]
}

The rest client will create a request with the URL of https://private.com/foo/A23%2Fsupersecretstuff. Unfortunately, %2F is treated as a segment separator the same as / so the foo/A23/supersecretstuff route is hit instead of foo/A23.

Questions

1. Should RestSharp throw an error when a parameter is added with a / or %2f?
2. Should the client expect to never have an id containing a / and throw an error before it gets set as a request parameter?
3. Is there a HTTP way to include %2f within a url segment? Or a general REST way to include route parameters? (eg. WebAPI optionally allows them either in the path or the query string)

[alexeyzimarev]

I actually just looked at the issue where someone uses the query parameter, which includes the slash sign and it's the intended behaviour (the parameter value is some path), but it is a query parameter. But we can transliterate %2F to slash for URL segment parameters so they would not be encoded...

[alexeyzimarev]

It's got released in 106.11