gitlab.find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1
Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user-supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks.
Definition
rules:
  - id: find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1
    patterns:
      - pattern-either:
          - patterns:
              - pattern: (HttpServletResponse $REQ).sendRedirect(...)
              - pattern-not: (HttpServletResponse $REQ).sendRedirect("...")
          - patterns:
              - pattern: (HttpServletResponse $REQ).addHeader(...)
              - pattern-not: (HttpServletResponse $REQ).addHeader("...", "...")
          - patterns:
              - pattern: (HttpServletResponse $REQ).encodeURL(...)
              - pattern-not: (HttpServletResponse $REQ).encodeURL("...")
          - patterns:
              - pattern: (HttpServletResponse $REQ).encodeRedirectUrl(...)
              - pattern-not: (HttpServletResponse $REQ).encodeRedirectUrl("...")
    languages:
      - java
    message: >
      Unvalidated redirects occur when an application redirects a user to a
      destination URL specified by a user supplied parameter that is not validated.
      Such vulnerabilities can be used to facilitate phishing attacks.
    metadata:
      category: security
      cwe: "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      primary_identifier: find_sec_bugs.UNVALIDATED_REDIRECT-1.URL_REWRITING-1
      secondary_identifiers:
        - name: Find Security Bugs-UNVALIDATED_REDIRECT
          type: find_sec_bugs_type
          value: UNVALIDATED_REDIRECT
        - name: Find Security Bugs-URL_REWRITING
          type: find_sec_bugs_type
          value: URL_REWRITING
      license: MIT
    severity: ERROR
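The rule above is purely syntactic: it reports any sendRedirect (or addHeader, encodeURL, encodeRedirectUrl) call whose argument is not a string literal. The constructed servlet below is an added example, not code from Semgrep or Find Security Bugs; the class name, the "next" parameter and the host allowlist are assumptions. It shows the open-redirect shape the rule flags next to a validated variant, which the rule still reports because its argument is a variable rather than a literal.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example servlet; the "next" parameter and the allowlist are assumptions.
public class RedirectServlet extends HttpServlet {
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com", "login.example.com");

    // Open redirect: the request parameter flows unchecked into sendRedirect.
    // This is exactly the shape the rule flags (non-literal argument).
    protected void doGetVulnerable(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(req.getParameter("next"));
    }

    // Hardened variant: the target is reduced to a same-origin path or an allowlisted https host.
    // The argument is still not a string literal, so the rule still reports this line;
    // the finding is then a reviewed false positive, not a silenced one.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(safeRedirectTarget(req.getParameter("next"), "/home"));
    }

    // Returns the candidate only if it is a safe redirect target, otherwise the fallback.
    static String safeRedirectTarget(String candidate, String fallback) {
        if (candidate == null || candidate.isEmpty()) {
            return fallback;
        }
        URI uri;
        try {
            uri = new URI(candidate);            // rejects illegal characters such as backslashes
        } catch (URISyntaxException e) {
            return fallback;
        }
        boolean relative = uri.getScheme() == null && uri.getAuthority() == null;
        if (relative) {
            // Same-origin path: must start with exactly one "/" ("//host" is protocol-relative).
            return candidate.startsWith("/") && !candidate.startsWith("//") ? candidate : fallback;
        }
        // Absolute URL: only https to a host on the allowlist (exact match, case-insensitive).
        if ("https".equalsIgnoreCase(uri.getScheme()) && uri.getHost() != null
                && ALLOWED_HOSTS.contains(uri.getHost().toLowerCase())) {
            return candidate;
        }
        return fallback;
    }
}
```

Because validation happens before the call, a team triaging this rule's output would mark the hardened line as reviewed (for example with a nosemgrep comment) rather than loosening the pattern, which would also hide the genuinely vulnerable variant.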
Short Link: https://sg.run/PPWE