java.lang.security.audit.unvalidated-redirect.unvalidated-redirect
Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations (phishing pages that look like the trusted origin, or token leakage via the Referer header). Validate the destination against an allowlist — for example, map a short user-supplied key to a fixed internal path or host — rather than redirecting to the raw parameter. Note that the rule flags any method that passes a String parameter straight to sendRedirect() or a "Location" header, so in-place validation that reuses the same variable will still be reported; redirecting to the value looked up from the allowlist will not.
Definition
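rules:
  - id: unvalidated-redirect
    message: Application redirects to a destination URL specified by a user-supplied
      parameter that is not validated. This could direct users to malicious
      locations. Consider using an allowlist to validate URLs.
    metadata:
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.1.5 Open Redirect
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      impact: LOW
      likelihood: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Open Redirect
    severity: WARNING
    languages:
      - java
    # Sinks covered: HttpServletResponse.sendRedirect(...) and a "Location"
    # header written via addHeader(...) or setHeader(...) (the latter is the
    # usual way to hand-roll a 3xx redirect and is otherwise a blind spot).
    #
    # For every sink the same three source shapes are matched:
    #   (1) the target is a String parameter of the enclosing method, in either
    #       order relative to the HttpServletResponse parameter, or with the
    #       response obtained from a local declaration;
    #   (2) the target is a local assigned from HttpServletRequest.getParameter(...);
    #   (3) HttpServletRequest.getParameter(...) is passed to the sink inline.
    #
    # NOTE: shape (1) ignores whatever happens between the parameter and the sink,
    # so a method that validates its String argument and then passes that same
    # variable to the sink is still reported. Redirecting to a value looked up
    # from an allowlist (not the raw parameter) is not matched, which is the
    # recommended remediation. The header name is matched as the exact literal
    # "Location"; other casings of the (case-insensitive) header are not covered.
    pattern-either:
      # ---- sendRedirect(...) ----
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
            ...
            $RES.sendRedirect($REQ.getParameter(...));
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
            ...
            $RES.sendRedirect($REQ.getParameter(...));
            ...
          }
      # ---- addHeader("Location", ...) ----
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
            ...
            $RES.addHeader("Location",$REQ.getParameter(...));
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
            ...
            $RES.addHeader("Location",$REQ.getParameter(...));
            ...
          }
      # ---- setHeader("Location", ...) ----
      # Same source shapes as addHeader; setHeader replaces rather than appends,
      # but either one makes the user-controlled value the redirect destination.
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
            ...
            $RES.setHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
            ...
            $RES.setHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.setHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.setHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.setHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse $RES,...) {
            ...
            $RES.setHeader("Location",$REQ.getParameter(...));
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest $REQ,...) {
            ...
            $RES.setHeader("Location",$REQ.getParameter(...));
            ...
          }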
Examples
unvalidated-redirect.java
package testcode;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
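/**
 * Test fixture for the {@code unvalidated-redirect} rule.
 *
 * <p>Methods annotated {@code // ruleid: unvalidated-redirect} must be reported
 * by the rule; methods annotated {@code // ok: unvalidated-redirect} must not.
 * The annotation comment has to sit directly above the method signature, because
 * the rule's findings start on the signature line.
 */
public class UnvalidatedRedirectServlet extends HttpServlet {

    /** Reads the user-controlled "urlRedirect" parameter and hands it to a vulnerable helper. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String url = req.getParameter("urlRedirect");
        unvalidatedRedirect1(resp, url);
    }

    // String parameter flows straight into sendRedirect(); the null check is not validation.
    // ruleid: unvalidated-redirect
    private void unvalidatedRedirect1(HttpServletResponse resp, String url) throws IOException {
        if (url != null) {
            resp.sendRedirect(url);
        }
    }

    // Same flow, but the redirect is hand-rolled through the "Location" header.
    // ruleid: unvalidated-redirect
    public void unvalidatedRedirect2(HttpServletResponse resp, String url) {
        if (url != null) {
            resp.addHeader("Location", url);
        }
    }

    // getParameter() passed inline to the sink.
    // ruleid: unvalidated-redirect
    private void unvalidatedRedirect3(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(req.getParameter("urlRedirect"));
    }

    // getParameter() stored in a local first, then written to the "Location" header.
    // ruleid: unvalidated-redirect
    public void unvalidatedRedirect4(HttpServletRequest req, HttpServletResponse resp) {
        String url = req.getParameter("urlRedirect");
        resp.addHeader("Location", url);
    }

    // Destination is a constant, not derived from any parameter.
    // ok: unvalidated-redirect
    public void falsePositiveRedirect1(HttpServletResponse resp) throws IOException {
        String url = "/Home";
        if (url != null) {
            resp.sendRedirect(url);
        }
    }

    // Constant "Location" value.
    // ok: unvalidated-redirect
    public void falsePositiveRedirect2(HttpServletResponse resp) {
        resp.addHeader("Location", "/login.jsp");
    }

    // Remediation example: the user-supplied value is only a key that selects one
    // of a fixed set of known destinations; the raw parameter itself is never
    // passed to the sink, so an attacker cannot choose the redirect target.
    // ok: unvalidated-redirect
    public void allowlistedRedirect(HttpServletResponse resp, String target) throws IOException {
        resp.sendRedirect("login".equals(target) ? "/login.jsp" : "/Home");
    }
}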