java.lang.security.audit.unvalidated-redirect.unvalidated-redirect

Community Favorite
profile photo of returntocorpreturntocorp
Author
73,396
Download Count*

Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.

Run Locally

Run in CI

Defintion

rules:
  - id: unvalidated-redirect
    message: Application redirects to a destination URL specified by a user-supplied
      parameter that is not validated. This could direct users to malicious
      locations. Consider using an allowlist to validate URLs.
    metadata:
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT
      asvs:
        section: "V5: Validation, Sanitization and Encoding Verification Requirements"
        control_id: 5.1.5 Open Redirect
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation-requirements
        version: "4"
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      impact: LOW
      likelihood: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: WARNING
    languages:
      - java
    pattern-either:
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse
          $RES,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest
          $REQ,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.sendRedirect($URL);
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse
          $RES,...) {
            ...
            $RES.sendRedirect($REQ.getParameter(...));
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest
          $REQ,...) {
            ...
            $RES.sendRedirect($REQ.getParameter(...));
            ...
          }
      - pattern: |
          $X $METHOD(...,HttpServletResponse $RES,...,String $URL,...) {
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...,HttpServletResponse $RES,...) {
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse
          $RES,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest
          $REQ,...) {
            ...
            String $URL = $REQ.getParameter(...);
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            HttpServletResponse $RES = ...;
            ...
            $RES.addHeader("Location",$URL);
            ...
          }
      - pattern: >
          $X $METHOD(...,HttpServletRequest $REQ,...,HttpServletResponse
          $RES,...) {
            ...
            $RES.addHeader("Location",$REQ.getParameter(...));
            ...
          }
      - pattern: >-
          $X $METHOD(...,HttpServletResponse $RES,...,HttpServletRequest
          $REQ,...) {
            ...
            $RES.addHeader("Location",$REQ.getParameter(...));
            ...
          }

Examples

unvalidated-redirect.java

package testcode;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class UnvalidatedRedirectServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        String url = req.getParameter("urlRedirect");
        unvalidatedRedirect1(resp, url);
    }

    // ruleid: unvalidated-redirect
    private void unvalidatedRedirect1(HttpServletResponse resp, String url) throws IOException {
        if (url != null) {
            resp.sendRedirect(url);
        }
    }

    // ruleid: unvalidated-redirect
    public void unvalidatedRedirect2(HttpServletResponse resp, String url) {
        if (url != null) {
            resp.addHeader("Location", url);
        }
    }

    // ruleid: unvalidated-redirect
    private void unvalidatedRedirect3(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.sendRedirect(req.getParameter("urlRedirect"));
    }

    // ruleid: unvalidated-redirect
    public void unvalidatedRedirect4(HttpServletRequest req, HttpServletResponse resp) {
        String url = req.getParameter("urlRedirect");
        resp.addHeader("Location", url);
    }

    // ok: unvalidated-redirect
    public void falsePositiveRedirect1(HttpServletResponse resp) throws IOException {
        String url = "/Home";
        if (url != null) {
            resp.sendRedirect(url);
        }
    }

    // ok: unvalidated-redirect
    public void falsePositiveRedirect2(HttpServletResponse resp) {
        resp.addHeader("Location", "/login.jsp");
    }
}