java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect


Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.


Definition

# Semgrep rule: reports Spring MVC code that builds a "redirect:" view name
# from a String parameter, i.e. the open-redirect shape of CWE-601.
rules:
  - id: spring-unvalidated-redirect
    message: Application redirects a user to a destination URL specified by a user
      supplied parameter that is not validated.
    metadata:
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      owasp:
        - A01:2021 - Broken Access Control
      source-rule-url: https://find-sec-bugs.github.io/bugs.htm#UNVALIDATED_REDIRECT
      category: security
      technology:
        - spring
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      # MEDIUM confidence: matching is purely syntactic (no taint tracking), so a
      # parameter that was validated earlier in the method is still reported, and
      # redirects issued through APIs other than the four shapes below are not.
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Open Redirect
    severity: WARNING
    languages:
      - java
    # $X and $METHOD match any return type and method name, so private helpers
    # that take a String and build the redirect are reported, not only
    # @RequestMapping handlers.
    pattern-either:
      # Body is exactly one concatenated return; any other statement in the
      # body (e.g. a validation check) prevents this first pattern from matching.
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            return "redirect:" + $URL;
          }
      # Concatenation stored in a local and returned later. The `...` on either
      # side admit arbitrary statements, so a check on $URL placed before the
      # concatenation does not suppress this finding.
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            String $REDIR = "redirect:" + $URL;
            ...
            return $REDIR;
            ...
          }
      # Same two shapes, but the concatenated string feeds a ModelAndView
      # constructor instead of being returned as the view name.
      - pattern: |
          $X $METHOD(...,String $URL,...) {
            ...
            new ModelAndView("redirect:" + $URL);
            ...
          }
      - pattern: |-
          $X $METHOD(...,String $URL,...) {
            ...
            String $REDIR = "redirect:" + $URL;
            ...
            new ModelAndView($REDIR);
            ...
          }

Examples

spring-unvalidated-redirect.java

package testcode.spring;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.servlet.ModelAndView;

/**
 * Semgrep test fixture for the {@code spring-unvalidated-redirect} rule.
 *
 * <p>Every handler deliberately builds a {@code "redirect:"} view name from the
 * caller-supplied {@code url} request parameter without checking it, which is
 * the open-redirect shape (CWE-601) the rule reports. A handler that is safe by
 * construction would instead resolve the parameter against an allowlist of known
 * targets (or accept only application-relative paths) before building the view.
 *
 * <p>The {@code // ruleid:} and {@code // ok:} markers are the rule's expected
 * findings and must stay on the line directly above the declaration they
 * annotate, so the explanatory Javadoc below sits above the markers. The rule is
 * syntactic and matches any method with a {@code String} parameter, not only
 * {@code @RequestMapping} handlers (see {@link #buildRedirect(String)}).
 */
@Controller
public class SpringUnvalidatedRedirectController {

    /**
     * Redirects straight to the parameter value: the concatenated string is
     * returned as the view name in a single statement.
     *
     * @param url redirect target taken verbatim from the {@code url} request parameter
     * @return a {@code "redirect:"} view name pointing at {@code url}
     */
    // ruleid: spring-unvalidated-redirect
    @RequestMapping("/redirect1")
    public String redirect1(@RequestParam("url") String url) {
        return "redirect:" + url;
    }

    /**
     * Same redirect as {@link #redirect1(String)}, but the concatenated view
     * name goes through a local variable before being returned.
     *
     * @param url redirect target taken verbatim from the {@code url} request parameter
     * @return a {@code "redirect:"} view name pointing at {@code url}
     */
    // ruleid: spring-unvalidated-redirect
    @RequestMapping("/redirect2")
    public String redirect2(@RequestParam("url") String url) {
        String view = "redirect:" + url;
        return view;
    }

    /**
     * Indirect variant: the redirect string is assembled by
     * {@link #buildRedirect(String)}. This handler carries no marker because the
     * rule fires on the helper, where the {@code "redirect:"} concatenation
     * actually happens.
     *
     * @param url redirect target taken verbatim from the {@code url} request parameter
     * @return the view name produced by {@link #buildRedirect(String)}
     */
    @RequestMapping("/redirect3")
    public String redirect3(@RequestParam("url") String url) {
        return buildRedirect(url);
    }

    /**
     * Builds the redirect view name for {@link #redirect3(String)}. Reported by
     * the rule even though it is private and not a request handler: the pattern
     * matches any method that takes a {@code String} and returns
     * {@code "redirect:"} concatenated with it.
     *
     * @param u redirect target, passed through unchanged
     * @return a {@code "redirect:"} view name pointing at {@code u}
     */
    // ruleid: spring-unvalidated-redirect
    private String buildRedirect(String u) {
        return "redirect:" + u;
    }

    /**
     * {@link ModelAndView} variant: the concatenated view name is passed
     * directly to the {@code ModelAndView} constructor.
     *
     * @param url redirect target taken verbatim from the {@code url} request parameter
     * @return a {@code ModelAndView} whose view name redirects to {@code url}
     */
    // ruleid: spring-unvalidated-redirect
    @RequestMapping("/redirect4")
    public ModelAndView redirect4(@RequestParam("url") String url) {
        return new ModelAndView("redirect:" + url);
    }

    /**
     * {@link ModelAndView} variant with the view name held in a local variable
     * before the constructor call.
     *
     * @param url redirect target taken verbatim from the {@code url} request parameter
     * @return a {@code ModelAndView} whose view name redirects to {@code url}
     */
    // ruleid: spring-unvalidated-redirect
    @RequestMapping("/redirect5")
    public ModelAndView redirect5(@RequestParam("url") String url) {
        String view = "redirect:" + url;
        return new ModelAndView(view);
    }

    /**
     * Negative case: the redirect target is the constant {@code "/"} and the
     * method takes no parameter, so nothing user-supplied reaches the view name.
     *
     * @return a {@code "redirect:"} view name for the application root
     */
    // ok: spring-unvalidated-redirect
    @RequestMapping("/redirectfp")
    public String redirectfp() {
        return "redirect:/";
    }
}