javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect

Community Favorite
profile photo of semgrepsemgrep
Author
19,877
Download Count*

It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.

Run Locally

Run in CI

Defintion

rules:
  - id: unknown-value-in-redirect
    message: It looks like '$UNK' is read from user input and it is used to as a
      redirect. Ensure '$UNK' is not externally controlled, otherwise this is an
      open redirect.
    metadata:
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      asvs:
        section: V5 Validation, Sanitization and Encoding
        control_id: 5.5.1 Insecue Redirect
        control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
        version: "4"
      category: security
      technology:
        - express
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      references:
        - https://owasp.org/Top10/A01_2021-Broken_Access_Control
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Open Redirect
    languages:
      - javascript
      - typescript
    severity: WARNING
    patterns:
      - pattern-either:
          - pattern-inside: |
              $UNK = query.$B;
              ...
          - pattern-inside: |
              $UNK = $A.query.$B;
              ...
          - pattern-inside: |
              $UNK = req.$SOMETHING;
              ...
      - pattern: $RES.redirect(..., <... $UNK ...>, ...)

Examples

possible-user-input-redirect.js

/*
 * Copyright (c) 2014-2020 Bjoern Kimminich.
 * SPDX-License-Identifier: MIT
 */

const utils = require('../lib/utils')
const insecurity = require('../lib/insecurity')
const challenges = require('../data/datacache').challenges

module.exports = function performRedirect () {
  return ({ query }, res, next) => {
    const toUrl = query.to
    if (insecurity.isRedirectAllowed(toUrl)) {
      utils.solveIf(challenges.redirectCryptoCurrencyChallenge, () => { return toUrl === 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW' || toUrl === 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm' || toUrl === 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6' })
      utils.solveIf(challenges.redirectChallenge, () => { return isUnintendedRedirect(toUrl) })
      // ruleid:unknown-value-in-redirect
      res.redirect(toUrl)
    } else {
      res.status(406)
      next(new Error('Unrecognized target URL for redirect: ' + toUrl))
    }
  }
}

function isUnintendedRedirect (toUrl) {
  let unintended = true
  for (const allowedUrl of insecurity.redirectWhitelist) {
    unintended = unintended && !utils.startsWith(toUrl, allowedUrl)
  }
  return unintended
}