javascript.express.security.audit.possible-user-input-redirect.unknown-value-in-redirect
Community Favorite
semgrep
Author
19,877
Download Count*
License
It looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.
Run Locally
Run in CI
Defintion
rules:
- id: unknown-value-in-redirect
message: It looks like '$UNK' is read from user input and it is used to as a
redirect. Ensure '$UNK' is not externally controlled, otherwise this is an
open redirect.
metadata:
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
asvs:
section: V5 Validation, Sanitization and Encoding
control_id: 5.5.1 Insecue Redirect
control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
version: "4"
category: security
technology:
- express
subcategory:
- audit
likelihood: LOW
impact: LOW
confidence: LOW
references:
- https://owasp.org/Top10/A01_2021-Broken_Access_Control
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Open Redirect
languages:
- javascript
- typescript
severity: WARNING
patterns:
- pattern-either:
- pattern-inside: |
$UNK = query.$B;
...
- pattern-inside: |
$UNK = $A.query.$B;
...
- pattern-inside: |
$UNK = req.$SOMETHING;
...
- pattern: $RES.redirect(..., <... $UNK ...>, ...)
Examples
possible-user-input-redirect.js
/*
* Copyright (c) 2014-2020 Bjoern Kimminich.
* SPDX-License-Identifier: MIT
*/
const utils = require('../lib/utils')
const insecurity = require('../lib/insecurity')
const challenges = require('../data/datacache').challenges
module.exports = function performRedirect () {
return ({ query }, res, next) => {
const toUrl = query.to
if (insecurity.isRedirectAllowed(toUrl)) {
utils.solveIf(challenges.redirectCryptoCurrencyChallenge, () => { return toUrl === 'https://explorer.dash.org/address/Xr556RzuwX6hg5EGpkybbv5RanJoZN17kW' || toUrl === 'https://blockchain.info/address/1AbKfgvw9psQ41NbLi8kufDQTezwG8DRZm' || toUrl === 'https://etherscan.io/address/0x0f933ab9fcaaa782d0279c300d73750e1311eae6' })
utils.solveIf(challenges.redirectChallenge, () => { return isUnintendedRedirect(toUrl) })
// ruleid:unknown-value-in-redirect
res.redirect(toUrl)
} else {
res.status(406)
next(new Error('Unrecognized target URL for redirect: ' + toUrl))
}
}
}
function isUnintendedRedirect (toUrl) {
let unintended = true
for (const allowedUrl of insecurity.redirectWhitelist) {
unintended = unintended && !utils.startsWith(toUrl, allowedUrl)
}
return unintended
}
Short Link: https://sg.run/OPv2