ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect
semgrep
Author
unknown
Download Count*
License
When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.
Run Locally
Run in CI
Defintion
rules:
- id: avoid-redirect
metadata:
owasp:
- A01:2021 - Broken Access Control
cwe:
- "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
references:
- https://brakemanscanner.org/docs/warning_types/redirect/
category: security
technology:
- rails
subcategory:
- vuln
likelihood: MEDIUM
impact: MEDIUM
confidence: MEDIUM
license: Commons Clause License Condition v1.0[LGPL-2.1-only]
vulnerability_class:
- Open Redirect
message: When a redirect uses user input, a malicious user can spoof a website
under a trusted URL or access restricted parts of a site. When using
user-supplied values, sanitize the value before using it for the redirect.
languages:
- ruby
severity: WARNING
mode: taint
pattern-sources:
- pattern: params
- pattern: cookies
- pattern: request.env
- patterns:
- pattern: $MODEL.$X(...)
- pattern-not: $MODEL.$X("...")
- metavariable-pattern:
metavariable: $X
pattern-either:
- pattern: all
- pattern: create
- pattern: create!
- pattern: find
- pattern: find_by_sql
- pattern: first
- pattern: last
- pattern: new
- pattern: from
- pattern: group
- pattern: having
- pattern: joins
- pattern: lock
- pattern: order
- pattern: reorder
- pattern: select
- pattern: where
- pattern: find_by
- pattern: find_by!
- pattern: take
pattern-sinks:
- pattern: redirect_to(...)
pattern-sanitizers:
- pattern: params.merge(:only_path => true)
- pattern: params.merge(:host => ...)
Examples
avoid-redirect.rb
# ruleid: avoid-redirect
redirect_to(url_for(params))
# ruleid: avoid-redirect
redirect_to(params[:t])
# ruleid: avoid-redirect
redirect_to(User.where(x))
# ok: avoid-redirect
redirect_to params.merge(:only_path => true)
# ok: avoid-redirect
redirect_to params.merge(:host => 'example_host.com')
Short Link: https://sg.run/5DY3