ruby.rails.security.audit.xss.avoid-redirect.avoid-redirect

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

When a redirect uses user input, a malicious user can spoof a website under a trusted URL or access restricted parts of a site. When using user-supplied values, sanitize the value before using it for the redirect.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - id: avoid-redirect
    metadata:
      owasp:
        - A01:2021 - Broken Access Control
      cwe:
        - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
      references:
        - https://brakemanscanner.org/docs/warning_types/redirect/
      category: security
      technology:
        - rails
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Open Redirect
    message: When a redirect uses user input, a malicious user can spoof a website
      under a trusted URL or access restricted parts of a site. When using
      user-supplied values, sanitize the value before using it for the redirect.
    languages:
      - ruby
    severity: WARNING
    mode: taint
    pattern-sources:
      - pattern: params
      - pattern: cookies
      - pattern: request.env
      - patterns:
          - pattern: $MODEL.$X(...)
          - pattern-not: $MODEL.$X("...")
          - metavariable-pattern:
              metavariable: $X
              pattern-either:
                - pattern: all
                - pattern: create
                - pattern: create!
                - pattern: find
                - pattern: find_by_sql
                - pattern: first
                - pattern: last
                - pattern: new
                - pattern: from
                - pattern: group
                - pattern: having
                - pattern: joins
                - pattern: lock
                - pattern: order
                - pattern: reorder
                - pattern: select
                - pattern: where
                - pattern: find_by
                - pattern: find_by!
                - pattern: take
    pattern-sinks:
      - pattern: redirect_to(...)
    pattern-sanitizers:
      - pattern: params.merge(:only_path => true)
      - pattern: params.merge(:host => ...)

Examples

avoid-redirect.rb

# ruleid: avoid-redirect
redirect_to(url_for(params))

# ruleid: avoid-redirect
redirect_to(params[:t])

# ruleid: avoid-redirect
redirect_to(User.where(x))

# ok: avoid-redirect
redirect_to params.merge(:only_path => true)

# ok: avoid-redirect
redirect_to params.merge(:host => 'example_host.com')