URL redirection from remote source¶
ID: rb/url-redirection Kind: path-problem Severity: error Precision: high Tags: - security - external/cwe/cwe-601 Query suites: - ruby-code-scanning.qls - ruby-security-extended.qls - ruby-security-and-quality.qls
Directly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.
To guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.
The following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:
class HelloController < ActionController::Base def hello redirect_to params[:url] end end
One way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:
class HelloController < ActionController::Base VALID_REDIRECT = "http://cwe.mitre.org/data/definitions/601.html" def hello if params[:url] == VALID_REDIRECT redirect_to params[:url] else # error end end end
Rails Guides: Redirection and Files.
Common Weakness Enumeration: CWE-601.