A string interpolation, seen as a sanitizer for “URL redirection” vulnerabilities.
String interpolation is considered safe, provided the string is prefixed by a non-tainted value. In most cases this will prevent the tainted value from controlling e.g. the host of the URL.
For example:
redirect_to "/users/#{params[:key]}" # safe
redirect_to "#{params[:key]}/users" # unsafe
There are prefixed interpolations that are not safe, e.g.
redirect_to "foo#{params[:key]}/users" # => "foo-malicious-site.com/users"
We currently don’t catch these cases.
Import path
import codeql.ruby.security.UrlRedirectCustomizationsDirect supertypes
Inherited predicates
| asCallable | Gets the callable corresponding to this block, lambda expression, or call to | from Node |
| asExpr | Gets the expression corresponding to this node, if any. | from Node |
| asParameter | Gets the parameter corresponding to this node, if any. | from Node |
| backtrack | Starts backtracking from this node using API graphs. | from Node |
| getALocalSource | Gets a local source node from which data may flow to this node in zero or more local data-flow steps. | from Node |
| getAPredecessor | Gets a data flow node from which data may flow to this node in one local step. | from Node |
| getASuccessor | Gets a data flow node to which data may flow from this node in one local step. | from Node |
| getConstantValue | Gets the constant value of this expression, if any. | from Node |
| getEnclosingMethod | Gets the enclosing method, if any. | from Node |
| getLocation | Gets the location of this node. | from Node |
| hasLocationInfo | Holds if this element is at the specified location. The location spans column | from Node |
| toString | Gets a textual representation of this node. | from Node |