• CodeQL query help documentation »
• CodeQL query help for JavaScript and TypeScript »

Server-side URL redirect

ID: js/server-side-unvalidated-url-redirection Kind: path-problem Security severity: 6.1 Severity: warning Precision: high Tags: - security - external/cwe/cwe-601 Query suites: - javascript-code-scanning.qls - javascript-security-extended.qls - javascript-security-and-quality.qls 

Click to see the query in the CodeQL repository

Directly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.

Recommendation

To guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.

If this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL is on the same host as the current page.

Example

The following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:

constapp=require("express")();app.get("/redirect",function(req,res){// BAD: a request parameter is incorporated without validation into a URL redirectres.redirect(req.query["target"]);});

One way to remedy the problem is to validate the user input against a known fixed string before doing the redirection:

constapp=require("express")();constVALID_REDIRECT="http://cwe.mitre.org/data/definitions/601.html";app.get("/redirect",function(req,res){// GOOD: the request parameter is validated against a known fixed stringlettarget=req.query["target"];if(VALID_REDIRECT===target){res.redirect(target);}else{res.redirect("/");}});

Alternatively, we can check that the target URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same:

constapp=require("express")();functionisLocalUrl(path){try{return(// TODO: consider substituting your own domain for example.comnewURL(path,"https://example.com").origin==="https://example.com");}catch(e){returnfalse;}}app.get("/redirect",function(req,res){// GOOD: check that we don't redirect to a different hostlettarget=req.query["target"];if(isLocalUrl(target)){res.redirect(target);}else{res.redirect("/");}});

Note that as written, the above code will allow redirects to URLs on example.com, which is harmless but perhaps not intended. You can substitute your own domain (if known) for example.com to prevent this.

References

• OWASP: XSS Unvalidated Redirects and Forwards Cheat Sheet.

• Common Weakness Enumeration: CWE-601.

• © GitHub, Inc.
• Terms
• Privacy