2020-12-21 15:38:52 +01:00
|
|
|
include::../description.adoc[]
|
|
|
|
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2020-12-21 15:38:52 +01:00
|
|
|
----
|
2021-11-05 14:12:29 +01:00
|
|
|
function redirect(req, res) {
|
2021-12-13 16:18:55 +01:00
|
|
|
const url = req.query.url; // user-controlled input
|
2020-12-21 15:38:52 +01:00
|
|
|
|
|
|
|
|
res.redirect(url); // Noncompliant
|
|
|
|
|
}
|
2021-11-05 14:12:29 +01:00
|
|
|
|
|
|
|
|
function setLocationHeader(req, res) {
|
2021-12-13 16:18:55 +01:00
|
|
|
const url = req.query.url; // user-controlled input
|
2021-11-05 14:12:29 +01:00
|
|
|
|
|
|
|
|
res.location(url); // Noncompliant
|
|
|
|
|
res.sendStatus(302);
|
|
|
|
|
}
|
2020-12-21 15:38:52 +01:00
|
|
|
----
|
|
|
|
|
|
|
|
|
|
== Compliant Solution
|
|
|
|
|
|
2021-04-26 17:29:13 +02:00
|
|
|
Validate the URL with an allowlist:
|
2020-12-21 15:38:52 +01:00
|
|
|
|
2022-02-04 17:28:24 +01:00
|
|
|
[source,javascript]
|
2020-12-21 15:38:52 +01:00
|
|
|
----
|
|
|
|
|
function isValidUrl(url) {
|
|
|
|
|
if(url.startsWith("https://www.safe.com/")) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2021-11-05 14:12:29 +01:00
|
|
|
function redirect(req, res) {
|
2021-12-13 16:18:55 +01:00
|
|
|
const url = req.query.url; // user-controlled input
|
2020-12-21 15:38:52 +01:00
|
|
|
|
|
|
|
|
if(isValidUrl(url)) {
|
|
|
|
|
res.redirect(url); // Compliant
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
include::../see.adoc[]
|
2021-09-20 15:38:42 +02:00
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
|
|
|
|
|
|
'''
|
|
|
|
|
== Implementation Specification
|
|
|
|
|
(visible only on this page)
|
|
|
|
|
|
|
|
|
|
include::../message.adoc[]
|
|
|
|
|
|
|
|
|
|
include::../highlighting.adoc[]
|
|
|
|
|
|
|
|
|
|
endif::env-github,rspecator-view[]
|
