rspec/rules/S5146/php/rule.adoc

User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications performing HTTP redirects based on tainted data could enable an attacker to redirect users to a malicious site to, for example, steal login credentials.


This problem could be mitigated in any of the following ways:

* Validate the user-provided data based on a whitelist and reject input not matching.
* Redesign the application to not perform redirects based on user-provided data.

== Noncompliant Code Example

Symfony

[source,php]
----
public function redirect(Request $request)
{
  $url = $request->query->get('url');
  return $this->redirect($url); // Noncompliant
}

public function setLocatioHeader(Request $request)
{
  $url = $request->query->get('url');
  $response = new Response('Redirecting...', 302);
  $response->headers->set('Location', $url); // Noncompliant
  return $response;
}
----

Laravel
[source,php]
----
public function redirect(Request $request)
{
  $url = $request->input('url');
  return $this->redirect($url); // Noncompliant
}

public function setLocatioHeader(Request $request)
{
  $url = $request->input('url');
  return response("", 302)
    ->header('Location', $url) // Noncompliant
}
----

== Compliant Solution

Symfony

[source,php]
----
public function redirect(Request $request)
{
  $url = $request->query->get('url');
  $allowedUrls = ["/index", "/login", "/logout"];

  if (in_array($url, $allowedUrls, true)) {
    return $this->redirect($url);
  } else {
    $this->redirect("/");
  }
}
----

Laravel
[source,php]
----
public function redirect(Request $request)
{
  $url = $request->input('url');
  $allowedUrls = ["/index", "/login", "/logout"];

  if (in_array($url, $allowedUrls, true)) {
    return $this->redirect($url);
  } else {
    return redirect("/");
  }
}
----

include::../see.adoc[]
ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::../highlighting.adoc[]

endif::env-github,rspecator-view[]
Modify Rules: Multiple typo on missing hyphens (#660) 2021-12-13 16:18:55 +01:00			`User-provided data, such as URL parameters, POST data payloads, or cookies, should always be considered untrusted and tainted. Applications performing HTTP redirects based on tainted data could enable an attacker to redirect users to a malicious site to, for example, steal login credentials.`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00

			`This problem could be mitigated in any of the following ways:`

Modify Rules: Multiple typo on missing hyphens (#660) 2021-12-13 16:18:55 +01:00			`* Validate the user-provided data based on a whitelist and reject input not matching.`
			`* Redesign the application to not perform redirects based on user-provided data.`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
			`== Noncompliant Code Example`

Modify rule S5146 - Support Location header (#315) 2021-11-05 14:12:29 +01:00			`Symfony`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
Modify rule S5146 - Support Location header (#315) 2021-11-05 14:12:29 +01:00			`public function redirect(Request $request)`
			`{`
			`$url = $request->query->get('url');`
			`return $this->redirect($url); // Noncompliant`
			`}`

			`public function setLocatioHeader(Request $request)`
			`{`
			`$url = $request->query->get('url');`
			`$response = new Response('Redirecting...', 302);`
			`$response->headers->set('Location', $url); // Noncompliant`
			`return $response;`
			`}`
			`----`

			`Laravel`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Modify rule S5146 - Support Location header (#315) 2021-11-05 14:12:29 +01:00			`----`
			`public function redirect(Request $request)`
			`{`
			`$url = $request->input('url');`
			`return $this->redirect($url); // Noncompliant`
			`}`

			`public function setLocatioHeader(Request $request)`
			`{`
			`$url = $request->input('url');`
			`return response("", 302)`
			`->header('Location', $url) // Noncompliant`
			`}`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`

			`== Compliant Solution`

Modify rule S5146 - Support Location header (#315) 2021-11-05 14:12:29 +01:00			`Symfony`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Modify rule S5146 - Support Location header (#315) 2021-11-05 14:12:29 +01:00			`----`
			`public function redirect(Request $request)`
			`{`
			`$url = $request->query->get('url');`
			`$allowedUrls = ["/index", "/login", "/logout"];`

			`if (in_array($url, $allowedUrls, true)) {`
			`return $this->redirect($url);`
			`} else {`
			`$this->redirect("/");`
			`}`
			`}`
			`----`

			`Laravel`
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,php]`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
Modify rule S5146 - Support Location header (#315) 2021-11-05 14:12:29 +01:00			`public function redirect(Request $request)`
			`{`
			`$url = $request->input('url');`
			`$allowedUrls = ["/index", "/login", "/logout"];`

			`if (in_array($url, $allowedUrls, true)) {`
			`return $this->redirect($url);`
			`} else {`
			`return redirect("/");`
			`}`
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`}`
			`----`

			`include::../see.adoc[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::../highlighting.adoc[]`

			`endif::env-github,rspecator-view[]`