rspec/rules/S5144/common/pitfalls/starts-with.adoc

==== The trap of 'StartsWith' and equivalents

When validating untrusted URLs by checking if they start with a trusted scheme
and authority pair `scheme://authority`, **ensure that the validation string
contains a path separator `/` as the last character**. +

If the validation string does not contain a terminating path separator, the
SSRF vulnerability remains; only the exploitation technique changes.

Thus, a validation like `startsWith("https://example.com")` or an equivalent
with the regex `^https://example\.com.*` can be exploited with the following
URL `https://example.commit.malicious.io`.
Modify Education Rules S514{4,6}: Add trailing slash pitfall (#1262) 2022-09-15 14:25:49 +02:00			`==== The trap of 'StartsWith' and equivalents`

			`When validating untrusted URLs by checking if they start with a trusted scheme`
			and authority pair `scheme://authority`, **ensure that the validation string
			contains a path separator `/` as the last character**. +

			`If the validation string does not contain a terminating path separator, the`
			`SSRF vulnerability remains; only the exploitation technique changes.`

			Thus, a validation like `startsWith("https://example.com")` or an equivalent
			with the regex `^https://example\.com.*` can be exploited with the following
			URL `https://example.commit.malicious.io`.