rspec/rules/S2085/rule.adoc

Web applicaitons that send redirects should neutralize any values taken from a request before using them in redirects. Failing to do so could make it easier for attackers to launch phishing attacks from your site.


This rule checks that values extracted from a request are not unconditionally used directly in a redirect or other header fields.


== Noncompliant Code Example

[source,text]
----
protected void doGet(HttpServletRequest request, HttpServletResponse response) 
      throws ServletException, IOException {
  // ...
  String url = request.getParameter("url");
  response.sendRedirect(url);  // Noncompliant; request value used directly in redirect
----


== Compliant Solution

[source,text]
----
protected void doGet(HttpServletRequest request, HttpServletResponse response) 
      throws ServletException, IOException {
  // ...
  String url = request.getParameter("url");
  if (url.matches(OKAY_URL_REGEX)) {
    response.sendRedirect(url);  // Compliant; value used conditionally
  }
----
or

[source,text]
----
protected void doGet(HttpServletRequest request, HttpServletResponse response) 
      throws ServletException, IOException {
  // ...
  String url = request.getParameter("url");
  response.sendRedirect(scrubRedirect(url));  // Compliant; method presumed to sanitize input
----


== See

* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)[OWASP Top 10 2017 Category A7] - Cross-Site Scripting (XSS)
* https://cwe.mitre.org/data/definitions/601[MITRE, CWE-601] - URL Redirection to Untrusted Site
* https://www.sans.org/top25-software-errors/#cat1[SANS Top 25] - Insecure Interaction Between Components
* Derived from FindSecBugs rule https://h3xstream.github.io/find-sec-bugs/bugs.htm#UNVALIDATED_REDIRECT[Unvalidated Redirect]