JavaScript: Improve query help for js/server-side-unvalidated-url-redirection.

2026-04-25 16:55:19 +02:00 · 2023-07-18 15:55:11 +01:00
parent ab1f341aa6
commit 7823ff968c
8 changed files with 73 additions and 5 deletions
--- a/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
+++ b/javascript/ql/src/Security/CWE-601/ServerSideUrlRedirect.qhelp
@@ -16,6 +16,10 @@ To guard against untrusted URL redirection, it is advisable to avoid putting use
 directly into a redirect URL. Instead, maintain a list of authorized
 redirects on the server; then choose from that list based on the user input provided.
 </p>
+<p>
+If this is not possible, then the user input should be validated in some other way,
+for example by verifying that the target URL is on the same host as the current page.
+</p>
 </recommendation>

 <example>
@@ -32,6 +36,13 @@ before doing the redirection:
 </p>

 <sample src="examples/ServerSideUrlRedirectGood.js"/>
+
+<p>
+Alternatively, we can check that the target URL does not redirect to a different host:
+</p>
+
+<sample src="examples/ServerSideUrlRedirectGood2.js"/>
+
 </example>

 <references>
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirect.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirect.js
@@ -1,6 +1,6 @@
 const app = require("express")();

-app.get('/some/path', function(req, res) {
+app.get('/redirect', function(req, res) {
  // BAD: a request parameter is incorporated without validation into a URL redirect
-  res.redirect(req.param("target"));
+  res.redirect(req.params["target"]);
 });
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood.js
@@ -2,9 +2,12 @@ const app = require("express")();

 const VALID_REDIRECT = "http://cwe.mitre.org/data/definitions/601.html";

-app.get('/some/path', function(req, res) {
+app.get('/redirect', function(req, res) {
  // GOOD: the request parameter is validated against a known fixed string
-  let target = req.param("target");
-  if (VALID_REDIRECT === target)
+  let target = req.params["target"]
+  if (VALID_REDIRECT === target) {
    res.redirect(target);
+  } else {
+    res.redirect("/");
+  }
 });
--- a/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
+++ b/javascript/ql/src/Security/CWE-601/examples/ServerSideUrlRedirectGood2.js
@@ -0,0 +1,15 @@
+const app = require("express")();
+
+function isLocalUrl(url) {
+  return url.startsWith("/") && !url.startsWith("//") && !url.startsWith("/\\");
+}
+
+app.get('/redirect', function(req, res) {
+  // GOOD: check that we don't redirect to a different host
+  let target = req.params["target"];
+  if (isLocalUrl(target)) {
+    res.redirect(target);
+  } else {
+    res.redirect("/");
+  }
+});