
Open Redirect in Go Lang

Prevention

Unless a third-party library handles this, developers must implement their own check to determine whether the user-controlled string is a local path or not. If the set of URLs that redirection is permitted to target is known, implement an allow list of those URLs.

The following solution illustrates how to ensure the URL is relative:

import "strings"

// isLocal reports whether path is site-relative: it must begin with a single "/"
// and must not begin with "//", which browsers treat as a protocol-relative URL
// pointing at another host.
func isLocal(path string) bool {
    return strings.HasPrefix(path, "/") && !strings.HasPrefix(path, "//")
}

It is generally safer to allow only absolute paths (those beginning with a single "/"), taking care to reject protocol-relative URLs such as "//example.com", which have no scheme but still resolve to an external website in the browser.
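The following is an added example that is not part of the original page: a complete login handler that combines the relative-path check above with an allow list of external hosts. Names such as isLocalPath, isAllowedExternal, safeRedirectTarget, loginHandler and the host docs.example.com are assumptions made for the example. Beyond the page's check, it also rejects a leading "/\" (which browsers following the WHATWG URL parser normalise to "//") and re-parses the value with net/url as a second line of defence, and it keeps the fallback redirect on the same site.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// isLocalPath reports whether target is a site-relative path: it must start
// with exactly one "/" and not with "//" or "/\", both of which browsers
// resolve as protocol-relative URLs pointing at another host.
func isLocalPath(target string) bool {
	if !strings.HasPrefix(target, "/") {
		return false
	}
	if strings.HasPrefix(target, "//") || strings.HasPrefix(target, "/\\") {
		return false
	}
	// Defence in depth: parse the value and confirm no scheme, host or
	// userinfo survived the prefix checks.
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return u.Scheme == "" && u.Host == "" && u.User == nil
}

// allowedHosts is a constructed allow list of external hosts the application
// is permitted to redirect to (assumption for this example).
var allowedHosts = map[string]bool{
	"docs.example.com": true,
}

// isAllowedExternal reports whether target is an absolute https URL whose
// host is on the allow list. Userinfo is rejected so that
// "https://docs.example.com@evil.example/" cannot pass as the trusted host.
func isAllowedExternal(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		return false
	}
	return u.Scheme == "https" && u.User == nil && allowedHosts[u.Hostname()]
}

// safeRedirectTarget returns target when it is a local path or an
// allow-listed URL, and fallback otherwise.
func safeRedirectTarget(target, fallback string) string {
	if isLocalPath(target) || isAllowedExternal(target) {
		return target
	}
	return fallback
}

// loginHandler reads the user-controlled "next" parameter and redirects only
// to a validated destination, defaulting to the site root.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	next := safeRedirectTarget(r.URL.Query().Get("next"), "/")
	http.Redirect(w, r, next, http.StatusFound)
}

func main() {
	// Constructed sample inputs: two legitimate targets and three attempts
	// to leave the site. Each is sent through the handler with an in-memory
	// request so the program runs to completion without opening a port.
	samples := []string{
		"/account?tab=security",
		"https://docs.example.com/guide",
		"//evil.example/x",
		"/\\evil.example",
		"https://docs.example.com@evil.example/",
	}
	for _, next := range samples {
		req := httptest.NewRequest(http.MethodGet, "/login?next="+url.QueryEscape(next), nil)
		rec := httptest.NewRecorder()
		loginHandler(rec, req)
		fmt.Printf("%-40q -> %s\n", next, rec.Header().Get("Location"))
	}
}
```

Running the program prints the Location header chosen for each sample; the three hostile values all collapse to "/" while the two legitimate ones pass through unchanged. Note that the allow list compares u.Hostname(), so a lookalike such as docs.example.com.evil.example does not match.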

References

OWASP - Unvalidated Redirects and Forwards
MITRE - CWE-601