
Open Redirect in Ruby

Prevention

Rails 7.0 and later raise ActionController::Redirecting::UnsafeRedirectError when redirect_to receives a URL whose host differs from the request's (config.action_controller.raise_on_open_redirects; an individual call can opt out with allow_other_host: true). Applications on older versions, or ones that must accept a few external destinations, cannot lean on the framework and need their own check that decides whether the user-controlled string is a local path or a permitted destination. If the set of permitted redirect targets is known, implement an allow list of their hosts, as shown below:

allowed_hosts = [
  "secureflag.com",
  "owasp.secureflag.com",
]

# URI.parse raises URI::InvalidURIError on malformed input; treat that
# exactly like a host that is not on the list.
uri = begin
  URI.parse(params[:url].to_s)
rescue URI::InvalidURIError
  nil
end

# Hostnames are case-insensitive, so compare in lowercase. A missing host
# (relative path, "javascript:" URL, unparsable input) or a non-http(s)
# scheme is rejected as well.
unless uri&.host && %w[http https].include?(uri.scheme) && allowed_hosts.include?(uri.host.downcase)
  raise ActionController::RoutingError, "redirect target not allowed"
end

redirect_to params[:url]

It is also possible to check whether a URL points to a legitimate route of the application with Rails.application.routes.recognize_path, which returns the matched route's parameters (controller, action and any dynamic segments) and raises ActionController::RoutingError when nothing matches. Two details matter when using it for redirect validation. First, recognize_path accepts absolute URLs and matches only their path component, so "http://evil.com/dashboard" is recognized whenever "/dashboard" is a route; the candidate must therefore be restricted to a relative path before it is checked. Second, the value passed to redirect_to must be the validated string itself, not the params hash that recognize_path returns. The example below defines a custom function post_authentication_redirect_path that applies both rules before the login action redirects to the result.

def post_authentication_redirect_path(default_path: home_dashboard_index_path)
  path = params[:url].presence || default_path

  # recognize_path also accepts absolute URLs and matches on their path,
  # so only allow a relative path: one leading "/" (not "//evil.com") and
  # no backslash, which browsers treat as "/".
  return default_path unless path.start_with?("/") && !path.start_with?("//") && !path.include?("\\")

  # Raises ActionController::RoutingError when no route matches. The
  # returned params hash is discarded; the validated path is what we use.
  Rails.application.routes.recognize_path(path)
  path
rescue ActionController::RoutingError
  default_path
end

def login
  # If login is successful
  redirect_to post_authentication_redirect_path
end
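The two checks above, the host allow list for absolute URLs and route recognition for relative paths, combined into one validator. This is an added example, not code from the SecureFlag page or from Rails, and it goes slightly further than the text: it also rejects backslashes, userinfo in the authority, and schemes other than http(s). It is plain Ruby so it runs without Rails; the route recognizer is injected, and the STUB_ROUTES list, STUB_RECOGNIZER and the sample inputs are constructed for the demonstration. In a Rails controller the recognizer would be ->(path) { Rails.application.routes.recognize_path(path) }.

```ruby
require "uri"

# Added example (not SecureFlag's or Rails' code): one validator that combines
# a host allow list for absolute URLs with route recognition for relative
# paths. In a Rails app the recognizer would be
#   ->(path) { Rails.application.routes.recognize_path(path) }
# which raises ActionController::RoutingError for paths the app does not route.
class RedirectTargetValidator
  ALLOWED_SCHEMES = %w[http https].freeze

  def initialize(allowed_hosts:, recognizer:)
    @allowed_hosts = allowed_hosts.map(&:downcase)
    @recognizer = recognizer
  end

  # Returns the candidate string unchanged if it is safe to redirect to,
  # nil otherwise. The caller substitutes its own default for nil.
  def safe_target(candidate)
    return nil if candidate.nil? || candidate.empty?
    # Browsers treat "\" as "/", so "/\evil.com" is a protocol-relative URL
    # to evil.com; URI.parse does not know that, so reject it up front,
    # together with whitespace and control characters.
    return nil if candidate.include?("\\") || candidate.match?(/[[:cntrl:]\s]/)

    uri = URI.parse(candidate)
    if uri.scheme.nil? && uri.host.nil?
      # Relative target: exactly one leading "/" (so not "//evil.com"),
      # and the path component must be a route the application serves.
      return nil unless candidate.start_with?("/") && !candidate.start_with?("//")
      return nil unless routed?(uri.path)
    else
      # Absolute target: http(s) only, exact host match, no userinfo
      # ("http://secureflag.com@evil.com" has host evil.com; reject the
      # pattern outright rather than reason about it).
      return nil unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
      return nil unless uri.host && @allowed_hosts.include?(uri.host.downcase)
      return nil if uri.userinfo
    end
    candidate
  rescue URI::InvalidURIError
    nil
  end

  private

  def routed?(path)
    @recognizer.call(path)
    true
  rescue StandardError # ActionController::RoutingError in a Rails app
    false
  end
end

# Constructed stand-in for Rails.application.routes.recognize_path: the
# imaginary application routes only these three paths.
STUB_ROUTES = %w[/ /dashboard /account/settings].freeze
STUB_RECOGNIZER = lambda do |path|
  raise ArgumentError, "No route matches #{path}" unless STUB_ROUTES.include?(path)
  { controller: "stub", action: "show" }
end

VALIDATOR = RedirectTargetValidator.new(
  allowed_hosts: %w[secureflag.com owasp.secureflag.com], # hosts from the text
  recognizer: STUB_RECOGNIZER
)

# Counterpart of the page's post_authentication_redirect_path, taking the
# raw parameter instead of reading params[:url] inside a controller.
def post_authentication_redirect_path(url_param, default_path: "/dashboard")
  VALIDATOR.safe_target(url_param) || default_path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed legitimate and attacker-style inputs.
  [
    "/dashboard?tab=security", "/account/settings", "/not-a-route",
    "//evil.com", "/\\evil.com", "https://evil.com/dashboard",
    "http://secureflag.com@evil.com/", "javascript:alert(1)",
    "https://OWASP.secureflag.com/login", nil
  ].each do |input|
    puts "#{input.inspect.ljust(40)} -> #{post_authentication_redirect_path(input)}"
  end
end
```

Everything that is not a recognized local path or an http(s) URL to an exactly matching allow-listed host falls back to the default, which is the behaviour the page's function is meant to have; the relative branch deliberately checks the raw string for the leading slashes rather than trusting URI.parse to classify "//evil.com" as a path.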

References

OWASP - Unvalidated Redirects and Forwards Cheat Sheet
MITRE - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')