fix: prevent open redirect via redirect query parameter#165

Open
tranquac wants to merge 1 commit into m0bilesecurity:master from tranquac:fix/open-redirect

Conversation

@tranquac

Summary

Prevent open redirect by validating the redirect query parameter before redirecting.

Problem

The redirect handler passes the user-supplied redirect query parameter directly to res.redirect without validation:

let redirect_url = req.query.redirect;
return res.redirect(redirect_url);

An attacker can redirect users to malicious external sites:

http://rms-server:5000/endpoint?redirect=https://evil.com/phish

Fix

Validate that the redirect URL is a relative path by rejecting URLs starting with // or containing ://:

if (!redirect_url || redirect_url.startsWith('//') || redirect_url.includes('://')) {
    redirect_url = '/';
}

Impact

  • Type: Open Redirect (CWE-601)
  • Risk: Phishing via trusted domain redirect
  • OWASP: A01:2021 — Broken Access Control

Signed-off-by: tranquac <tranquac@users.noreply.github.com>