findsecbugs:UNVALIDATED_REDIRECT and context path #95
Comments
Great suggestion. It could also be the suggested code in the description for open direct.
What is "open direct"?
The analysis does not take conditions in conditional statements into account, so I'm afraid this will stay unsupported in the near future.
@formanek Considering the following cases should be safe from Open redirect:
or
or
It is not possible to redirect to another domain using this code because adding an external URL would create : There is one caveat to consider. /cc @trajano As @formanek mentions, it will not be by looking at the condition that this case will be eliminated.
ya you need to ensure somehow that the redirect URI has been checked to make sure it was marked as
One thing I have to fix on mine but need to check as well on findsecbugs. I realize that I don't think we need to check that
@h3xstream Nice idea, but I'm not sure how to detect prefix in bytecode - maybe something like values between the last call of Tracking what was checked probably would be possible by rewriting some methods of classes, which I'm only extending now, and creating temporary attributes removed at the end of block, but it probably wouldn't be easy and I prefer implementing other improvements earlier (I will open issues for some of them tomorrow).
@beauchef Please provide a code sample to illustrate your implementation.
@h3xstream hello Philippe. We ended up ignoring the error. I use Spring Social to create the OAuth2 URL to Google. In OAuth, you have the possibility to pass a state to the OAuth provider. I bundle all the request parameters into this state, to Google, so when Google calls me back, I get my state back. But I am redirecting to Google. I don't create the redirect URL myself. So basically, my redirect URL is constructed this way:

```java
import org.springframework.social.connect.ConnectionFactoryLocator;
import org.springframework.social.connect.support.OAuth2ConnectionFactory;
import org.springframework.social.oauth2.GrantType;
import org.springframework.social.oauth2.OAuth2Operations;
import org.springframework.social.oauth2.OAuth2Parameters;

// locator is a Spring-injected ConnectionFactoryLocator; scope and callbackUrl come from configuration
OAuth2ConnectionFactory<?> connectionFactory =
        (OAuth2ConnectionFactory<?>) locator.getConnectionFactory("google");
OAuth2Operations oauthOperations = connectionFactory.getOAuthOperations();
OAuth2Parameters params = new OAuth2Parameters();
params.setScope(scope);
params.setRedirectUri(callbackUrl);
params.setState(state);                 // base64 JSON of the original request parameters
String redirectUrl = oauthOperations.buildAuthorizeUrl(GrantType.AUTHORIZATION_CODE, params);
```

The locator is a Spring injected service. The scope and callbackUrl are configurations. The state is the base64 JSON of all the request parameters. So when Google calls me back, I get all the original request parameters.
I have a redirect that is based on the context path of the request. The context path is not user entered and will be set to whatever the context is being used.
In addition, the URI being assembled with it has already been normalized, verified that it is not absolute and starts with a path separator. As such the following code should not trigger the warning.
Full code can be found in https://github.com/trajano/jaspic-tester/blob/master/test-server-auth-module/src/main/java/net/trajano/auth/TestServerAuthModule.java#L136
The rule finds the error three times in the file.
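As an added example (not code from jaspic-tester or from findsecbugs), this is the shape of the check the issue describes: the redirect target is parsed and normalized, anything with a scheme or authority is refused, the path must start with a separator, and only then is the context path prefixed. The class and method names are hypothetical, and the context path is passed in as a String rather than read from HttpServletRequest so the snippet compiles without a servlet container.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class ContextPathRedirect {

    // Hypothetical helper: contextPath is what HttpServletRequest.getContextPath()
    // would return; candidate is the path the application intends to redirect to.
    // Returns the local Location value, or null when the candidate cannot be shown
    // to stay on this host (the caller should then fall back to a fixed page).
    public static String localRedirect(String contextPath, String candidate) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        URI uri;
        try {
            uri = new URI(candidate).normalize();   // parse and collapse "." / ".." segments
        } catch (URISyntaxException e) {
            return null;                            // backslashes, spaces, etc.: refuse
        }
        // Anything carrying a scheme or an authority leaves the host:
        // "https://host/", "javascript:..." and the scheme-relative "//host/".
        if (uri.isAbsolute() || uri.getRawAuthority() != null) {
            return null;
        }
        String path = uri.getRawPath();
        // Must start with a path separator so the browser resolves it against
        // the current origin; "//host" was already rejected above as an authority.
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        // normalize() keeps a leading ".." it cannot resolve ("/a/../../b" -> "/../b");
        // such a path would climb out of the context path, so refuse it too.
        if (path.startsWith("/..")) {
            return null;
        }
        StringBuilder target = new StringBuilder(contextPath).append(path);
        if (uri.getRawQuery() != null) {
            target.append('?').append(uri.getRawQuery());
        }
        return target.toString();
    }

    public static void main(String[] args) {
        String ctx = "/myapp";   // constructed sample context path
        String[] candidates = { "/login?next=1", "/a/./b/../c", "//example.org/",
                                "https://example.org/", "/a/../../b" };
        for (String c : candidates) {
            System.out.println(c + " -> " + localRedirect(ctx, c));
        }
    }
}
```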