
findsecbugs:UNVALIDATED_REDIRECT and context path #95

@trajano

Description

I have a redirect that is based on the context path of the request. The context path is not user entered and will be set to whatever context is being used.

In addition, the URI being assembled with it has already been normalized and verified that it is not absolute and starts with a path separator. As such, the following code should not trigger the warning.

    // 'state' is the caller-supplied return path; normalize() resolves "." and ".." segments
    final URI stateUri = URI.create(state).normalize();
    if (stateUri.isAbsolute()) {
        throw new AuthException("'state' must not be an absolute URI");
    }
    if (!stateUri.getPath().startsWith("/")) {
        throw new AuthException("'state' must start with '/'");
    }
    // The context path is container-provided, not user input
    resp.sendRedirect(URI.create(req.getContextPath() + stateUri.toASCIIString()).normalize().toASCIIString());

Full code can be found in

https://github.com/trajano/jaspic-tester/blob/master/test-server-auth-module/src/main/java/net/trajano/auth/TestServerAuthModule.java#L136

The rule finds the error three times in the file.
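The following is an added example, not the issue author's code and not part of FindSecBugs; it shows the same validation as a self-contained method so the check can be exercised without a servlet container. The class name `LocalRedirect`, the method `buildLocalRedirect` and the sample inputs are assumptions made for the illustration. It also adds one check a reviewer would want alongside `isAbsolute()`: `java.net.URI.isAbsolute()` only reports whether a scheme is present, so a value such as `//attacker.example/x` is not absolute, has a path that starts with `/`, and would become a protocol-relative redirect whenever the context path is empty (the root context). Rejecting any `state` that carries an authority component closes that gap, and a final check on the assembled target confirms it is still host-relative.

```java
import java.net.URI;
import java.net.URISyntaxException;

/**
 * Added example (not the issue author's code): builds a redirect target from a
 * container-provided context path and a caller-supplied 'state' path, rejecting
 * anything that could send the browser to another host.
 */
public final class LocalRedirect {

    /** Thrown for any 'state' that is not a plain, host-relative path. */
    public static final class InvalidStateException extends IllegalArgumentException {
        InvalidStateException(String message) { super(message); }
    }

    /**
     * @param contextPath the servlet context path ("" for the root context), trusted
     * @param state       the caller-supplied return path, untrusted
     * @return an ASCII redirect target that is relative to the current host
     */
    public static String buildLocalRedirect(String contextPath, String state) {
        final URI stateUri;
        try {
            // normalize() resolves "." and ".." segments before any checks run
            stateUri = new URI(state).normalize();
        } catch (URISyntaxException e) {
            throw new InvalidStateException("'state' is not a valid URI: " + e.getMessage());
        }
        if (stateUri.isAbsolute()) {
            throw new InvalidStateException("'state' must not be an absolute URI");
        }
        // isAbsolute() only tests for a scheme. "//host/path" has no scheme but does
        // carry an authority, and with an empty context path it would be emitted as a
        // protocol-relative redirect, so reject it explicitly.
        if (stateUri.getRawAuthority() != null) {
            throw new InvalidStateException("'state' must not contain an authority component");
        }
        final String rawPath = stateUri.getRawPath();
        if (rawPath == null || !rawPath.startsWith("/")) {
            throw new InvalidStateException("'state' must start with '/'");
        }
        // Assemble exactly as the issue does: trusted context path + validated state
        final URI target = URI.create(contextPath + stateUri.toASCIIString()).normalize();
        // Defence in depth: the assembled target must still be host-relative
        if (target.getScheme() != null || target.getRawAuthority() != null) {
            throw new InvalidStateException("assembled redirect is not host-relative: " + target);
        }
        return target.toASCIIString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs for illustration only
        String[][] samples = {
            {"/app", "/home?x=1"},                  // accepted -> /app/home?x=1
            {"",     "/home"},                      // accepted -> /home
            {"",     "//attacker.example/phish"},   // rejected: authority present
            {"/app", "https://attacker.example/"},  // rejected: absolute URI
            {"/app", "../../etc"},                  // rejected: does not start with '/'
        };
        for (String[] sample : samples) {
            try {
                System.out.printf("context=%-5s state=%-28s -> %s%n",
                        "\"" + sample[0] + "\"", sample[1], buildLocalRedirect(sample[0], sample[1]));
            } catch (InvalidStateException e) {
                System.out.printf("context=%-5s state=%-28s -> REJECTED (%s)%n",
                        "\"" + sample[0] + "\"", sample[1], e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac LocalRedirect.java && java LocalRedirect`. The two accepted samples print their assembled targets; the other three are rejected, and the third one is the case that `isAbsolute()` plus the leading-slash test alone would let through.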

Labels

enhancement: New feature or improvement to existing detector.
false-positive: Something that should not report.