redirect-to-request-uri.yaml

rules:
- id: redirect-to-request-uri
  patterns:
  - pattern-either:
    - pattern: |
        header('$LOCATION' . $_SERVER['REQUEST_URI']);
    - pattern: |
        header('$LOCATION' . $_SERVER['REQUEST_URI'] . $MORE);
  - metavariable-regex:
      metavariable: $LOCATION
      regex: '^(?i)location:\s*$'
  message: >-
    Redirecting to the current request URL may redirect to another domain, if
    the current path starts with two slashes. 
    E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI
    is //attacker.com, and redirecting to it will redirect to that domain.
  metadata:
    references:
    - https://www.php.net/manual/en/reserved.variables.server.php
    - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html
    category: security
    technology:
    - php
    owasp:
    - A05:2017 - Broken Access Control
    - A01:2021 - Broken Access Control
    cwe:
    - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
    likelihood: MEDIUM
    impact: LOW
    confidence: MEDIUM
    subcategory:
      - vuln
  languages: [php]
  severity: WARNING