
Improve ruby_rails_open_redirect accuracy #179

Open
gotbadger opened this issue Nov 13, 2023 · 1 comment
Assignees
Labels
enhancement New feature or request Ruby

Comments

@gotbadger
Contributor

gotbadger commented Nov 13, 2023

Description & Reproduction

Rails 7 now has open redirect protection, meaning the redirect path is evaluated at runtime and external URLs are blocked:

https://api.rubyonrails.org/classes/ActionController/Redirecting.html#method-i-redirect_to-label-Open+Redirect+protection

As such, we should only flag open redirects that have allow_other_host: true enabled. However, we should consider if this is appropriate since some folks may not be on Rails 6 or below.

Expected Behavior

redirect_to request.referer, allow_other_host: true

Raises a finding

Actual Behavior

redirect_to request.referer

Raises a finding
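Added example, not code from this issue or from the bearer-rules project: a deliberately small, line-based check that mirrors the logic proposed above, with a `rails_major` switch for the "folks on older Rails" caveat. It assumes a Rails 7 app with `raise_on_open_redirects` enabled (the Rails 7.0 framework default); the source-pattern list and the sample controller are constructed for the demonstration.

```ruby
# Added example, not the bearer-rules project's code: a small line-based check that
# mirrors the logic proposed in this issue. A real rule works on the parsed AST; this
# only shows which redirect_to calls a Rails 7-aware rule should report.

# Destinations a user can influence (constructed list, not exhaustive).
USER_CONTROLLED = /\b(?:params\b|request\.(?:referer|referrer|headers|query_parameters)\b|cookies\b)/

# Rails 7 apps with raise_on_open_redirects enabled refuse cross-host redirects
# unless the call passes allow_other_host: true, so only those calls remain open
# redirects. On Rails 6 and earlier every user-controlled redirect_to is reported.
def open_redirect_findings(source, rails_major: 7)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next unless line.match?(/\bredirect_to\b/)
    next unless line.match?(USER_CONTROLLED)
    allows_other_host = line.match?(/allow_other_host:\s*true\b/)
    next if rails_major >= 7 && !allows_other_host
    findings << {
      line: lineno,
      code: line.strip,
      reason: allows_other_host ? "allow_other_host: true disables the Rails 7 protection" : "no runtime open redirect protection before Rails 7"
    }
  end
  findings
end

# Constructed sample controller covering the issue's expected and actual cases.
SAMPLE_CONTROLLER = <<~RUBY
  class SessionsController < ApplicationController
    def destroy
      redirect_to request.referer, allow_other_host: true
    end

    def back
      redirect_to request.referer
    end

    def home
      redirect_to root_path
    end
  end
RUBY

if __FILE__ == $PROGRAM_NAME
  open_redirect_findings(SAMPLE_CONTROLLER).each do |f|
    puts "line #{f[:line]}: #{f[:code]} -- #{f[:reason]}"
  end
end
```

With the default `rails_major: 7` only the `allow_other_host: true` call (line 3 of the sample) is reported; with `rails_major: 6` the bare `redirect_to request.referer` (line 7) is reported as well, and `redirect_to root_path` is never flagged.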

@gotbadger gotbadger added bug Something isn't working Ruby labels Nov 13, 2023
@cfabianski
Collaborator

Remember we can do this https://github.com/Bearer/bearer-rules/blob/main/rules/javascript/third_parties/dom_purify.yml#L20-L24 :)

@gotbadger gotbadger self-assigned this Feb 22, 2024
@gotbadger gotbadger added enhancement New feature or request and removed bug Something isn't working labels Feb 29, 2024