Go

Made by DeepSource

Open URL Redirect GO-S1003

Security
Major
a03 cwe-601 owasp top 10

Incorporating user input into a URL redirect request without validating the input can encourage phishing attacks. In these attacks, attackers can redirect unsuspecting users to a malicious site that looks very similar to the actual site they intend to visit, but the attacker controls it.

To guard against untrusted URL redirection, avoid placing user input directly into a redirect URL. Instead, keep a server-side list of authorized redirect destinations and use the user input only to select one of them.

Bad practice

package main

import "net/http"

func serve() {
    http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
        r.ParseForm()
        // The untrusted TARGET parameter flows unchecked into the Location header
        http.Redirect(w, r, r.Form.Get("TARGET"), http.StatusFound)
    })
}

Recommended

package main

import (
    "log"
    "net/http"
    "net/url"
)

func serve() {
    http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
        r.ParseForm()
        target, err := url.Parse(r.Form.Get("TARGET"))
        if err != nil {
            // Reject the request; continuing here would dereference a nil target
            log.Println("URL parse:", err)
            http.Error(w, "invalid redirect target", http.StatusBadRequest)
            return
        }

        // Much safer, as only a very small set of authorized redirects is allowed
        switch target.Hostname() {
        case "deepsource.io":
            http.Redirect(w, r, target.String(), http.StatusFound)
        case "xyz":
            http.Redirect(w, r, "xyz", http.StatusFound)
        default:
            // ...
        }
    })
}
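The allowlist above checks only the hostname, so it is worth seeing how the same idea holds up against the inputs an open-redirect check typically trips over: scheme-less "//host" references, backslash paths, non-http schemes and userinfo tricks. The following is an added example, not DeepSource's own code; SafeRedirectTarget, redirectHandler and the allowedHosts values are assumed names and constructed sample data.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// allowedHosts is the server-side allowlist of redirect destinations
// (constructed sample values; substitute your own hosts).
var allowedHosts = map[string]bool{"deepsource.io": true}

// SafeRedirectTarget validates an untrusted redirect target. It accepts an
// absolute http(s) URL whose host is on the allowlist, or a site-relative
// path, and returns the target plus whether it passed validation.
func SafeRedirectTarget(raw string, allowed map[string]bool) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false
	}
	switch u.Scheme {
	case "http", "https":
		// Hostname() strips the port and ignores userinfo, so
		// "https://deepsource.io@evil.example" resolves to evil.example.
		return u.String(), allowed[strings.ToLower(u.Hostname())]
	case "":
		// Scheme-less input: accept only a path starting with a single "/".
		// "//evil.example" parses as a host, and browsers treat "/\evil.example"
		// as a network-path reference, so both are rejected here.
		if u.Host == "" && strings.HasPrefix(u.Path, "/") &&
			!strings.HasPrefix(u.Path, "//") && !strings.HasPrefix(u.Path, "/\\") {
			return u.String(), true
		}
		return "", false
	default:
		// javascript:, data:, ftp: and every other scheme are refused.
		return "", false
	}
}

// redirectHandler is the hardened form of the page's /redirect handler.
func redirectHandler(w http.ResponseWriter, r *http.Request) {
	target, ok := SafeRedirectTarget(r.FormValue("TARGET"), allowedHosts)
	if !ok {
		http.Error(w, "invalid redirect target", http.StatusBadRequest)
		return
	}
	http.Redirect(w, r, target, http.StatusFound)
}
```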

References