Incomplete Redirect URL validation GO-S1005

Security | Major | Autofix | a03 | cwe-601 | owasp top 10

Redirect URLs should be carefully vetted to ensure that malicious user input cannot cause a site to redirect to arbitrary domains.

Often the validation only checks that the redirect URL begins with a /, on the assumption that such a value is an absolute path on the same host. Browsers, however, treat a URL that begins with // as a scheme-relative (protocol-relative) URL, and for http(s) they also treat a backslash as a slash, so /\ is equivalent to //. A redirect to //deepsource.io therefore lands on https://deepsource.io, which is exactly the kind of external redirect the check was meant to prevent; the target could just as well be an attacker-controlled domain. Redirect checks must therefore also inspect the second character of the URL and reject or rewrite the value if it is / or \.

Bad practice

// Vulnerable: only the first byte is checked, so "//evil.example" and
// "/\evil.example" pass and the browser treats them as external URLs.
func sanitizeURL(URL string) string {
    if len(URL) > 0 && URL[0] == '/' {
        return URL
    }
    return "/"
}

Recommended

// The second byte must not be '/' or '\' (the backslash must be escaped
// as '\\' in a Go rune literal). A bare "/" still falls through to "/".
func sanitizeURL(URL string) string {
    if len(URL) > 1 && URL[0] == '/' && URL[1] != '/' && URL[1] != '\\' {
        return URL
    }
    return "/"
}
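The two-character check above is the minimum fix. A more robust approach, shown here as an added example rather than DeepSource's own code, is to let net/url parse the candidate and reject anything that carries a scheme, host, user info or opaque part, then serialize the remaining path, query and fragment. The function name SafeRedirect and the sample inputs in main are assumptions made for this example. Note the Go-specific caveat it handles: url.Parse deliberately keeps "///host" as a plain path with an empty host (RFC 3986), while browsers collapse any run of leading slashes into an authority, so a second leading slash still has to be rejected explicitly.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirect takes a user-supplied redirect target and returns one that is
// guaranteed to stay on the current host. Anything that is not a plain
// absolute path falls back to "/".
func SafeRedirect(candidate string) string {
	// Browsers treat '\' as '/' in http(s) URLs, so "/\evil.example" is
	// "//evil.example" to them. Normalize before parsing so net/url sees
	// what the browser will see.
	normalized := strings.ReplaceAll(candidate, `\`, "/")

	u, err := url.Parse(normalized)
	if err != nil {
		// url.Parse rejects control characters (tab, newline) outright;
		// browsers would strip them, which could uncover a hidden "//".
		return "/"
	}

	// "//evil.example", "https://evil.example", "https:/evil.example" and
	// "javascript:..." all populate Scheme, Host, User or Opaque.
	if u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return "/"
	}

	// Only absolute paths are acceptable ("evil.example/x" and "" are not),
	// and the path must not begin with a second slash: net/url parses
	// "///evil.example" as a path with an empty host, but a browser
	// resolves it to https://evil.example. u.Path is the decoded form, so
	// this also rejects "/%2F%2Fevil.example".
	if !strings.HasPrefix(u.Path, "/") || strings.HasPrefix(u.Path, "//") {
		return "/"
	}

	// With Scheme and Host empty, String() emits only path, query and
	// fragment, which is exactly a same-host redirect.
	return u.String()
}

func main() {
	// Constructed sample inputs covering the cases discussed above.
	for _, in := range []string{
		"/dashboard?tab=1",
		"//deepsource.io",
		`/\deepsource.io`,
		"///deepsource.io",
		"/%2F%2Fdeepsource.io",
		"\t//deepsource.io",
		"https://deepsource.io",
		"deepsource.io/x",
		"",
	} {
		fmt.Printf("%-25q -> %q\n", in, SafeRedirect(in))
	}
}
```

The parser-based check is deliberately conservative: a legitimate path that happens to start with an encoded slash is rejected along with the malicious ones, which is the right trade-off for a redirect target. If the application knows the set of valid post-login destinations, an allow-list of paths is stricter still and needs no URL parsing at all.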
