Redirect URLs should be carefully vetted to ensure that malicious user input cannot cause a site to redirect to arbitrary domains.

Often the validation is done by checking that the redirect URL begins with a `/`, which is usually an absolute redirect on the same host. But browsers interpret URLs starting with `//` or `/\` as complete URLs, and hence a redirect to `//deepsource.io` will redirect to `https://deepsource.io`, which should be avoided as the URL could be malicious as well. Thus, redirect checks must also check the second character of redirect URLs and, if present, sanitize the URL.
```go
// Bad practice: only the first character is checked, so "//deepsource.io"
// and "/\deepsource.io" pass through and the browser treats them as
// absolute URLs on another host.
func sanitizeURL(URL string) string {
	if len(URL) > 0 && URL[0] == '/' {
		return URL
	}
	return "/"
}
```
```go
// Recommended: also reject a second character of '/' or '\' so that
// scheme-relative URLs ("//host") and their backslash variant ("/\host")
// fall back to the safe default.
func sanitizeURL(URL string) string {
	if len(URL) > 1 && URL[0] == '/' && URL[1] != '/' && URL[1] != '\\' {
		return URL
	}
	return "/"
}
```
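The following is an added example, not code from the rule page or from DeepSource, showing why the second-character check is still needed even when the redirect target is run through `net/url`: Go's parser recognises `//deepsource.io` as a host, but leaves `/\deepsource.io` as a plain path, which a browser would nevertheless treat as `//deepsource.io`. The function names `parsesAsExternal`, `isSafeLocalRedirect` and `sanitizeRedirect` and the sample inputs are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
)

// parsesAsExternal reports whether net/url alone would treat target as
// pointing at another host. It is here to show the gap: "//host" is
// detected, "/\host" is not, because Go keeps the backslash in the path.
func parsesAsExternal(target string) bool {
	u, err := url.Parse(target)
	if err != nil {
		// Unparseable input is treated as unsafe by the caller anyway.
		return true
	}
	return u.Scheme != "" || u.Host != ""
}

// isSafeLocalRedirect combines the byte checks from the rule text with a
// parse-based check: the target must start with a single '/', the second
// byte must not be '/' or '\', and parsing must yield no scheme or host.
func isSafeLocalRedirect(target string) bool {
	if len(target) == 0 || target[0] != '/' {
		return false
	}
	if len(target) > 1 && (target[1] == '/' || target[1] == '\\') {
		return false
	}
	// Belt and braces: after the prefix checks a scheme or host cannot
	// appear, but this keeps the function correct if the prefix logic is
	// edited later.
	return !parsesAsExternal(target)
}

// sanitizeRedirect returns target when it is a safe same-host path and
// the fallback "/" otherwise.
func sanitizeRedirect(target string) string {
	if isSafeLocalRedirect(target) {
		return target
	}
	return "/"
}

func main() {
	// Constructed sample inputs for illustration; not data from the page.
	inputs := []string{
		"/account",
		"/",
		"//deepsource.io",
		"/\\deepsource.io",
		"///deepsource.io",
		"https://deepsource.io",
		"",
	}
	for _, in := range inputs {
		fmt.Printf("%-24q parsesAsExternal=%-5v -> %q\n",
			in, parsesAsExternal(in), sanitizeRedirect(in))
	}
}
```

Running it shows `parsesAsExternal` returning `true` for `//deepsource.io` but `false` for `/\deepsource.io`, while `sanitizeRedirect` falls back to `/` for both; relying on the parser alone would have let the backslash form through.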