Roundup Tracker - Issues

Message6940

Author: rouilj
Recipients: antmail, rouilj
Date: 2020-08-13.02:48:03
Message-id: <1597286883.93.0.445343641001.issue2550951@roundup.psfhosted.org>
In-reply-to:
Consider:

https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html

* Where possible, have the user provide short name, ID or token which
  is mapped server-side to a full target URL.

  * This provides the highest degree of protection against the
    attack tampering with the URL.
  * Be careful that this doesn't introduce an enumeration
    vulnerability where a user could cycle through IDs to find all
    possible redirect targets.

By prepending the site url, I am attempting to use a short name in the
redirect. This also recommends:

Validating URLs

When attempting to validate and sanitise user-input to determine
whether the URL is safe, wherever possible you should use a built-in
library or function to parse the URLs, such as parse_url() in PHP,
rather than rolling your own parser using regex. Additionally, make
sure that you take the following into account:

  * Input starting with a / to redirect to local pages is not safe.
    //example.org is a valid URL.
  * Input starting with the desired domain name is not safe.
    https://example.org.attacker.com is valid.
  * Only allow HTTP(S) protocols. All other protocols, including
    JavaScript URIs such as javascript:alert(1) should be blocked.
  * Data URIs such as data:text/html,<script>alert(document.domain)</script>
    should be blocked.

I think my technique is guarding against all of these, but it needs to
be tested.
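The following is an added example, not Roundup's code and not the technique as rouilj implemented it. It puts the two OWASP recommendations quoted above side by side in Python (Roundup's language): a server-side short-name table, and a prepend-the-site-URL check verified with urllib.parse rather than a regex. It runs each of the four cheat-sheet inputs through a naive urljoin and through the checked version so the difference is visible. SITE_URL, the SHORT_NAMES table and the sample inputs are constructed placeholders.

```python
# Added example (not Roundup's own code): checking a redirect target against
# the OWASP cases quoted in the message. SITE_URL, SHORT_NAMES and SAMPLES
# are constructed placeholders.
from urllib.parse import urlsplit, urljoin

SITE_URL = "https://tracker.example.org/"  # constructed; the trailing slash matters
_BASE = urlsplit(SITE_URL)

# Cheat-sheet option 1: a short name mapped server-side to the full target.
# Constructed table; the keys are the only values a user may supply.
SHORT_NAMES = {
    "home": "index",
    "issues": "issue?@template=index",
}


def resolve_short_name(name):
    """Return the full URL for an allow-listed short name, else None."""
    target = SHORT_NAMES.get(name)
    return None if target is None else SITE_URL + target


def naive_redirect(target):
    """What NOT to do: urljoin honours absolute and protocol-relative URLs,
    so user input can steer the redirect off-site."""
    return urljoin(SITE_URL, target)


def safe_redirect(target):
    """Prepend SITE_URL to a user-supplied path and verify the result with
    urllib.parse. Returns the final URL, or None when the input is rejected."""
    # CR/LF and other control characters could split the Location header.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return None
    parts = urlsplit(target)
    # Anything carrying its own scheme (javascript:, data:, https:) or its own
    # authority (//example.org) is not a local path: reject it outright.
    if parts.scheme or parts.netloc:
        return None
    # Strip leading slashes and backslashes so the value always lands under
    # SITE_URL, even if a browser later treats "\" as "/".
    candidate = SITE_URL + target.lstrip("/\\")
    final = urlsplit(candidate)
    # Post-condition: scheme and host of the result must still be ours.
    if final.scheme not in ("http", "https") or final.netloc != _BASE.netloc:
        return None
    return candidate


# Constructed inputs: one legitimate local page plus the four cheat-sheet cases.
SAMPLES = [
    "issue2550951",
    "//example.org",
    "https://example.org.attacker.com",
    "javascript:alert(1)",
    "data:text/html,<script>alert(document.domain)</script>",
]


def run_checks():
    """Map each sample input to (naive result, checked result)."""
    return {s: (naive_redirect(s), safe_redirect(s)) for s in SAMPLES}


if __name__ == "__main__":
    for target, (naive, checked) in run_checks().items():
        print(f"{target!r:58} naive={naive!r:42} checked={checked!r}")
```

Only the first sample survives safe_redirect; the naive urljoin hands back an off-site https URL for the first two attack cases and returns the javascript: and data: inputs untouched, which is exactly the open redirect the cheat sheet warns about. The short-name table remains the stronger option because the user never supplies any part of the URL at all.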
History

Date                | User   | Action | Args
2020-08-13 02:48:03 | rouilj | set    | messageid: <1597286883.93.0.445343641001.issue2550951@roundup.psfhosted.org>
2020-08-13 02:48:03 | rouilj | set    | recipients: + rouilj, antmail
2020-08-13 02:48:03 | rouilj | link   | issue2550951 messages
2020-08-13 02:48:03 | rouilj | create |