safe redirect_to (open redirector)
瀏覽次數:23 次
跳到第一則未讀訊息
Mike Campbell
2016年8月8日 上午11:46:422016/8/8
收件者:Ruby on Rails: Core
Sometimes apps have some functionality that introduces an open redirector, what I mean by that is that it will redirect to a URL supplied by the user in the parameters. This is unsafe for a number of reasons; phishing, XSS, see here: https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet#Redirects_and_Forwards
The common solution is to have a whitelist of permitted hosts or URIs (as with OAuth 2.0 https://tools.ietf.org/html/rfc6819#section-5.2.3.5). Is this something that you might be interested having built into Rails if I was to submit a PR? I was thinking something along the lines of:
and then any time redirect_to is called the host is automatically validated against the whitelist and probably an error raised if validation fails? maybe some protocol validation too.
The impotus behind bringing it into Rails would be to standardize on it, as it's security related, ensuring best practice for all users.
The common solution is to have a whitelist of permitted hosts or URIs (as with OAuth 2.0 https://tools.ietf.org/html/rfc6819#section-5.2.3.5). Is this something that you might be interested having built into Rails if I was to submit a PR? I was thinking something along the lines of:
config.whitelisted_redirect_hosts = %w{*.app.net auth.company.org}and then any time redirect_to is called the host is automatically validated against the whitelist and probably an error raised if validation fails? maybe some protocol validation too.
The impotus behind bringing it into Rails would be to standardize on it, as it's security related, ensuring best practice for all users.
回覆所有人
回覆作者
轉寄
0 則新訊息