Unsanitized user input in redirect

• Rule ID: ruby_rails_open_redirect
• Languages: ruby
• Source: open_redirect.yml

Description

A redirect using unsanitized user input is bad practice and puts your application at greater risk of phishing attacks.

Remediations

❌ Do not use unsanitized user input when constructing redirect URLs

✅ Instead, ensure the input is validated by using a safe list or a mapping

  transport_path = case params[:transport_type]
    when "planes"
      planes_path
    when "trains"
      trains_path
    when "automobiles"
      automobiles_path
    default
      root
    end

  redirect_to transport_path

Resources

• OWASP open redirect

Associated CWE

• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

OWASP Top 10

• A01:2021 - Broken Access Control

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=ruby_rails_open_redirect

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=ruby_rails_open_redirect