Python: Mention more sanitisation options in py/url-redirection qhelp.

[max-schaefer]

/cc @erik-krogh

[github-actions]

QHelp previews:

python/ql/src/Security/CWE-601/UrlRedirect.qhelp

URL redirection from remote source

Directly incorporating user input into a URL redirect request without validating the input can facilitate phishing attacks. In these attacks, unsuspecting users can be redirected to a malicious site that looks very similar to the real site they intend to visit, but which is controlled by the attacker.

Recommendation

To guard against untrusted URL redirection, it is advisable to avoid putting user input directly into a redirect URL. Instead, maintain a list of authorized redirects on the server; then choose from that list based on the user input provided.

If this is not possible, then the user input should be validated in some other way, for example, by verifying that the target URL does not include an explicit host name.

Example

The following example shows an HTTP request parameter being used directly in a URL redirect without validating the input, which facilitates phishing attacks:

from flask import Flask, request, redirect

app = Flask(__name__)

@app.route('/')
def hello():
    target = request.args.get('target', '')
    return redirect(target, code=302)

If you know the set of valid redirect targets, you can maintain a list of them on the server and check that the user input is in that list:

from flask import Flask, request, redirect

VALID_REDIRECT = "http://cwe.mitre.org/data/definitions/601.html"

app = Flask(__name__)

@app.route('/')
def hello():
    target = request.args.get('target', '')
    if target == VALID_REDIRECT:
        return redirect(target, code=302)
    else:
        # ignore the target and redirect to the home page
        return redirect('/', code=302)

Often this is not possible, so an alternative is to check that the target URL does not specify an explicit host name. For example, the Django framework provides a function url_has_allowed_host_and_scheme that can be used to check that a URL is safe to redirect to, as shown in the following example:

from django.http import HttpResponseRedirect
from django.shortcuts import redirect
from django.utils.http import url_has_allowed_host_and_scheme
from django.views import View

class RedirectView(View):
    def get(self, request, *args, **kwargs):
        target = request.GET.get('target', '')
        if url_has_allowed_host_and_scheme(target, allowed_hosts=None):
            return HttpResponseRedirect(target)
        else:
            # ignore the target and redirect to the home page
            return redirect('/')

Note that many browsers accept backslash characters (\) as equivalent to forward slash characters (/) in URLs, so it is important to account for this when validating the URL, for example by first replacing all backslashes with forward slashes. Django's url_has_allowed_host_and_scheme function does this automatically, but other libraries may not.

References

• OWASP: XSS Unvalidated Redirects and Forwards Cheat Sheet.
• Common Weakness Enumeration: CWE-601.

[erik-krogh]

LGTM.

But we could use a non-django example for how to check for missing hostname.

[max-schaefer]

Agreed in principle, but (as far as I can see) at the moment the query only recognises this one particular sanitiser, so if we suggest another one it wouldn't actually make the alert go away. I have raised #15178 to discuss this further.

[tausbn]

Looks reasonable to me. 👍

[felicitymay]

Thanks for taking the time to expand the documentation. Nothing to suggest here 💖