---
title: URL Redirects Must Be In Allow List
impact: LOW
impactDescription: prevents open redirect vulnerabilities
tags: redirect, url, allow-list, validation, security
---

## URL Redirects Must Be In Allow List

Open redirect vulnerabilities arise when a server redirects to a user-supplied URL without validating it. Because the link starts on a trusted domain, attackers use them to send users to malicious sites, most often in phishing campaigns.

**Incorrect (unvalidated redirect URL):**

```go
import (
    "net/http"
    "strings"
)

// Open redirect vulnerability: the target is taken verbatim from the query string
http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
    url := r.URL.Query().Get("url")
    http.Redirect(w, r, url, http.StatusFound) // Attacker: ?url=https://evil.com
})

// Partial validation (can be bypassed): a substring match, not a host match.
// Registered under a second path so both handlers can coexist in one mux.
http.HandleFunc("/redirect-partial", func(w http.ResponseWriter, r *http.Request) {
    url := r.URL.Query().Get("url")
    if strings.Contains(url, "example.com") {
        http.Redirect(w, r, url, http.StatusFound) // Bypass: https://evil.com/?example.com
    }
})
```

**Correct (allow list validation):**

```go
import (
    "net/http"
    "net/url"
    "strings"
)

var allowedRedirectHosts = []string{
    "example.com",
    "app.example.com",
    "admin.example.com",
}

// isAllowedHost requires an exact (case-insensitive) host match:
// no substring or suffix matching, so "example.com.evil.com" is rejected
func isAllowedHost(host string) bool {
    for _, h := range allowedRedirectHosts {
        if strings.EqualFold(h, host) {
            return true
        }
    }
    return false
}

http.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
    targetURL := r.URL.Query().Get("url")

    parsed, err := url.Parse(targetURL)
    // Reject parse failures, non-https schemes (javascript:, data:, ...),
    // embedded credentials ("https://example.com@evil.com" has host evil.com)
    // and any host that is not on the allow list
    if err != nil || parsed.Scheme != "https" || parsed.User != nil || !isAllowedHost(parsed.Hostname()) {
        http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
        return
    }

    http.Redirect(w, r, targetURL, http.StatusFound)
})

// Or use relative URLs only
http.HandleFunc("/relative-redirect", func(w http.ResponseWriter, r *http.Request) {
    path := r.URL.Query().Get("path")

    // Only allow relative paths starting with a single /:
    // "//host" is protocol-relative, and browsers may treat "/\host" the same way
    if !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") || strings.HasPrefix(path, "/\\") {
        http.Error(w, "Invalid path", http.StatusBadRequest)
        return
    }

    http.Redirect(w, r, path, http.StatusFound)
})
```

**Protection strategies:**
1. Allow list of trusted domains (exact host match on the parsed URL, never a substring check)
2. Use relative URLs only (a single leading `/`, rejecting `//` and `/\` forms)
3. Validate URL structure (parse it and check scheme, credentials and host rather than the raw string)
4. Warning page before external redirects
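
To show the difference between the bypassable substring check and an exact host match on a parsed URL, here is a stand-alone validator written for this page; it is an added example, not the project's own code. `SafeRedirectTarget`, its argument names and the host list in `main` are assumptions. It goes beyond the handler above by also refusing non-https schemes, embedded credentials, backslashes and CR/LF, and bare host names that `url.Parse` would otherwise treat as relative paths.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SafeRedirectTarget validates a user-supplied redirect target against an
// allow list of hosts. It accepts either an absolute https URL whose host is
// exactly on the list, or a same-origin path beginning with a single "/".
// Everything else (bare host names, protocol-relative URLs, other schemes,
// embedded credentials, look-alike subdomains) is rejected with an error.
func SafeRedirectTarget(raw string, allowedHosts []string) (string, error) {
	if raw == "" {
		return "", errors.New("empty redirect target")
	}
	// Backslashes and CR/LF are rejected up front: some browsers normalise
	// "/\evil.com" to "//evil.com", and CR/LF would permit header injection.
	if strings.ContainsAny(raw, "\\\r\n") {
		return "", errors.New("redirect target contains forbidden characters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("unparsable redirect target: %w", err)
	}

	// Relative target: url.Parse puts "//evil.com" into u.Host, so a target
	// with no scheme and no host is a path. A leading "/" is still required
	// so that a bare "evil.com" (parsed as a relative path) is refused too.
	if u.Scheme == "" && u.Host == "" {
		if !strings.HasPrefix(raw, "/") {
			return "", errors.New("relative redirect must start with /")
		}
		return raw, nil
	}

	// Absolute target: https only, so "javascript:", "data:" and plain http
	// are refused, as is the scheme-less "//host" form.
	if u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q not permitted", u.Scheme)
	}
	// "https://example.com@evil.com" parses with User="example.com" and
	// Host="evil.com"; refusing userinfo removes that trick entirely.
	if u.User != nil {
		return "", errors.New("credentials not permitted in redirect target")
	}
	host := strings.ToLower(u.Hostname())
	for _, allowed := range allowedHosts {
		if host == strings.ToLower(allowed) {
			return raw, nil
		}
	}
	return "", fmt.Errorf("host %q not in allow list", host)
}

func main() {
	// Constructed sample inputs (assumed hosts): the first three should be
	// allowed, the rest reproduce common bypass attempts and must be refused.
	hosts := []string{"example.com", "app.example.com"}
	inputs := []string{
		"/dashboard",
		"https://example.com/login",
		"https://APP.example.com/x",
		"evil.com",
		"//evil.com",
		"/\\evil.com",
		"https://example.com@evil.com/",
		"https://example.com.evil.com/",
		"javascript:alert(1)",
		"https://evil.com/?example.com",
	}
	for _, in := range inputs {
		if target, err := SafeRedirectTarget(in, hosts); err != nil {
			fmt.Printf("REJECT %-32q %v\n", in, err)
		} else {
			fmt.Printf("ALLOW  %-32q -> %s\n", in, target)
		}
	}
}
```

Note that a protocol-relative `//example.com` is refused even though the host is allowed; the validator insists on an explicit `https` scheme so the check is the same regardless of how the browser resolves the target.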

**Tools:** SonarQube, Semgrep, Manual Review
