---
title: URL Redirects Must Be In Allow List
impact: LOW
impactDescription: prevents open redirect vulnerabilities
tags: redirect, url, allow-list, validation, security
---

## URL Redirects Must Be In Allow List

Open redirect vulnerabilities allow attackers to send users to malicious sites and are commonly used in phishing, because the link begins with a trusted domain. In Rails, always validate any redirect target that comes from user input.

**Incorrect (unvalidated redirect URL):**

```ruby
# Open redirect vulnerability
def redirect_to_url
  url = params[:url]
  redirect_to url # Attacker: ?url=https://evil.com
end
```

**Correct (allow list or relative path):**

```ruby
ALLOWED_HOSTS = ['example.com', 'app.example.com']

def redirect_to_url
  url = params[:url]
  uri = URI.parse(url)

  if ALLOWED_HOSTS.include?(uri.host)
    redirect_to url, allow_other_host: true
  else
    redirect_to root_path, alert: "Invalid redirect"
  end
rescue URI::InvalidURIError
  redirect_to root_path
end

# Or force a relative path (same origin only)
def safe_redirect
  path = params[:path].to_s # nil becomes "" and falls through to root_path
  # Must start with a single "/": "//host" is scheme-relative and "/\host"
  # is treated the same way by browsers, so both are rejected
  if path.start_with?('/') && !path.start_with?('//', '/\\')
    redirect_to path
  else
    redirect_to root_path
  end
end
```

**Protection strategies:**
1. Keep an allow list of trusted hosts and pass `allow_other_host: true` only after the target's host has been checked against it.
2. Accept relative paths only (a single leading `/`), so the redirect can never leave the current origin.
3. Parse the target with `URI.parse` and rescue `URI::InvalidURIError`, rather than string-matching the raw value.
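The following is an added, framework-free example (not code from the page above) that combines both strategies in one resolver: it accepts a same-origin relative path or an absolute `http(s)` URL on an allow-listed host and returns a fallback for everything else, including the scheme-relative, `javascript:`, look-alike host and userinfo cases the two snippets above handle only partly. The allow list, `ALLOWED_SCHEMES`, `FALLBACK_PATH` and the function name are assumptions for this example.

```ruby
require 'uri'

# Constructed allow list for this example; in an app it belongs in config.
ALLOWED_REDIRECT_HOSTS = %w[example.com app.example.com].freeze
ALLOWED_SCHEMES = %w[http https].freeze
FALLBACK_PATH = '/'.freeze

# Returns the URL to redirect to: the caller's value if it is a same-origin
# relative path or an absolute URL on an allow-listed host, else FALLBACK_PATH.
def resolve_redirect(raw)
  raw = raw.to_s.strip # nil / missing param becomes ""
  return FALLBACK_PATH if raw.empty?

  uri = URI.parse(raw)

  if uri.scheme.nil? && uri.host.nil?
    # Relative target: exactly one leading "/". "//host" is scheme-relative
    # and browsers treat "/\host" the same way, so both are rejected.
    return raw if raw.start_with?('/') && !raw.start_with?('//', '/\\')
    return FALLBACK_PATH
  end

  # Absolute target: require an explicit http(s) scheme (this also rejects
  # "javascript:" and "//host" forms) and an allow-listed host. The host is
  # compared case-insensitively; a look-alike such as "example.com.evil.com"
  # or a userinfo trick such as "https://example.com@evil.com" does not match.
  return FALLBACK_PATH unless ALLOWED_SCHEMES.include?(uri.scheme)
  return FALLBACK_PATH unless ALLOWED_REDIRECT_HOSTS.include?(uri.host&.downcase)

  raw
rescue URI::InvalidURIError
  # Unparseable input (spaces, stray brackets, backslashes) is never redirected to
  FALLBACK_PATH
end
```

In a controller this becomes `redirect_to resolve_redirect(params[:url]), allow_other_host: true`, since the resolver has already bounded which other hosts are possible.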

**Tools:** Brakeman, Manual Review

---
