Python Unvalidated Redirect Param
Description
Detects unvalidated URL redirects in Flask applications where the redirect target comes from user-controlled input. This vulnerability could allow attackers to redirect users to malicious websites through open redirect attacks.
Detection Strategy
• Identifies imports or usage of Flask's redirect function
• Looks for calls to the redirect() function in the code
• Checks if the redirect URL parameter comes from user input without proper validation
• Reports a vulnerability when redirect calls use unvalidated user-controlled data as the destination URL
Vulnerable code example
```python
from flask import Flask, redirect, request

app = Flask(__name__)


@app.route('/')
def home():
    redirect_url = request.args.get('redirect_url')
    if redirect_url:
        # User-controlled value passed straight to redirect() with no validation
        return redirect(redirect_url)
    return 'home'  # fallback when no redirect_url parameter is supplied
```
✅ Secure code example
```python
from flask import Flask, redirect, request
from urllib.parse import urlparse, urljoin
import logging

app = Flask(__name__)

# Define allowed domains for redirects
ALLOWED_DOMAINS = {'example.com', 'trusted.com'}
...
```