Validate redirect URLs

Always validate redirect URLs to prevent open redirect vulnerabilities. When validating external URLs, parse them with the URL constructor and compare origins exactly rather than using string operations.

Bad:

```javascript
// Vulnerable to subdomain attacks: with an origin of https://example.com the
// prefix check also accepts https://example.com.attacker.com, and the "/"
// check accepts protocol-relative URLs such as //attacker.com
const isRedirectSafe = (redirectUrl) => {
  return (
    redirectUrl.startsWith("/") ||
    redirectUrl.startsWith(window.location.origin)
  )
}
```

Good:

```javascript
const isRedirectSafe = (redirectUrl) => {
  // Allow local redirects, but reject protocol-relative ones
  // ("//host" or "/\host"), which the browser resolves to another origin
  if (redirectUrl.startsWith("/") && !/^\/[\/\\]/.test(redirectUrl)) {
    return true
  }
  try {
    // Validate external URLs by checking exact origin match
    const url = new URL(redirectUrl)
    return url.origin === window.location.origin
  } catch {
    return false
  }
}
```
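As an added example (not part of wispbit's rule code), a variant of the check that resolves every candidate against the current origin with the same URL constructor, so relative, protocol-relative and absolute inputs all go through one exact-origin comparison; it is run over constructed test inputs. `currentOrigin` is a parameter (pass `window.location.origin` in the browser) so the code also runs under Node.

```javascript
// Added example, not wispbit's own rule code. `currentOrigin` is passed in
// so it runs under Node as well; in the browser pass window.location.origin.
const safeRedirectTarget = (candidate, currentOrigin) => {
  if (typeof candidate !== "string") return null // e.g. ?next=a&next=b arrays
  let url
  try {
    // Relative paths resolve against the current origin; absolute and
    // protocol-relative inputs ("//host", "/\host") keep their own host.
    url = new URL(candidate, currentOrigin)
  } catch {
    return null // unparsable input is never a valid redirect
  }
  // Only http(s) targets on exactly this origin are allowed; the scheme check
  // also rejects javascript:/data: URLs, whose origin would be "null" anyway.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null
  if (url.origin !== currentOrigin) return null
  // Return the normalised URL so the caller redirects to the parsed form,
  // never to the raw user-supplied string.
  return url.href
}

// Constructed inputs (not from the original page) checked against an assumed
// current origin of https://example.com; the value is the expected verdict.
const ORIGIN = "https://example.com"
const SAMPLES = {
  "/account/settings": true,
  "https://example.com/dashboard?tab=1": true,
  "https://example.com:443/a": true,               // default port normalised away
  "https://example.com.attacker.example/x": false, // subdomain lookalike
  "https://example.com@attacker.example/x": false, // origin text hidden in userinfo
  "//attacker.example/x": false,                   // protocol-relative
  "/\\attacker.example/x": false,                  // backslash variant
  "/\t/attacker.example/x": false,                 // parser strips the tab first
  "javascript:alert(1)": false,                    // non-http scheme
  "http://example.com/": false,                    // scheme differs, so origin differs
}

// Evaluate every sample; returns { candidate: verdict } for comparison.
const checkSamples = () =>
  Object.fromEntries(
    Object.keys(SAMPLES).map((c) => [c, safeRedirectTarget(c, ORIGIN) !== null])
  )

console.log(checkSamples())
```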

Install this rule for wispbit

Add this rule to wispbit and it will run when you open a pull request

Install this rule for Coderabbit

Copy the configuration below and add it to your repository as .coderabbit.yml in your project root.

reviews:
  path_instructions:
    - path: "*.vue,*.ts,*.js"
      instructions: |
        Always validate redirect URLs to prevent open redirect vulnerabilities. When validating external URLs, parse them with the URL constructor and compare origins exactly rather than using string operations.
        
        Bad:
        
        ```javascript
        // Vulnerable to subdomain attacks (e.g., example.com.attacker.com)
        const isRedirectSafe = (redirectUrl) => {
          return (
            redirectUrl.startsWith("/") ||
            redirectUrl.startsWith(window.location.origin)
          )
        }
        ```
        
        Good:
        
        ```javascript
        const isRedirectSafe = (redirectUrl) => {
          // Allow local redirects, but reject protocol-relative ones
          // ("//host" or "/\host"), which the browser resolves to another origin
          if (redirectUrl.startsWith("/") && !/^\/[\/\\]/.test(redirectUrl)) {
            return true
          }
        
          try {
            // Validate external URLs by checking exact origin match
            const url = new URL(redirectUrl)
            return url.origin === window.location.origin
          } catch {
            return false
          }
        }
        ```
        

Install this rule for Greptile

Greptile rules can be added through the web interface. Please see this documentation for details on how to add custom rules and context.


File Path Patterns:

*.vue
*.ts
*.js

Install this rule for GitHub Copilot

Copilot instructions can be added through the interface. See the documentation for details on how to create coding guidelines.


Install this rule for Graphite Diamond

Diamond custom rules can be added through the interface. See the documentation for details on how to create custom rules.


Use with Cline

Copy the rule above and ask Cline to review your code using this rule


Use with OpenAI Codex

Copy the rule above and ask OpenAI Codex to review your code using this rule


Use with Cursor

Copy the rule above and ask Cursor to review your code using this rule


Use with Claude Code

Copy the rule above and ask Claude Code to review your code using this rule


Install this rule for Windsurf

To set up rules for Windsurf Reviews, please see this documentation
