application_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/application_controller.rb:541

redirect_to(Permalink.find_by_url(path).target_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/application_controller.rb or mark it as false positive.

session_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/session_controller.rb:184

redirect_to(SiteSetting.discourse_connect_not_approved_url)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/session_controller.rb or mark it as false positive.

tags_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/tags_controller.rb:370

redirect_to("#{Discourse.base_path}/tags#{Permalink.find_by_url("c/#{params[:category_slug_path_with_id]}").target_url}/#{params[:tag_id]}", :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/tags_controller.rb or mark it as false positive.

permalinks_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/permalinks_controller.rb:14

redirect_to(Permalink.find_by_url(request.fullpath).target_url, :status => :moved_permanently)

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/permalinks_controller.rb or mark it as false positive.

users_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:931

redirect_to(cookies.delete(:destination_url))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

static_controller.rb
code Critical
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: High

Problem

Possible unprotected redirect

Location

app/controllers/static_controller.rb:32

redirect_to(SiteSetting.get(map[params[:id]][:redirect]))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/static_controller.rb or mark it as false positive.

CVE-2021-22881
actionpack Moderate
Redirect
Discovered 3 months ago
Published 3 months ago
Category: Redirect
Severity: Moderate

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22881.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.1.2.1, 6.0.3.5

Impact

Specially crafted “Host” headers in combination with certain “allowed host” formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example, configuration files that look like this:

config.hosts << '.tkte.ch'

When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

Workarounds

In the case a patch can’t be applied, the following monkey patch can be used in an initializer:

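module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        # Accept only a plain hostname or a bracketed IPv6 literal,
        # optionally followed by a port; anything else fails to match.
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        # Validate the Host header before comparing it to the allowed hosts.
        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        # Only the last X-Forwarded-Host entry is checked; this is nil when
        # the header is absent or does not match valid_host.
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host && @permissions.allows?(origin_host[:host]) && (
          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
      end
  end
end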

CVSS Metrics

Access Vector: n/a
Access Complexity: n/a
Authentication: n/a
Confidentiality Impact: n/a
Integrity Impact: n/a
Availability Impact: n/a

Patched Versions

~> 6.0.3.5, >= 6.1.2.1

Unaffected Versions

< 6.0.0

References

n/a

posts_controller.rb
code Moderate
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/posts_controller.rb:162

redirect_to(path(Post.find(params[:post_id].to_i).url))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/posts_controller.rb or mark it as false positive.

svg_sprite_controller.rb
code Moderate
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/svg_sprite_controller.rb:18

redirect_to(path(SvgSprite.path(params[:theme_ids].split(",").map(&:to_i))))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/svg_sprite_controller.rb or mark it as false positive.

users_controller.rb
code Moderate
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:929

redirect_to(((session_sso_provider_url + "?") + cookies.delete(:sso_payload)))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.

users_controller.rb
code Moderate
Redirect
Discovered 3 months ago
Source: static code analysis
Category: Redirect
Confidence level: Weak

Problem

Possible unprotected redirect

Location

app/controllers/users_controller.rb:978

redirect_to(((session_sso_provider_url + "?") + cookies.delete(:sso_payload)))

Category description: Sometimes redirect_to can be used with a user-supplied value that may allow the attacker to change the :host option and load a malicious script from a third party website.

Solution: fix the issue in app/controllers/users_controller.rb or mark it as false positive.