Rule Description
Describe the bug
In Symfony, using the method
```php
/**
 * Returns a RedirectResponse to the given URL.
 *
 * @param int $status The HTTP status code (302 "Found" by default)
 */
protected function redirect(string $url, int $status = 302): RedirectResponse
{
    return new RedirectResponse($url, $status);
}
```
from Symfony\Bundle\FrameworkBundle\Controller\AbstractController will trigger the rule php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect.
Using the object Symfony\Component\HttpFoundation\RedirectResponse directly will not trigger it.
What does this rule intend to find?
Returning the object RedirectResponse should trigger the rule php.symfony.security.audit.symfony-non-literal-redirect.symfony-non-literal-redirect?
Examples or references
Put an example or references here
Create a route that returns the object RedirectResponse:
```php
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Attribute\Route;

#[Route(
    path: '/redirection-with-query-parameters',
    name: 'redirection',
    methods: ['GET']
)]
public function showWithdrawal(Request $request): RedirectResponse
{
    // The redirect target comes straight from the query string and is
    // passed to RedirectResponse without any validation.
    $userUrl = $request->query->get('url');
    return new RedirectResponse($userUrl);
}
```
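The route above and the `redirect()` helper it is compared with are the same pattern as far as risk goes: in both, a request-controlled string becomes the `Location` header, which is the open-redirect condition the rule exists to flag. What follows is an added example, not code from the issue author or from the semgrep-rules project, showing one way to keep either form out of the rule's sights by never handing raw input to `RedirectResponse`. The `RedirectTargetPolicy` class, the controller name, the `app_home` route name, the allowlisted host and the `Symfony\Component\Routing\Attribute\Route` import (Symfony 6.4+) are all assumptions of this example.

```php
<?php
declare(strict_types=1);

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Attribute\Route;

// Added example: constrains a user-supplied redirect target (assumed class name).
final class RedirectTargetPolicy
{
    /** @param list<string> $allowedHosts exact, lowercase hostnames allowed for absolute URLs */
    public function __construct(private array $allowedHosts) {}

    /**
     * Returns $candidate when it is an acceptable target, otherwise $fallback.
     * Acceptable means a local absolute path ("/account", not "//host" or "/\host")
     * or an http(s) URL whose host is on the allowlist.
     */
    public function resolve(?string $candidate, string $fallback): string
    {
        if ($candidate === null || $candidate === '') {
            return $fallback;
        }
        // Control characters and backslashes are never legitimate here; browsers
        // normalise "\" to "/", which turns "/\evil.test" into "//evil.test".
        if (preg_match('/[\x00-\x1F\x7F\\\\]/', $candidate) === 1) {
            return $fallback;
        }
        $parts = parse_url($candidate);
        if ($parts === false) {
            return $fallback;
        }
        $hasAuthority = isset($parts['scheme']) || isset($parts['host']);
        if (!$hasAuthority) {
            // Relative target: must be an absolute path and not protocol-relative.
            return (str_starts_with($candidate, '/') && !str_starts_with($candidate, '//'))
                ? $candidate
                : $fallback;
        }
        // Absolute target: only http(s), and only an exact host match. This also
        // rejects "javascript:" and "http://allowed@evil.test"-style inputs, since
        // parse_url() reports the real host and the scheme.
        $scheme = strtolower($parts['scheme'] ?? '');
        $host   = strtolower($parts['host'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return $fallback;
        }
        return in_array($host, $this->allowedHosts, true) ? $candidate : $fallback;
    }
}

// Assumed controller: same route as in the issue, but the value reaching
// RedirectResponse is the policy's decision, not the query parameter itself.
final class WithdrawalController extends AbstractController
{
    private RedirectTargetPolicy $policy;

    public function __construct()
    {
        // Constructed allowlist for the example; in a real app this is configuration.
        $this->policy = new RedirectTargetPolicy(['app.example.test']);
    }

    #[Route(path: '/redirection-with-query-parameters', name: 'redirection', methods: ['GET'])]
    public function showWithdrawal(Request $request): RedirectResponse
    {
        $userUrl = $request->query->get('url');
        $target = $this->policy->resolve(
            is_string($userUrl) ? $userUrl : null,
            $this->generateUrl('app_home') // assumed route name used as the safe default
        );
        // Either form below now receives a vetted target; which one you pick no
        // longer changes the exposure, which is the point the issue makes.
        return new RedirectResponse($target);
        // equivalently: return $this->redirect($target);
    }
}
```

The policy deliberately compares the host exactly rather than with a suffix check, because `allowed.test.evil.test` would otherwise pass, and it treats the absence of a scheme with a present host (the `//evil.test` form) as an absolute URL so that it is judged against the allowlist instead of being mistaken for a local path.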
Additional information
More information that would help someone write this rule!
PR Checklist
- [ ] This ticket has links, references, or examples.
- [ ] The rule has true positive and true negative test cases in a file that matches the rule name.
  - If the rule is my-rule, the test file name should be my-rule.js.
  - True positives are marked by comments with ruleid: <my-rule> and true negatives are marked by comments with ok: <my-rule>.
- [ ] The rule has a good message. A good message includes:
  - A description of the pattern (e.g., missing parameter, dangerous flag, out-of-order function calls).
  - A description of why this pattern was detected (e.g., logic bug, introduces a security vulnerability, bad practice).
  - An alternative that resolves the issue (e.g., use another function, validate data first, discard the dangerous flag).
- [ ] After the PR has been reviewed and approved, merge the rule and close this ticket! Thanks for contributing!