@PublicApi public final class SafeRedirectChecker extends Object implements RedirectSanitiser

java.lang.Object
   ↳ com.atlassian.jira.web.action.SafeRedirectChecker

This class is deprecated.
Use RedirectSanitiser instead. Since v6.2.

@PublicApi

This class is designed for plugins to consume (call its methods).

Clients of @PublicApi can expect that programs compiled against a given version will remain binary compatible with later versions of the @PublicApi as per each product's API policy as long as the client does not implement/extend @PublicApi interfaces or classes (refer to each product's API policy for the exact guarantee---usually binary compatibility is guaranteed at least across minor versions).

Note: since @PublicApi interfaces and classes are not designed to be implemented or extended by clients, we may perform certain types of binary-incompatible changes to these classes and interfaces, but these will not affect well-behaved clients that do not extend/implement these types (in general, only classes and interfaces annotated with @PublicSpi are safe to extend/implement).

Class Overview

Contains methods that check whether a particular redirect is "safe" or not.

Summary

Public Constructors
@Internal SafeRedirectChecker(RedirectSanitiser redirectSanitiser)
Public Methods
boolean canRedirectTo(String redirectUri)
Returns a boolean indicating whether redirecting to the given URI is allowed or not.
@Nullable String makeSafeRedirectUrl(String redirectUrl)
Constructs a safe redirect URL out of user-provided input.
Inherited Methods
From class java.lang.Object
From interface com.atlassian.jira.web.action.RedirectSanitiser

Public Constructors

@Internal public SafeRedirectChecker (RedirectSanitiser redirectSanitiser)

@Internal

This constructor is an internal implementation detail and will change without notice.

Clients that depend on @Internal classes and interfaces can not expect to be compatible with any version other than the version they were compiled against (even minor version and milestone releases may break binary compatibility with respect to @Internal elements).

Public Methods

public boolean canRedirectTo (String redirectUri)

Returns a boolean indicating whether redirecting to the given URI is allowed or not. This method returns false if the redirectUri is an absolute URI that points to a domain other than this JIRA instance's domain, and true otherwise. If the URI is of the form //xxx (a protocol-relative URL, which the browser resolves against its own scheme), it is not allowed, as per JRA-27405.

Parameters
redirectUri a String containing a URI
Returns
  • a boolean indicating whether redirecting to the given URI should be allowed or not

@Nullable public String makeSafeRedirectUrl (String redirectUrl)

Constructs a safe redirect URL out of user-provided input. This means checking that the URL has an HTTP or HTTPS scheme, and that it does not redirect to a different domain (i.e. one other than this JIRA instance's). If the redirectUrl does not meet these conditions, this method returns null.

This is used to prevent open redirect attacks, which facilitate phishing attacks against JIRA users.

Parameters
redirectUrl a String containing the redirect URL
Returns
  • a safe redirect URL, or null
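The following is an added, hypothetical re-implementation of the two checks described above (canRedirectTo and makeSafeRedirectUrl); it is not Jira's own code and only mirrors the documented rules: relative paths pass, protocol-relative "//host" input is rejected (JRA-27405), absolute URLs must point at this instance's host, and makeSafeRedirectUrl additionally requires an http or https scheme. The base URL "https://jira.example.com" and the sample inputs are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Hypothetical re-implementation of the documented redirect checks (not Jira's code). */
public final class RedirectCheckExample {
    private final String jiraHost;  // host of this instance's base URL (constructed value in main)

    public RedirectCheckExample(String baseUrl) {
        this.jiraHost = URI.create(baseUrl).getHost().toLowerCase(Locale.ROOT);
    }

    /** Mirrors canRedirectTo: relative URIs pass, "//host" is refused, absolute URIs must be this host. */
    public boolean canRedirectTo(String redirectUri) {
        if (redirectUri == null) return false;
        String trimmed = redirectUri.trim();
        if (trimmed.startsWith("//")) return false;   // protocol-relative: browser would leave this host
        URI uri;
        try { uri = new URI(trimmed); } catch (URISyntaxException e) { return false; }
        if (!uri.isAbsolute()) return true;           // plain path such as /secure/Dashboard.jspa
        String host = uri.getHost();                  // null for opaque URIs like javascript:...
        return host != null && host.toLowerCase(Locale.ROOT).equals(jiraHost);
    }

    /** Mirrors makeSafeRedirectUrl: same-host check plus http/https scheme, otherwise null. */
    public String makeSafeRedirectUrl(String redirectUrl) {
        if (!canRedirectTo(redirectUrl)) return null;
        URI uri = URI.create(redirectUrl.trim());     // already parsed successfully above
        if (uri.isAbsolute()) {
            String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
            if (!scheme.equals("http") && !scheme.equals("https")) return null;
        }
        return uri.toString();
    }

    public static void main(String[] args) {
        RedirectCheckExample checker = new RedirectCheckExample("https://jira.example.com");
        String[] inputs = {                           // constructed sample inputs
            "/secure/Dashboard.jspa",                 // allowed: relative path
            "https://jira.example.com/browse/KEY-1",  // allowed: same host
            "https://other.example/login",            // refused: different domain
            "//other.example/login",                  // refused: protocol-relative (JRA-27405)
            "ftp://jira.example.com/",                // canRedirectTo true, makeSafe null: not http(s)
            "javascript:alert(1)",                    // refused: opaque URI, no host
        };
        for (String in : inputs) {
            System.out.printf("%-40s canRedirectTo=%-5s makeSafeRedirectUrl=%s%n",
                    in, checker.canRedirectTo(in), checker.makeSafeRedirectUrl(in));
        }
    }
}
```

The ftp case shows why the two methods differ: canRedirectTo only asks about the host, while makeSafeRedirectUrl also constrains the scheme.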