Package com.atlassian.jira.web.action
Interface RedirectSanitiser
- All Known Implementing Classes:
MockRedirectSanitiser
,RedirectSanitiserImpl
,SafeRedirectChecker
public interface RedirectSanitiser
Provides a way for clients to sanitise redirect URLs before issuing the redirect. Any redirect target taken from request input (a returnUrl or os_destination parameter, for example) should pass through this interface first, so that an attacker cannot craft a link on the Jira host that bounces the user to an external site.
- Since:
- 5.1.5
-
Method Summary
Modifier and Type | Method | Description
boolean | canRedirectTo(String redirectUri) | Returns a boolean indicating whether redirecting to the given URI is allowed or not.
String | makeSafeRedirectUrl(String redirectUrl) | Constructs a safe redirect URL out of user-provided input.
-
Method Details
-
makeSafeRedirectUrl
Constructs a safe redirect URL out of user-provided input. This means checking that the URL has an HTTP or HTTPS scheme, and that it does not redirect to a different domain (i.e. one that is not this JIRA instance). If the redirectUrl does not meet these conditions, this method returns null, and the caller must not issue the redirect. This is used to prevent open redirect attacks, which facilitate phishing attacks against JIRA users: a link that genuinely points at the JIRA host but forwards the victim to an attacker-controlled login page.
- Parameters:
redirectUrl - a String containing the redirect URL
- Returns:
a safe redirect URL, or null
- Since:
5.1.5
-
canRedirectTo
Returns a boolean indicating whether redirecting to the given URI is allowed or not. This method returns false if the redirectUri is an absolute URI and it points to a domain that is not this JIRA instance's domain, and true otherwise. If the URI is in the form //xxx (a scheme-relative URI, which the browser resolves to another host) it is not allowed, as per JRA-27405. If the URI contains any invalid URL character, such as a backslash, redirection is denied, because browsers normalise sequences like /\evil.example to //evil.example and the result would be an open redirect.
- Parameters:
redirectUri - a String containing a URI
- Returns:
a boolean indicating whether redirecting to the given URI should be allowed or not
- Since:
v6.2
-
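The following is an added illustration of the contract described for both methods above. It is not Jira's RedirectSanitiserImpl or SafeRedirectChecker; the interface is copied from this page so the file compiles on its own, the class ExampleRedirectSanitiser and its base-URL constructor argument are assumptions, and only the rules stated in the Javadoc are applied (http/https scheme, same host as this instance, no //xxx, no backslashes or other illegal characters). Resolving a relative URI against the base URL in makeSafeRedirectUrl is also an assumption about what "a safe redirect URL" should look like.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Copy of the documented interface so this example compiles stand-alone. */
interface RedirectSanitiser {
    String makeSafeRedirectUrl(String redirectUrl);
    boolean canRedirectTo(String redirectUri);
}

/**
 * Illustrative sanitiser (assumed class, not Jira's own implementation).
 * Applies the Javadoc rules against a configured base URL.
 */
public class ExampleRedirectSanitiser implements RedirectSanitiser {
    private final URI baseUrl; // this instance's base URL, e.g. https://jira.example.com

    public ExampleRedirectSanitiser(String baseUrl) {
        this.baseUrl = URI.create(baseUrl);
    }

    @Override
    public boolean canRedirectTo(String redirectUri) {
        if (redirectUri == null) {
            return false;
        }
        // Backslash is not a valid URL character; browsers rewrite "/\evil.example"
        // to "//evil.example", so deny it before any parsing happens.
        if (redirectUri.indexOf('\\') >= 0) {
            return false;
        }
        // Scheme-relative "//host/..." inherits the current scheme but changes
        // the host: denied (the //xxx case from JRA-27405).
        if (redirectUri.startsWith("//")) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false; // any other illegal character (space, control char, ...)
        }
        if (!uri.isAbsolute()) {
            return true; // a relative path stays on this instance
        }
        // Absolute URI: only http/https, and only this instance's host.
        String scheme = uri.getScheme().toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false; // e.g. javascript:
        }
        // getHost() is null for opaque forms like "https:evil.example", and for
        // "https://jira.example.com@evil.example/" it is evil.example (userinfo
        // is not the host), so both are rejected by this comparison.
        String host = uri.getHost();
        return host != null && host.equalsIgnoreCase(baseUrl.getHost());
    }

    @Override
    public String makeSafeRedirectUrl(String redirectUrl) {
        if (!canRedirectTo(redirectUrl)) {
            return null; // caller must not redirect
        }
        URI uri = URI.create(redirectUrl);
        if (uri.isAbsolute()) {
            return uri.toString();
        }
        // Assumption: relative targets are resolved against the base URL so the
        // caller always receives an absolute http(s) URL on this instance.
        return baseUrl.resolve(uri).toString();
    }

    public static void main(String[] args) {
        RedirectSanitiser s = new ExampleRedirectSanitiser("https://jira.example.com");
        // Constructed sample inputs: the first three should be allowed, the rest denied.
        String[] inputs = {
            "/browse/ABC-1",
            "https://jira.example.com/secure/Dashboard.jspa",
            "HTTPS://JIRA.EXAMPLE.COM/browse/ABC-1",
            "https://evil.example/login",
            "https://jira.example.com.evil.example/login",
            "//evil.example/login",
            "/\\evil.example",
            "https://jira.example.com@evil.example/",
            "https:evil.example",
            "javascript:alert(1)",
        };
        for (String in : inputs) {
            System.out.printf("%-48s canRedirectTo=%-5s safe=%s%n",
                    in, s.canRedirectTo(in), s.makeSafeRedirectUrl(in));
        }
    }
}
```

The host comparison deliberately ignores ports and paths; the point is that every absolute target must name this instance's host exactly, so look-alike subdomains, userinfo tricks and scheme-only forms all fail. One caveat a practitioner should keep in mind: java.net.URI does not parse exactly as browsers do, so in production the checks above are a floor, not a substitute for the project's own implementing classes listed at the top of this page.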