Interface RedirectSanitiser

All Known Implementing Classes:
MockRedirectSanitiser, RedirectSanitiserImpl, SafeRedirectChecker

public interface RedirectSanitiser
Provides a way for clients to sanitise redirect URLs before issuing the redirect.
Since:
5.1.5
  • Method Summary

    Modifier and Type   Method                                    Description
    boolean             canRedirectTo(String redirectUri)         Returns a boolean indicating whether redirecting to the given URI is allowed or not.
    String              makeSafeRedirectUrl(String redirectUrl)   Constructs a safe redirect URL out of user-provided input.
  • Method Details

    • makeSafeRedirectUrl

      @Nullable String makeSafeRedirectUrl(@Nullable String redirectUrl)
      Constructs a safe redirect URL out of user-provided input. This means checking that the URL has an HTTP or HTTPS scheme and that it does not redirect to a different domain (i.e. a domain other than this JIRA instance's). If the redirectUrl does not meet these conditions, this method returns null.

      This is used to prevent open redirect attacks, which facilitate phishing attacks against JIRA users.

      Parameters:
      redirectUrl - a String containing the redirect URL
      Returns:
      a safe redirect URL, or null
      Since:
      5.1.5
    • canRedirectTo

      boolean canRedirectTo(@Nullable String redirectUri)
      Returns a boolean indicating whether redirecting to the given URI is allowed or not.

      This method returns false if the redirectUri is an absolute URI that points to a domain other than this JIRA instance's domain, and true otherwise. A protocol-relative URI of the form //xxx is not allowed, as per JRA-27405. If the URI contains any invalid URL character, such as a backslash, redirection is denied, since such input could result in an open redirect.

      Parameters:
      redirectUri - a String containing a URI
      Returns:
      a boolean indicating whether redirecting to the given URI should be allowed or not
      Since:
      v6.2
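As an added example (not code from JIRA or from this page), here is a minimal implementation of the two methods described above; the class names, the base URL "https://jira.example.com" and the redeclared interface are assumptions so that the file compiles and runs on its own.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example: one way to implement the contract this page describes; it is not
// JIRA's RedirectSanitiserImpl. The interface is redeclared here (without @Nullable)
// and the base URL "https://jira.example.com" is assumed so the file runs stand-alone.
public class RedirectSanitiserExample {
    interface RedirectSanitiser {
        String makeSafeRedirectUrl(String redirectUrl);
        boolean canRedirectTo(String redirectUri);
    }

    static class SameHostSanitiser implements RedirectSanitiser {
        private final URI base; // this instance's own URL; only the host is compared, the port is ignored
        SameHostSanitiser(String baseUrl) { this.base = URI.create(baseUrl); }

        public boolean canRedirectTo(String redirectUri) {
            if (redirectUri == null) return false;
            URI uri;
            try {
                uri = new URI(redirectUri); // throws on illegal characters such as backslashes
            } catch (URISyntaxException e) {
                return false;
            }
            // No scheme: allow only a plain relative reference. A "//host/..." form has an
            // authority and is refused (JRA-27405), whether or not it parses as a host name.
            if (uri.getScheme() == null) return uri.getRawAuthority() == null;
            // Absolute URI: the host must be exactly this instance's host. This is stricter than
            // the page's wording for non-hierarchical schemes (e.g. "javascript:"), which have no host.
            return uri.getHost() != null && uri.getHost().equalsIgnoreCase(base.getHost());
        }

        public String makeSafeRedirectUrl(String redirectUrl) {
            if (!canRedirectTo(redirectUrl)) return null;
            URI uri = URI.create(redirectUrl);
            if (uri.getScheme() == null) return base.resolve(uri).toString(); // relative -> absolute
            String scheme = uri.getScheme().toLowerCase();
            return scheme.equals("http") || scheme.equals("https") ? uri.toString() : null;
        }
    }

    public static void main(String[] args) {
        RedirectSanitiser s = new SameHostSanitiser("https://jira.example.com");
        // Constructed inputs: relative path, same host, other host, protocol-relative, backslash, non-HTTP scheme
        String[] inputs = {"/browse/ABC-1", "https://jira.example.com/secure/Dashboard.jspa",
                "https://attacker.example/login", "//attacker.example/login", "/\\attacker.example", "javascript:void(0)"};
        for (String in : inputs)
            System.out.println(in + " -> canRedirectTo=" + s.canRedirectTo(in) + ", safe=" + s.makeSafeRedirectUrl(in));
    }
}
```

Only the first two inputs are accepted; the relative path is returned resolved against the base URL, and every other input yields false and null.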