SafeRedirectChecker (Atlassian JIRA 6.0.7 API)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

com.atlassian.jira.web.action
Class SafeRedirectChecker

java.lang.Object
  com.atlassian.jira.web.action.SafeRedirectChecker

All Implemented Interfaces:: RedirectSanitiser

@PublicApi public final class SafeRedirectChecker
extends Object
implements RedirectSanitiser
extends Object
implements RedirectSanitiser

Contains methods that check whether a particular redirect is "safe" or not.

Since:: v4.3

Constructor Summary
`SafeRedirectChecker(VelocityRequestContextFactory velocityRequestContextFactory)` Creates a new SafeRedirectChecker.

Method Summary
`boolean`	`canRedirectTo(String redirectUri)` Returns a boolean indicating whether redirecting to the given URI is allowed or not.
`protected String`	`getCanonicalBaseURL()` Returns the canonical base URL for JIRA.
`String`	`makeSafeRedirectUrl(String redirectUrl)` Constructs a safe redirect URL out of user-provided input.

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Constructor Detail

SafeRedirectChecker

public SafeRedirectChecker(VelocityRequestContextFactory velocityRequestContextFactory)

Creates a new SafeRedirectChecker.

Parameters:: velocityRequestContextFactory - a VelocityRequestContextFactory

Method Detail

canRedirectTo

public boolean canRedirectTo(@Nullable
                             String redirectUri)

Returns a boolean indicating whether redirecting to the given URI is allowed or not. This method returns false if the redirectUri is an absolute URI and it points to a domain that is not this JIRA instance's domain, and true otherwise. If the uri is in the form //xxx then it is not allowed as per JRA-27405

Parameters:: redirectUri - a String containing a URI
Returns:: a boolean indicating whether redirecting to the given URI should be allowed or not
Since:: v4.3

makeSafeRedirectUrl

@Nullable
public String makeSafeRedirectUrl(@Nullable
                                           String redirectUrl)

Constructs a safe redirect URL out of user-provided input. This means checking that the URL has an HTTP or HTTPS scheme, and that it does not redirect to a different domain (i.e. not JIRA). If the redirectUrl does not meet these conditions, this method returns null.

This is used to prevent Open redirect attacks, which facilitate phishing attacks against JIRA users.

Specified by:: makeSafeRedirectUrl in interface RedirectSanitiser

Parameters:: redirectUrl - a String containing the redirect URL
Returns:: a safe redirect URL, or null
Since:: 5.1.5

getCanonicalBaseURL

protected String getCanonicalBaseURL()

Returns the canonical base URL for JIRA.

Returns:: a String containing the canonical base URL