public class RedirectSanitiserImpl extends Object implements RedirectSanitiser
| Constructor and Description |
|---|
| RedirectSanitiserImpl(VelocityRequestContextFactory velocityRequestContextFactory) |
| Modifier and Type | Method and Description |
|---|---|
| boolean | canRedirectTo(String redirectUri) Returns a boolean indicating whether redirecting to the given URI is allowed or not. |
| protected String | getCanonicalBaseURL() Returns the canonical base URL for JIRA. |
| String | makeSafeRedirectUrl(String redirectUrl) Constructs a safe redirect URL out of user-provided input. |
public RedirectSanitiserImpl(VelocityRequestContextFactory velocityRequestContextFactory)

public boolean canRedirectTo(@Nullable String redirectUri)

Description copied from interface: RedirectSanitiser

This method returns false if the redirectUri is an absolute URI that points to a domain other than this JIRA instance's domain, and true otherwise.

If the URI is in the form //xxx, it is not allowed, as per JRA-27405.

If the URI contains any character that is not valid in a URL, such as a backslash, redirection is denied because it could result in an open redirect attack.

Specified by:
canRedirectTo in interface RedirectSanitiser

Parameters:
redirectUri - a String containing a URI

@Nullable public String makeSafeRedirectUrl(@Nullable String redirectUrl)

Description copied from interface: RedirectSanitiser

If the redirectUrl does not meet these conditions, this method returns null.

This is used to prevent open redirect attacks, which facilitate phishing attacks against JIRA users.

Specified by:
makeSafeRedirectUrl in interface RedirectSanitiser

Parameters:
redirectUrl - a String containing the redirect URL

protected String getCanonicalBaseURL()

Returns the canonical base URL for JIRA.
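As an added example (not JIRA's code, which this page does not show), the stand-alone class below applies the three rules documented for canRedirectTo and has makeSafeRedirectUrl return null when they fail; the class name RedirectSanitiserDemo and the base URL https://jira.example.test are constructed sample values.

```java
import java.net.URI;
import java.net.URISyntaxException;

/** Hypothetical stand-in for RedirectSanitiserImpl; the base URL is a constructed sample. */
public final class RedirectSanitiserDemo {
    private final URI canonicalBase;

    public RedirectSanitiserDemo(String canonicalBaseUrl) {
        this.canonicalBase = URI.create(canonicalBaseUrl);
    }

    /** Applies the three documented rules; false means the redirect must be refused. */
    public boolean canRedirectTo(String redirectUri) {
        if (redirectUri == null) {
            return false;
        }
        // Rule 3: a character that is not valid in a URL (here a backslash) is refused outright,
        // because some browsers treat "\" like "/" and the host check below could be bypassed.
        if (redirectUri.indexOf('\\') >= 0) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false; // anything java.net.URI cannot parse is treated as invalid
        }
        // Rule 2: a protocol-relative "//xxx" URI resolves to another host (JRA-27405).
        if (redirectUri.startsWith("//")) {
            return false;
        }
        // Rule 1: an absolute URI is only allowed when it points at this instance's domain.
        if (uri.isAbsolute()) {
            return uri.getHost() != null
                && uri.getHost().equalsIgnoreCase(canonicalBase.getHost());
        }
        // A relative URI with no authority component stays on this JIRA instance.
        return uri.getRawAuthority() == null;
    }

    /** Returns the URL unchanged when it passes the checks, and null otherwise. */
    public String makeSafeRedirectUrl(String redirectUrl) {
        return canRedirectTo(redirectUrl) ? redirectUrl : null;
    }

    public static void main(String[] args) {
        RedirectSanitiserDemo s = new RedirectSanitiserDemo("https://jira.example.test");
        for (String u : new String[] {"/browse/TEST-1", "https://jira.example.test/browse/TEST-1",
                "https://attacker.example/", "//attacker.example/", "/\\attacker.example", "javascript:alert(1)"}) {
            System.out.println(u + " -> " + s.makeSafeRedirectUrl(u));
        }
    }
}
```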
Copyright © 2002-2019 Atlassian. All Rights Reserved.