Execution After Redirect ('EAR')
ID |
go.execution_after_redirect |
Severity |
low |
Resource |
Other |
Language |
Go |
Tags |
CWE:698, NIST.SP.800-53 |
Description
Detects code that continues to execute after issuing an HTTP redirect, potentially leading to unintended information disclosure or behavior.
Rationale
Execution After Redirect vulnerabilities typically arise when programmers assume that code execution halts after an HTTP redirect.
In reality, most web frameworks keep executing after a redirect unless the handler explicitly stops (in Go, by returning immediately after http.Redirect). This can lead to security weaknesses when actions that should not happen once the redirect has been issued are carried out anyway.
Consider the following Go example, in which the handler keeps running after the redirect on the line marked FLAW:
package execution_after_redirect
import (
	"html/template"
	"log"
	"net/http"
	"time"
)
// Stuff is the value handed to the template on the non-POST path of
// checkCheckHandler; List is the only field the example populates.
type Stuff struct {
	List []string
}
// tpl is the template source parsed by checkCheckHandler; the real page
// body is left out of this example.
const tpl = `Your template content here`
// checkCheckHandler serves /check. On POST it saves the submitted "choices"
// form values and redirects the client to the "newURL" query parameter; on
// any other method it renders tpl with a fixed Stuff value.
//
// This is the rule's example of execution after redirect: http.Redirect
// writes the 303 response but does not stop the handler, so executeSomeLogic
// still runs for a request that has already been told to go elsewhere. The
// fix is to return immediately after http.Redirect.
func checkCheckHandler(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "Invalid form data", http.StatusBadRequest)
		return
	}
	if r.Method == http.MethodPost {
		// The redirect target comes from the query string (not the POST body)
		// and is only checked for emptiness. NOTE(review): the rule is about
		// post-redirect execution, but a caller-supplied Location should be
		// validated (allowlist or relative-path only) before it reaches
		// http.Redirect.
		newURL := r.URL.Query().Get("newURL")
		if newURL == "" {
			http.Error(w, "Invalid redirect URL", http.StatusBadRequest)
			return
		}
		choices := r.Form["choices"]
		if err := saveChoice(choices); err != nil {
			http.Error(w, "Failed to save choices", http.StatusInternalServerError)
			return
		}
		// FLAW: once Redirect returns the response is already committed, yet
		// the handler keeps going. Whatever executeSomeLogic does happens
		// after the redirect has been issued, and any later write to w would
		// land after the headers were sent. A `return` belongs right here.
		http.Redirect(w, r, newURL, http.StatusSeeOther) // FLAW
		executeSomeLogic()
		return
	}
	sinfo := Stuff{
		List: []string{"Example1", "Example2"}, // Populate this slice appropriately
	}
	// The template is parsed on every request; acceptable for an example,
	// but a real handler would parse it once at package scope.
	t, err := template.New("template").Parse(tpl)
	if err != nil {
		http.Error(w, "Template parsing error", http.StatusInternalServerError)
		return
	}
	if err := t.Execute(w, sinfo); err != nil {
		http.Error(w, "Template execution error", http.StatusInternalServerError)
		return
	}
}
// saveChoice stands in for the persistence step of the example. It accepts
// the submitted choices and always reports success; nothing is stored.
func saveChoice(choices []string) error {
	_ = choices // no storage backend in this example
	return nil
}
// executeSomeLogic is the placeholder for work the example performs after
// the redirect. It is empty so the example compiles; in the rule's scenario
// it stands for logic that must not run once the client has been redirected.
func executeSomeLogic() {
}
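// main registers checkCheckHandler on /check and serves it on :8080.
//
// The server is constructed explicitly rather than through
// http.ListenAndServe so that read, write and idle deadlines can be set; the
// default server has none, which lets a slow or idle client hold a
// connection open indefinitely.
func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/check", checkCheckHandler)
	srv := &http.Server{
		Addr:              ":8080",
		Handler:           mux,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
	log.Fatal(srv.ListenAndServe())
}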