Do not use unvalidated request

Docs > Code Analysis > Static Analysis Rules > Do not use unvalidated request

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: java-security/unvalidated-redirect

Language: Java

Severity: Error

Category: Security

CWE: 601

Description

Do not use unvalidated redirect. Always check the redirect URL coming from a request.

Learn More

Unvalidated Redirect
CWE-601 - URL Redirection to Untrusted Site

Non-Compliant Code Examples

public class MyClass {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.sendRedirect(req.getParameter("redirectUrl"));
    }
}

Compliant Code Examples

public class MyClass {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        resp.sendRedirect(validateUrl(req.getParameter("redirectUrl")));
    }
}