Critiq Docs

security.url-redirection

Avoid open redirects from request-controlled targets

Redirect helpers must not send users to hosts or paths derived directly from request input without validation.

# Metadata

- Rule ID: `ruby.security.rails-open-redirect`
- Severity: medium
- Confidence: 0.84
- Languages: ruby
- Presets: security, strict
- Stability: stable
- Applies to: block
- Tags: open-redirect, rails, ruby, rules-catalog, security

# Why it matters

`redirect_to` and `redirect_back` calls that honor `params`, `request` URLs, or `allow_other_host: true` with tainted data are a common phishing and OAuth bypass vector.

# Remediation

Use an allowlisted path helper, reject off-host targets, and avoid pairing `allow_other_host: true` with user-controlled URLs.
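The shape this rule flags is `redirect_to params[:return_to], allow_other_host: true` (or an unvalidated `request`-derived URL). The following is an added example, not Critiq's code and not part of any Rails app: a plain-Ruby helper (the name `safe_redirect_target` and the `FALLBACK_PATH` constant are assumptions for this illustration) that reduces a request-supplied target to a same-host path or falls back to a known-safe path. In a controller it would be used as `redirect_to safe_redirect_target(params[:return_to], request.host)`, which never needs `allow_other_host: true`.

```ruby
require "uri"

# Known-safe landing page used whenever the supplied target is rejected.
FALLBACK_PATH = "/"

# Constructed example: turn a request-controlled "return_to" value into a
# redirect target that cannot leave +current_host+.
#
# Accepted: relative paths ("/account") and absolute http(s) URLs whose host
# equals +current_host+ (reduced to their path and query).
# Rejected (fallback returned): other hosts, protocol-relative "//host" forms,
# backslash variants browsers may read as "//", userinfo tricks
# ("https://good@evil"), and non-http(s) schemes.
def safe_redirect_target(candidate, current_host)
  return FALLBACK_PATH if candidate.nil? || candidate.strip.empty?

  # Some browsers treat "\" like "/", so "/\evil.example" would otherwise
  # pass as a relative path; normalize before inspecting it.
  normalized = candidate.strip.gsub("\\", "/")

  # Protocol-relative targets are never accepted, even for our own host;
  # this also covers "///evil.example" style inputs.
  return FALLBACK_PATH if normalized.start_with?("//")

  begin
    uri = URI.parse(normalized)
  rescue URI::InvalidURIError
    return FALLBACK_PATH
  end

  # Only http(s) or scheme-less targets may be followed.
  if uri.scheme && !%w[http https].include?(uri.scheme.downcase)
    return FALLBACK_PATH
  end

  # An explicit host must be exactly the host we are serving on.
  if uri.host && uri.host.downcase != current_host.downcase
    return FALLBACK_PATH
  end

  path = uri.path.to_s
  path = "/" if path.empty?
  # After the checks above a same-host absolute URL is reduced to its path,
  # so the result is always a local path the app can redirect to.
  return FALLBACK_PATH unless path.start_with?("/")

  uri.query ? "#{path}?#{uri.query}" : path
end

if __FILE__ == $PROGRAM_NAME
  host = "example.com"
  ["/account", "https://example.com/account?tab=1", "https://evil.example/x",
   "//evil.example/x", "/\\evil.example", "https://example.com@evil.example/",
   "javascript:void(0)"].each do |input|
    puts "#{input.inspect} -> #{safe_redirect_target(input, host).inspect}"
  end
end
```

The design choice worth noting is that the helper returns a path rather than a boolean: callers cannot forget to act on a failed check, and the redirect target is rebuilt from validated parts instead of being passed through.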

# Repository path

The generated metadata points to `critiq-rules/libs/rules/catalog/rules/ruby/ruby.security.rails-open-redirect.rule.yaml`.