security.input-validation

Open redirect via request-controlled target

Redirect and navigation sinks should not use request-controlled destinations without validation.

#Metadata

#Why it matters

Redirect targets that are derived from user input can send authenticated users to attacker-controlled destinations.

#Remediation

Normalize the target to an internal path or validate it against a trusted origin allowlist before redirecting.
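One way to implement this remediation in TypeScript, shown as an added example that is not part of the rule or its catalog. `safeRedirectTarget`, `APP_ORIGIN`, `TRUSTED_ORIGINS`, `FALLBACK` and the `example.com` hosts are assumed names and constructed values.

```typescript
// Added example: names and hosts below are constructed, not taken from the rule.
const APP_ORIGIN = "https://app.example.com";
const TRUSTED_ORIGINS: ReadonlySet<string> = new Set([
  APP_ORIGIN,
  "https://accounts.example.com",
]);
const FALLBACK = "/";

// Returns a value that is safe to hand to a redirect sink: an internal path,
// a full URL on an allowlisted origin, or FALLBACK.
function safeRedirectTarget(raw: unknown): string {
  if (typeof raw !== "string" || raw.length === 0) return FALLBACK;
  // Backslashes and control characters are normalised differently by
  // different URL parsers, so refuse them instead of guessing.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return FALLBACK;

  let url: URL;
  try {
    // Resolving against APP_ORIGIN turns relative paths into absolute URLs,
    // so every input form goes through the same origin comparison.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return FALLBACK;
  }
  if (url.protocol !== "https:") return FALLBACK;
  if (url.username !== "" || url.password !== "") return FALLBACK;
  // Compare the parsed origin exactly; prefix or substring checks on the raw
  // string accept look-alike hosts.
  if (!TRUSTED_ORIGINS.has(url.origin)) return FALLBACK;

  // Same-origin targets are reduced to an internal path.
  if (url.origin === APP_ORIGIN) return url.pathname + url.search + url.hash;
  return url.href;
}

// Constructed inputs, as they might arrive in a `next` query parameter.
const SAMPLES: unknown[] = [
  "/dashboard?tab=1",
  "https://app.example.com/settings#profile",
  "https://accounts.example.com/logout",
  "//other.example/path",
  "https://app.example.com.other.example/",
  undefined,
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```

Pass the returned value, never the raw request parameter, to the redirect or navigation call.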

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.open-redirect.rule.yaml.