Unvalidated redirect_back false negatives

[mattyb]

Background

Rails Version: 6.1.7.7
Brakeman Version: 6.1.2
Ruby Version: 3.1.5

Issue

Checks for redirect_back were added in #1756. Currently, calls to redirect_back without allow_other_hosts: true are allowed if fallback_location is specified. Setting fallback_location however does not prevent an attack via the Referer header. As documented here, fallback_location is only used if Referer is not set.

Note that in Rails >=7.0 this protection can also be handled via configuration https://guides.rubyonrails.org/configuring.html#config-action-controller-raise-on-open-redirects

[presidentbeef]

Hm, okay, I think I am following.

🤔 Under what circumstances would an attacker be controlling the Referer header and need to abuse an open redirect?

Note that in Rails >=7.0 this protection can also be handled via configuration

Yes, Brakeman checks this config.

[mattyb]

There's additional discussion in rails/rails#39643. I haven't validated myself, but some googling gave an example exploit here https://trustfoundry.net/2016/08/23/referer-redirection-inconspicuous-danger/