Open Redirect in Actix with Cockroachdb

An Open Redirect in an Actix web service that uses Cockroachdb as the backend datastore occurs when an application accepts a user-controlled URL or location parameter and uses it to redirect the client without validation. If the redirect target is derived from or influenced by data stored in Cockroachdb, the vulnerability is compounded because an attacker may manipulate database records or inject malicious URLs that the application later trusts.

Consider an Actix endpoint that reads a redirect URL from a Cockroachdb row (for example, a post-login "return to" URL). If the application does not validate or restrict the stored URL, an attacker who can write to the database (via other means such as SQL injection or compromised admin workflows) can set a malicious redirect target. When the Actix handler later reads this value and performs an HTTP redirect, users are sent to an attacker-controlled site. This is especially dangerous when the redirect is part of authentication flows, OAuth callbacks, or multi-step onboarding where trust is implicitly placed in the stored configuration.

Even without direct database write access, an Open Redirect can occur if the Actix handler uses request parameters to build a redirect and also queries Cockroachdb to verify some condition (e.g., checking that the target URL is whitelisted). If the validation logic is incomplete or relies on client-supplied data that is later compared against database values, an attacker can bypass checks by supplying a URL that passes the initial check but redirects to a malicious site when resolved against stored patterns or canonicalization rules.

In a typical Actix implementation, the handler might look up tenant-specific redirect settings from Cockroachdb. If the tenant configuration is not scoped strictly to the requesting user or service, one tenant could read another tenant’s redirect URL and use it to launch phishing campaigns. Because Cockroachdb is strongly consistent and supports complex queries, developers may assume that what they read is authoritative and safe, inadvertently trusting data that may have been tampered with or improperly isolated.

An attacker may also probe the API with crafted URLs to identify which parameters are reflected in redirects and whether they are validated against Cockroachdb records. Successful exploitation leads to phishing, credential theft via intermediate pages, or abuse of referral programs. Because the redirect decision involves both runtime request data and persisted data in Cockroachdb, it becomes a multi-vector issue that requires controls at both the application logic and data integrity layers.

To remediate Open Redirect in Actix when using Cockroachdb, validate and constrain all redirect targets against a strict allowlist or enforce a safe base URL. Avoid using raw values from database rows or request parameters as the sole source of truth for redirection. Use typed configuration and ensure tenant isolation is enforced in queries.

Example: Define a safe set of redirect paths and resolve identifiers to URLs server-side instead of storing raw external URLs in Cockroachdb.

use actix_web::{web, HttpResponse, Responder};
use cockroachdb_rs::{Client, Row};
use serde::{Deserialize, Serialize};

#[derive(Deserialize)]
struct RedirectRequest {
    redirect_key: String,
}

#[derive(Serialize)]
struct ApiResponse {
    url: String,
}

/// Safely resolve a redirect key to a canonical URL without using user-controlled redirects.
async fn safe_redirect_handler(
    req: web::Json,
    db_client: web::Data,
) -> impl Responder {
    // Parameterized query to enforce tenant scoping and avoid injection.
    let query = "SELECT path, tenant_id FROM redirect_config WHERE key = $1 AND tenant_id = $2";
    let rows: Vec = db_client
        .query(query, &[&req.redirect_key, &get_current_tenant_id()])
        .await
        .map_err(|e| actix_web::error::ErrorBadRequest(e.to_string()))?;

    let row = rows.first().ok_or_else(|| actix_web::error::ErrorNotFound("Not found"))?;
    let path: String = row.get(0);
    // Construct a safe, canonical URL; never use raw external input as the redirect target.
    let canonical_url = format!("https://app.example.com{}", path);
    HttpResponse::Found()
        .insert_header(("Location", canonical_url.as_str()))
        .finish()
}

async fn get_current_tenant_id() -> String {
    // In practice, derive tenant from JWT, session, or request context.
    "tenant-abc123".to_string()
}

If you must store redirect URLs in Cockroachdb, enforce strict validation and normalization before storing and before using them in a redirect. For example, allow only same-host URLs or known external domains, and use a server-side mapping rather than raw user input.

use url::Url;

/// Validate that a URL is allowed (same host or in allowlist) before storing or redirecting.
fn is_redirect_allowed(input: &str, allowed_domains: &[&str]) -> bool {
    let parsed = match Url::parse(input) {
        Ok(u) => u,
        Err(_) => return false,
    };
    if parsed.scheme() != "https" {
        return false;
    }
    let host = match parsed.host_str() {
        Some(h) => h,
        None => return false,
    };
    // Only allow same host or explicitly approved external domains.
    host == "app.example.com" || allowed_domains.contains(&host)
}

// Example usage in Actix extractor or handler validation.
let candidate = "https://app.example.com/dashboard";
if !is_redirect_allowed(candidate, &["trusted.partner.com"]) {
    return HttpResponse::BadRequest().body("Invalid redirect target");
}

Additionally, ensure that your Cockroachdb queries use parameterized statements to avoid SQL injection, which could otherwise allow an attacker to poison redirect configurations. Combine these measures with server-side mapping of keys to URLs to ensure that the Actix application never directly reflects untrusted input into a Location header.