Open Redirect in Echo Go with Api Keys

An open redirect in an Echo Go service that uses API keys occurs when a handler accepts a user-controlled URL or host value and performs an HTTP redirect without validating or restricting the destination. If the handler also requires an API key for authorization, the combination can expose a redirect that bypasses intended access controls. An API key may be passed as a header or query parameter; if the application uses the key only to allow the request to proceed but does not enforce that the key owner is allowed to redirect to arbitrary external hosts, the key becomes a mechanism that enables authenticated users to cause clients to follow malicious redirects.

For example, an endpoint like /next might accept an api_key header and a url query parameter. If the handler validates the presence of the key but does not validate or restrict the url value, an authenticated caller can supply a key and point the redirect to any external domain, such as https://evil.com. This can lead to phishing or client-side exploits, because the API key signals legitimacy to the client, and the redirect appears to originate from a trusted service. In the context of API security scanning, this pattern is flagged because it can manipulate authenticated clients without their knowledge.

Echo Go handlers should treat redirect targets as untrusted input, even when an API key is present. Attack patterns such as this are included in the OWASP API Top 10 (e.g., Broken Object Level Authorization and Improper Neutralization of Components During Construction), and scanners like middleBrick test for open redirects alongside API key usage to surface cases where authenticated endpoints still perform unsafe redirects.

Remediation focuses on strict validation of redirect destinations and ensuring API key checks enforce authorization context, not just authentication. Do not rely on the presence of an API key to decide whether a redirect is safe. Instead, use an allowlist of trusted hosts or paths, and avoid using user-supplied values directly in redirects.

Example of vulnerable code:

package main

import (
	"net/http"
	"strings"

	"github.com/labstack/echo/v4"
)

func unsafeNext(c echo.Context) error {
	apiKey := c.Request().Header.Get("X-API-Key")
	if apiKey == "" {
		return echo.NewHTTPError(http.StatusUnauthorized, "missing api_key")
	}
	// Key validated, but destination is uncontrolled
	url := c.QueryParam("url")
	if url == "" {
		return echo.NewHTTPError(http.StatusBadRequest, "missing url")
	}
	// Dangerous: open redirect
	return c.Redirect(http.StatusFound, url)
}

Fixed version with host allowlist and safe redirect handling:

package main

import (
	"net/url"
	"net/http"

	"github.com/labstack/echo/v4"
)

var allowedRedirectHosts = map[string]bool{
	"app.example.com": true,
	"app.example.org": true,
}

func safeNext(c echo.Context) error {
	apiKey := c.Request().Header.Get("X-API-Key")
	if apiKey == "" {
		return echo.NewHTTPError(http.StatusUnauthorized, "missing api_key")
	}
	// Key validated; ensure key usage is authorized for this action
	// (e.g., check scopes or key ownership against a store)
	raw := c.QueryParam("next")
	if raw == "" {
		return echo.NewHTTPError(http.StatusBadRequest, "missing next parameter")
	}
	parsed, err := url.Parse(raw)
	if err != nil {
		return echo.NewHTTPError(http.StatusBadRequest, "invalid url")
	}
	// Restrict to same host or explicitly allowed hosts
	if parsed.Host == "" {
		return echo.NewHTTPError(http.StatusBadRequest, "invalid host")
	}
	if !allowedRedirectHosts[parsed.Host] {
		return echo.NewHTTPError(http.StatusBadRequest, "redirect not allowed")
	}
	// Ensure no path traversal or unexpected behavior
	parsed.Path = path.Clean("/" + parsed.Path)
	return c.Redirect(http.StatusFound, parsed.String())
}

Additional measures include using relative redirects when possible, returning a 200 with a client-side navigation hint instead of an HTTP redirect, and logging suspicious redirect attempts for monitoring. These practices reduce the risk that an API key enables abuse via open redirects.