HIGH open redirectrestifycockroachdb

Open Redirect in Restify with Cockroachdb

Scan for open redirect in restify

Open Redirect in Restify with Cockroachdb — how this specific combination creates or exposes the vulnerability

An Open Redirect in a Restify service that uses Cockroachdb as a backend can occur when an endpoint accepts a user-supplied URL or hostname and uses it to construct a redirect response without strict validation. If the redirect target is derived from request query parameters and later combined with database values from Cockroachdb—such as a tenant-specific callback URL stored in a row—attackers can inject malicious destinations.

In a typical pattern, a Restify handler might read a redirect_to query parameter and a tenant ID, then fetch tenant configuration (including a base URL) from Cockroachdb. If the handler trusts the stored base URL or concatenates user input with database values to form the final Location header, an attacker who can poison the Cockroachdb-stored URL (via compromised admin UI or SQL injection leading to incorrect data) can cause the Restify service to redirect victims to arbitrary sites.

The risk is amplified when the Restify service exposes unauthenticated endpoints (black-box scanning) and returns 3xx responses with Location values derived from external data. Because middleBrick scans test for BOLA/IDOR and Property Authorization across 12 checks, it can detect whether redirect parameters are subject to tampering or missing allowlists. Even without authentication, an attacker may probe for open redirect behavior by supplying paths like /login?redirect_to=https://evil.com and observing whether the response performs a redirect.

Open Redirect undermines trust in the domain and can be used for phishing lures. While Restify does not inherently introduce the flaw, the combination with Cockroachdb-stored configuration and dynamic redirect construction creates a chain where untrusted data flows from the database through the HTTP layer into the Location header.

Cockroachdb-Specific Remediation in Restify — concrete code fixes

Remediation centers on strict validation of redirect targets and isolating database-driven URLs from user-controlled input. Never directly use values from Cockroachdb rows to set the Location header without allowlisting or normalization. Below are concrete Restify handlers with safe patterns and working Cockroachdb examples.

Safe redirect with allowlist and static mapping

Use a predefined map of allowed destinations keyed by an enum or slug stored in Cockroachdb, rather than storing full redirect URLs. This ensures that even if a row is compromised, the attacker cannot redirect to arbitrary sites.

const Fastify = require('restify');
const postgres = require('postgres');

const client = postgres({ connectionString: 'postgresql://user:pass@host:26257/db' });

const server = Fastify();

// Cockroachdb schema: CREATE TABLE redirect_targets (id INT PRIMARY KEY, slug STRING, path STRING);
// Example rows: (1, 'dashboard', '/app/dashboard'), (2, 'docs', '/docs/guide')

server.get('/login', async (req, reply) => {
  const { slug } = req.query; // e.g., /login?slug=dashboard
  const allowed = await client.sql`SELECT path FROM redirect_targets WHERE slug = ${slug} AND enabled = true`;
  if (!allowed.length) {
    return reply.send({ error: 'invalid_redirect' });
  }
  return reply.code(302).header('Location', allowed[0].path).send();
});

server.listen({ port: 8080 }, err => {
  if (err) console.error(err);
});

Validate external URLs against tenant-specific allowlist

If you must store full URLs in Cockroachdb, enforce that they belong to a tenant-controlled origin. Compare the parsed hostname against a list of approved domains per tenant.

const url = require('url');

server.get('/oauth/callback', async (req, reply) => {
  const { tenant_id, next } = req.query;
  const tenant = await client.sql`SELECT allowed_redirect_hosts FROM tenants WHERE id = ${tenant_id}`;
  if (!tenant.length) return reply.code(404).send();

  const allowedHosts = JSON.parse(tenant[0].allowed_redirect_hosts); // e.g., ["app.example.com", "docs.example.com"]
  const target = url.parse(next);

  if (!allowedHosts.includes(target.hostname)) {
    return reply.code(400).send({ error: 'redirect_not_allowed' });
  }
  return reply.code(302).header('Location', next).send();
});

Use absolute path redirects when possible

Instead of storing full URLs in Cockroachdb, store paths and construct Location using the request’s origin to avoid host confusion.

server.get('/return', async (req, reply) => {
  const { page } = req.query;
  const pages = await client.sql`SELECT path FROM pages WHERE slug = ${page}`;
  if (!pages.length) return reply.code(404).send();
  const origin = req.headers.host ? `https://${req.headers.host}` : '';
  return reply.code(302).header('Location', new URL(pages[0].path, origin).toString()).send();
});

These patterns ensure that user-influenced data does not directly dictate the Location header. By validating against Cockroachdb-stored allowlists and normalizing inputs, you mitigate Open Redirect while preserving dynamic routing needs.

Scan for open redirect in restify Free API security scan

Frequently Asked Questions

Can an open redirect in Restify be used for phishing even if Cockroachdb values are sanitized?
Yes, if user-controlled query parameters or headers are concatenated with sanitized database values without strict allowlisting, attackers can still inject malicious hosts. Always validate the final Location against a strict allowlist.
Does middleBrick detect open redirects in Restify APIs that use Cockroachdb?
middleBrick tests for open redirect behavior as part of its Property Authorization and Input Validation checks. It identifies whether Location headers can be influenced by user-supplied data and provides remediation guidance.

Related Pages

Open Redirect in RestifyLearn how open redirect vulnerabilities manifest in Restify applications, how to detect them with middleBrick's scanner,Open Redirect in CockroachdbLearn how open‑redirect flaws can appear in CockroachDB‑backed apps, how to detect them with middleBrick, and how to fixCis: Open RedirectLearn how Cis techniques enable Open Redirect attacks, how to detect them with middleBrick, and implement fixes using alOpen Redirect in Restify on CloudflareOpen redirect in Restify behind Cloudflare: causes, secure coding patterns, and header validation guidance.Pci Dss: Open Redirect in RestifymiddleBrick scans API endpoints for open redirect risks in Restify, providing PCI DSS-aligned findings and secure codingSoc2: Open Redirect in RestifyExplore Soc 2 risks in Restify Open Redirect: detection patterns and secure coding examples for resilient API design.Iso 27001: Open Redirect in RestifyExplore open redirect risks in Restify services through an ISO 27001 lens, with secure code examples and remediation guiCis: Open Redirect in RestifyCis in Open Redirect with Restify and Restify-specific remediation examples showing secure validation and host allowlistOpen Redirect in Restify with Mutual TlsOpen redirect risks in Restify with mTLS, validation guidance, and secure code examples for redirect handling.Open Redirect in Restify with Api KeysOpen redirect in Restify with Api Keys: risk pattern, remediation examples, and secure validation techniques.Open Redirect in Restify with Bearer TokensLearn how open redirect vulnerabilities arise in Restify when Bearer tokens are mishandled, and apply concrete validatioOpen Redirect in Restify with Hmac SignaturesOpen redirect in Restify with Hmac Signatures: how it arises and how to remediate with strict redirect validation and Hm