labmlai
Detect open linking - url_for(params) without only_path or host
I sometimes use this pattern when linking to the same version of a page, but with a parameter changed (for example, linking to the same page in a different locale).
url_for(params.except(:locale).merge({:locale => locale)
An attacker can pass ?host=evilsite.com to the linking page which will make my link point to their site. I can fix this by including :only_path => true or :host => 'mysite.com'. Just as brakeman checks for open redirects when using redirect_to it also should check for open linking when using url_for and similar methods.
Hi Jason,
Sounds like a good idea to me, but isn't it more common to use link_to?
I lied in the above comment, I'm actually making a <link rel="alternate">, which is why I mentionned url_for rather than link_to. This seems like it would be a good idea for both of those methods, and anything else simmilar.