← all rules
code/js-open-redirect
Open redirect: res.redirect with user-controlled URL
What it detects
Redirecting to a URL derived from the request allows attackers to craft phishing links that look genuine. Validate against an allowlist or relative paths only.
How it runs
Applied line-by-line via a tagged regex with language-specific gating. Comments are skipped. Designed for high-confidence patterns where AST parsing would be overkill.
Found a false positive or want this rule tuned? File an issue. You can also suppress per-repo via a .repoguardignore line.