Insecure page redirects
Why is this an issue?
This rule identifies potential security vulnerabilities known as open redirects.
If an application allows user-controlled input to dictate the destination of a redirect without validation, an attacker can manipulate that input. They can redirect users from your trusted Salesforce domain to a malicious site. This is frequently used in phishing attacks to steal credentials, as the user trusts the initial link pointing to your domain.
Examples
This rule flags any PageReference constructed from user-controlled input. The following sources are considered user input:
- Visualforce page parameters via ApexPages.currentPage().getParameters()
- Aura/LWC controller parameters on methods annotated with @AuraEnabled
- REST API inputs via RestContext.request or @HttpPost/@HttpGet method parameters
Visualforce page parameters
Example of incorrect code:
public PageReference redirectUser() {
    // Violation: User input is passed directly to PageReference
    String url = ApexPages.currentPage().getParameters().get('url');
    return new PageReference(url);
}
Example of correct code:
public PageReference redirectUser() {
    String url = ApexPages.currentPage().getParameters().get('url');
    // Fixed: The path is forced to be relative to the current domain
    return new PageReference('/' + url);
}
Aura/LWC controller parameters
Example of incorrect code:
@AuraEnabled
public static PageReference navigate(String destination) {
    // Violation: The Aura parameter is used directly in PageReference
    return new PageReference(destination);
}
Example of correct code:
@AuraEnabled
public static PageReference navigate(String destination) {
    // Fixed: The path is forced to be relative to the current domain
    return new PageReference('/' + destination);
}
REST API inputs
Example of incorrect code:
@RestResource(urlMapping='/redirect/*')
global class RedirectService {
    @HttpPost
    global static void doPost(String targetUrl) {
        // Violation: REST parameter is used directly in PageReference
        PageReference page = new PageReference(targetUrl);
    }
}
Example of correct code:
@RestResource(urlMapping='/redirect/*')
global class RedirectService {
    @HttpPost
    global static void doPost(String targetUrl) {
        // Fixed: The path is forced to be relative to the current domain
        PageReference page = new PageReference('/' + targetUrl);
    }
}
How can I fix violations?
To resolve this issue, you must ensure the redirect targets a resource within your own application (a local redirect).
When prepending a slash to force a relative path, the '/' literal must be the left-most operand of the concatenation. For example, new PageReference('/' + userInput) is recognized as safe, but new PageReference(userInput + '/' + otherValue) is not, because the user-controlled value still comes first.
If you must redirect to an external URL, you should validate the input against a strict allow-list of trusted domains before creating the PageReference.
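The allow-list approach described above, written out as an added example (not code from the rule documentation or from Salesforce): a small helper that accepts either a local path or an external URL whose host is on a trusted list, and falls back to a safe default otherwise. The class name SafeRedirect, the helper name forTarget and the host names in the allow-list are assumptions; as an extra hardening step the local-path branch also rejects protocol-relative '//' prefixes, which browsers interpret as a different host.

```apex
public with sharing class SafeRedirect {
    // Constructed allow-list of trusted external hosts (assumption: replace with your own).
    private static final Set<String> TRUSTED_HOSTS = new Set<String>{
        'help.example.com',
        'docs.example.com'
    };
    // Safe destination used whenever the input is missing, malformed or not trusted.
    private static final String FALLBACK = '/';

    // Returns a PageReference that is either local to this org or points at a trusted host.
    public static PageReference forTarget(String target) {
        if (String.isBlank(target)) {
            return new PageReference(FALLBACK);
        }
        // Local redirect: a single leading '/' keeps the browser on the current domain.
        // Reject '//' and '/\' prefixes, which would be treated as protocol-relative URLs.
        if (target.startsWith('/') && !target.startsWith('//') && !target.startsWith('/\\')) {
            return new PageReference(target);
        }
        // External redirect: parse the URL and compare its host against the allow-list.
        try {
            Url parsed = new Url(target);
            String host = parsed.getHost();
            if (parsed.getProtocol() == 'https'
                && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase())) {
                return new PageReference(target);
            }
        } catch (Exception e) {
            // Malformed or scheme-less input (e.g. 'evil.example/x'): fall through to the default.
        }
        return new PageReference(FALLBACK);
    }
}

// Usage from the Visualforce controller shown earlier on this page (assumed wiring):
//   String url = ApexPages.currentPage().getParameters().get('url');
//   return SafeRedirect.forTarget(url);
```

Because the value handed to PageReference is only ever a validated local path, a validated trusted URL or the constant fallback, the user-controlled string never reaches the constructor unchecked.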
When should I disable this rule?
You may need to dismiss specific violations or disable this rule if your application has a legitimate business requirement to redirect users to arbitrary external websites, or if you are using complex validation logic that static analysis cannot detect.