ast/open-redirect-user-url

Open redirect: response.redirect called with user-controlled URL

high · AST · open-redirect · CWE-601 · js · ts

What it detects

A redirect target was sourced from req.body, req.query, req.params, req.headers, ctx.request, or `userInput`. Attackers craft links like /login?next=https://evil.example.com that bounce the victim through your trusted domain and onto a phishing page. Validate the redirect target against an allow-list of paths or hosts before issuing the redirect; for relative paths, also check that the value starts with '/' but not '//' (a protocol-relative URL, which the browser resolves to another host).
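As an added example (not part of this rule page or the scanner's own code), the validation the message above asks for, shown as an Express-style handler in the vulnerable shape the rule flags next to its hardened form. The allow-list hosts, `safeRedirectTarget` and both handlers are constructed for illustration; the check additionally rejects a leading `/\`, which browsers normalise to `//`.

```javascript
// Constructed allow-list of hosts we are willing to send users to.
const ALLOWED_HOSTS = new Set(['app.example.com', 'accounts.example.com']);
const FALLBACK = '/';

// Returns a value that is safe to pass to res.redirect, or FALLBACK when the
// user-supplied target is absent, malformed, or points off-site.
function safeRedirectTarget(next, allowedHosts = ALLOWED_HOSTS) {
  if (typeof next !== 'string' || next.length === 0) return FALLBACK;

  // Relative path: must start with '/' but not '//' (protocol-relative).
  // '/\' is rejected too: browsers treat the backslash as a slash.
  if (next.startsWith('/')) {
    if (next.startsWith('//') || next.startsWith('/\\')) return FALLBACK;
    return next;
  }

  // Anything else must parse as an absolute http(s) URL whose hostname is on
  // the allow-list. Parsing catches 'user@host' tricks and look-alike hosts.
  let url;
  try {
    url = new URL(next); // global in Node.js and browsers
  } catch (_err) {
    return FALLBACK;     // e.g. 'evil.example.com' without a scheme
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return FALLBACK;
  if (!allowedHosts.has(url.hostname)) return FALLBACK;
  return url.href;
}

// The shape this rule reports: req.query flows straight into the redirect.
function vulnerableLogin(req, res) {
  res.redirect(req.query.next);
}

// Hardened shape: validate first, fall back to '/' otherwise.
function hardenedLogin(req, res) {
  res.redirect(safeRedirectTarget(req.query.next));
}
```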

How it runs

Each scanned file is parsed with the TypeScript Compiler API (via ts-morph). This rule walks the AST looking for the call shape and user-input flow described above. Files larger than 200 KB, or that fail to parse, are skipped.

Found a false positive or want this rule tuned? File an issue. You can also suppress it per repository with a line in .repoguardignore.