Install command
Not provided
Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target.
Open the source and read safety notes before installing.
Source-backed facts for citing this resource, derived directly from the registry — also available as plain text for AI assistants.
Decision playbook
Signals are present but mixed. Use the checklist below to confirm the source and operational safety for your environment.
0
78
—
No baseline selected
No major trust-signal divergence detected in the current selection.
Confirm ownership and provenance before trusting install instructions.
Source link availableRequired
Open the canonical repository and verify ownership.
Source provenance statusRequired
Marked as source-backed.
Metadata reviewed
Registry metadata indicates a reviewed listing.
Validate risk disclosures before installation or API wiring.
Safety notes presentRequired
Review the listed safety guidance before running commands.
Privacy notes presentRequired
Review data handling notes before connecting accounts or secrets.
Trust level risk gateRequired
Trust level does not block evaluation.
Check package metadata and artifact integrity signals.
Install payload available
Install or copy payload is available for review.
Package verification flag
No package verification flag provided.
Checksum metadata
No checksum provided for downloaded artifact.
Use compare context to validate trade-offs before adoption.
Compare tray has multiple entries
Add at least one more entry to compare trust differences.
Baseline comparison available
No baseline peer selected yet.
Diverging trust signals identified
No major trust-signal divergence found.
Setup at a glance
Copy-ready — paste the snippet to get started.
Install command
Not provided
Config snippet
Not provided
Copy snippet
Provided
Prerequisites
4 to clear
Platforms
1 listed
Install type
Copy & paste
Adoption plan
Current risk score 16/100. Use staged verification before broader rollout.
Validate source and review signals before any execution.
Confirm source provenanceRequired
Source URL/provenance metadata is present.
Confirm metadata review state
Listing has review metadata.
Verify install payload
Install/config payload exists and can be inspected.
Confirm safety, privacy, and package integrity signals.
Review safety notesRequired
Safety notes are present.
Review privacy notesRequired
Privacy notes are present.
Verify package integrity metadata
No package verification/checksum metadata.
Adopt in controlled steps based on the selected plan.
Run in isolated sandbox firstRequired
Use a constrained sandbox and observe behavior across multiple tasks.
Roll out graduallyRequired
Roll out to a small cohort before wider usage.
Set monitoring and fallback
Define rollback path and monitor errors after adoption.
Evidence readiness
Required evidence gates are covered (5/6 signals complete).
Source repository/provenance is listed.
Required in this preset
Review metadata is present.
Required in this preset
Safety notes are present.
Required in this preset
Privacy notes are present.
Optional in this preset
Package integrity metadata is missing.
Optional in this preset
Install payload is available.
Required in this preset
Required evidence gates are covered for this preset.
Decision timeline
5/6 steps complete with no blocking gaps for this preset.
triage
Source/provenance metadata is available.
triage
Review metadata is available.
verify
Safety notes are available.
verify
Privacy notes are available.
verify
Package integrity metadata is missing.
rollout
Install payload is available.
No required blockers for this timeline preset.
Prerequisite readiness
4 prerequisites to line up before setup.
Safety & privacy surface
3 safety and 2 privacy notes across 4 risk areas. Review closely: credentials & tokens, network access.
You are reviewing AI-generated code for open redirect (unvalidated
redirect/forward) risk.
Rules:
1. Identify every redirect or forward whose destination is built from
request input — a query parameter (`?url=`, `?next=`, `?returnUrl=`,
`?redirect=`), a form field, a header, or a stored value the user can
set — rather than a hardcoded, developer-chosen destination.
2. Prefer not taking a destination from the client at all: use a fixed
redirect target, or an indexed/enum mapping (`"dashboard"` ->
`/app/dashboard`) where the client sends a key, not a URL.
3. When a caller-supplied return destination is genuinely required (for
example a post-login redirect), restrict it to a relative, same-origin
path and reject any value that is an absolute URL, starts with `//`
(protocol-relative), or contains a scheme (`http:`, `https:`,
`javascript:`, etc.).
4. If an absolute URL destination is unavoidable, validate the host
against an explicit allowlist of trusted domains — do not accept "the
path contains our domain name" or a prefix/substring check, since
`evil.com/mysite.com` and `mysite.com.evil.com` both satisfy a naive
substring check.
5. Treat this as more than a phishing issue: an unvalidated redirect can
also be chained to bypass an allowlist-based access control check (a
WAF or gateway that trusts the first hop) or to forward a user to a
privileged internal endpoint they should not reach directly.
6. Confirm any code that runs after the redirect call actually stops
(`return`/`exit`/equivalent) — in some languages the redirect response
header can be set without halting execution, letting the rest of the
handler run for a client that ignores the redirect.Use these rules when an AI coding assistant writes or edits code that redirects or forwards a request to a URL influenced by user input. The goal is to stop a generated "return to previous page," post-login redirect, or similar feature from becoming an open redirect that phishing campaigns or access-control bypasses can exploit.
This is a review policy, not an open-redirect tutorial. It tells reviewers what must be true about a generated redirect's destination handling before the change is safe to merge.
Collect enough context to know where a redirect destination comes from and where it can send a user.
//
(protocol-relative, which browsers treat as absolute), or contain a
scheme such as http:, https:, or javascript:..includes()/prefix check on the whole URL string.Location header does
not itself halt the rest of the function, so code intended to run "after
redirect" can still execute for a client that doesn't follow it.Block merge when any of these is true.
.includes() check on the
trusted domain instead of parsing the URL and comparing the actual host.// or containing a scheme (javascript:, https:, etc.) are rejected as relative paths"}AI assistants can write and review redirect logic, but they should show their evidence.
//evil.example) destination is rejected,
not just that the happy-path destination works.Before adding a new redirect destination check, confirm the codebase does not already have a shared "safe redirect" helper or allowlist. A generated change that builds a new ad hoc validation next to an existing shared helper should be treated as suspicious — check whether the existing mechanism was simply not reused before introducing a second, potentially inconsistent one.
| Pattern | Risk | Fix |
|---|---|---|
redirect(request.params.url) |
Destination fully attacker-controlled | Indexed mapping or relative-path-only restriction |
url.includes("trusted.com") |
trusted.com.evil.com and similar bypass it |
Parse URL, compare exact host against an allowlist |
| Login return URL from query string, unchecked | Chainable with credential phishing | Same-origin relative path only for auth-flow redirects |
//evil.example accepted as "relative" |
Browsers treat // as protocol-relative (absolute) |
Reject any destination starting with // |
Code after sendRedirect/header("Location") |
May still execute if the client ignores the redirect | Explicit return/exit immediately after issuing it |
Show that AI-Generated Open Redirect Review Rules is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/rules/ai-generated-open-redirect-review-rules)AI-Generated Open Redirect Review Rules side by side with 3 alternatives on trust, install, platform support, and disclosed safety notes — all from reviewed registry metadata.
1 trust signal differ across this comparison (Submitter).
| Field | Source-backed rules for reviewing AI-generated redirect and forward logic before merge for open redirect risk, covering allowlist-based destination validation, relative-path/indexed-mapping alternatives to raw URLs, and the privilege-escalation and phishing impact of an unvalidated redirect target. Open dossier | Source-backed rules for reviewing AI-generated request handlers and forms before merge for cross-site request forgery risk, covering state-changing method discipline, anti-CSRF token correctness, SameSite cookie posture, origin and referer checks, and safe handling of cookie-based sessions. Open dossier | Source-backed rules for reviewing AI-generated code that deserializes data before merge for insecure deserialization risk, covering native serialization formats (pickle, PyYAML, Java Serializable) that can execute arbitrary code on untrusted input, safe data-interchange alternatives, and class allowlisting/integrity checks when native formats can't be avoided. Open dossier | Source-backed rules for reviewing AI-generated code that binds request parameters to model/entity objects before merge for mass assignment risk, covering allowlist field binding, DTOs that exclude sensitive fields, and the framework-specific autobinding features that make this easy to introduce by default. Open dossier |
|---|---|---|---|---|
| Next steps | ||||
| Trust | ||||
| Review status | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed | ReviewedMaintainer reviewed |
| Package trust | Package not verified | Package not verified | Package not verified | Package not verified |
| Source provenance | Source-backed | Source-backed | Source-backed | Source-backed |
| SubmitterDiffers | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Install risk | Review first | Review first | Review first | Review first |
| Notes | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ | Safety ✓ Privacy ✓ |
| Brand | — | — | — | — |
| Category | rules | rules | rules | rules |
| Source | source-backed | source-backed | source-backed | source-backed |
| Author | lourincedaging0-commits | jaso0n0818 | lourincedaging0-commits | lourincedaging0-commits |
| Added | 2026-07-15 | 2026-06-22 | 2026-07-15 | 2026-07-15 |
| Platforms | Claude Code | Claude Code | Claude Code | Claude Code |
| Source repo | — | — | — | — |
| Safety notes | ✓An open redirect lets an attacker craft a link that appears to point at the trusted site but silently forwards the victim to an attacker-controlled page, commonly used to make phishing links look more credible or to complete an OAuth/SSO flow against a fake page. AI assistants often implement a 'return to where you came from' or 'next page' feature by echoing a raw URL parameter straight into a redirect, because it is the shortest working implementation and the happy path (a same-site link) looks correct. A naive fix that checks whether the destination string 'contains' the trusted domain is not sufficient — `https://trusted.com.attacker.com` and `https://attacker.com/?trusted.com` both pass a substring check while pointing off-site. | ✓A missing CSRF defense lets a malicious page perform state-changing actions as a logged-in user — transferring funds, changing email or password, or deleting data — using the victim's ambient cookies. AI assistants often generate handlers that work in tests yet omit token validation or perform state changes on GET, because the happy path succeeds without any forged cross-site request. Relying on SameSite cookies alone is not sufficient: defaults vary, Lax still allows top-level GET navigations, and some clients or legacy browsers do not enforce it. | ✓Deserializing untrusted data with a native format's full-featured API (pickle, unsafe YAML, Java Serializable, PHP unserialize) can cause denial-of-service or remote code execution — the vulnerability triggers during deserializing itself, before any application logic runs on the result. AI assistants often reach for the most convenient deserialization call (pickle for Python object graphs, yaml.load for config-like YAML, ObjectInputStream for Java) without checking whether the input is trusted, since developer-controlled test data works regardless of which API is used. An integrity check (signature/MAC) added after deserialization already ran does not help — the attack happens during deserialization, so the check must gate the deserialization call itself, not just the object it produces. | ✓Mass assignment lets an attacker set fields on a model that were never meant to be user-editable — a privilege flag, an ownership reference, a price — simply by adding an extra parameter the client controls to a request that already succeeds for legitimate fields. AI assistants often generate the shortest working binding code (bind the whole request body onto the model, or a framework's default autobinding) because it passes the happy-path test with only the intended fields present, without adding the allowlist/DTO layer that blocks unintended ones. This is not a theoretical risk: a mass assignment vulnerability in GitHub's own public-key update form in 2012 let an attacker add their SSH key to the rails organization and push code, entirely through an unintended request parameter. |
| Privacy notes | ✓Open redirect proof-of-concept links can be used to demonstrate credential phishing; avoid pointing a demonstration at a real external site or capturing real user credentials, use a controlled test domain instead. Redirect destination parameters are sometimes logged for analytics; ensure logs of attempted-and-blocked off-site redirects don't retain full attacker payload URLs longer than needed for the security review. | ✓CSRF tokens are security credentials; do not paste real tokens, session cookies, or production request captures into public PR comments or issues. Use synthetic accounts and redacted requests when demonstrating a CSRF proof of concept, and avoid attaching real user identifiers. Be careful that anti-CSRF tokens are not written into URLs, analytics, or logs, where they can leak through referer headers or shared dashboards. | ✓Deserialization proof-of-concept payloads (e.g. a crafted pickle or Java serialized stream) can trigger real code execution in a test environment; run them only in an isolated, disposable sandbox, never against a shared or production system. Do not commit real crafted exploit payloads, credentials, or internal class/package names discovered while testing into a public PR or issue; describe the vulnerable pattern instead of attaching a working exploit. | ✓Mass assignment proof-of-concept testing (setting an unintended field like an admin flag) can grant real elevated access in a shared test environment; use an isolated account and environment, never a shared staging or production system. Do not commit a working exploit request (the exact extra parameter and target field) targeting a real internal endpoint into a public PR or issue; describe the vulnerable binding pattern and the class of field involved instead. |
| Prerequisites |
|
|
|
|
| Install | — | — | — | — |
| Config | — | — | — | — |
| Citations | ||||
| Claim | Unclaimed | Unclaimed | Unclaimed | Unclaimed |
Source-backed guides for putting this to work.
Review AI-generated pull requests with repeatable security, test, and evidence checks.
Loading live community signals…
A short, calm digest of reviewed Claude resources. Unsubscribe any time.