/**
 * @name Open URL redirect
 * @description Open URL redirection based on unvalidated user input
 *              may cause redirection to malicious web sites.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 6.1
 * @id go/unvalidated-url-redirection
 * @tags security
 *       external/cwe/cwe-601
 * @precision high
 */

import go
import semmle.go.security.OpenUrlRedirect
import semmle.go.security.SafeUrlFlow
import OpenUrlRedirect::Flow::PathGraph

from OpenUrlRedirect::Flow::PathNode source, OpenUrlRedirect::Flow::PathNode sink
where
  OpenUrlRedirect::Flow::flowPath(source, sink) and
  // this excludes flow from safe parts of request URLs, for example the full URL when the
  // doing a redirect from `http://<path>` to `https://<path>`
  not SafeUrlFlow::Flow::flowTo(sink.getNode())
select sink.getNode(), source, sink, "This path to an untrusted URL redirection depends on a $@.",
  source.getNode(), "user-provided value"