I am using Ruby on Rails 4.1.1 and I would like to accept a redirect_path
parameter in order to redirect users after they have performed an action. I read the OWASP documentation about related concerns (phishing attacks) but I did not understand something. The documentation states:
The most basic, but restrictive protection is to use the :only_path option. Setting this to true will essentially strip out any host information.
redirect_to params[:url], :only_path => true
Is `redirect_to params[:url], :only_path => true` enough to avoid phishing attacks? Are there other pitfalls?
Brakeman suggests two strategies to mitigate the risks:

1. `only_path`, as you did;
2. `URI.parse(some_url).path`

In past projects I've rewritten that helper to be sure nobody would accidentally forget the extra param of #1.
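An added example of strategy #2 as a standalone helper (this is not code from the question, the answer, OWASP or Brakeman; `safe_redirect_path` and its fallback behaviour are my own assumptions). It keeps only the path and query of whatever the client supplies, so scheme, userinfo and host are discarded, and it falls back to a known-local path when the input is empty, unparseable, or a protocol-relative `//host` form:

```ruby
require "uri"

# Hypothetical helper (not from the original post): reduce an untrusted
# redirect target to a path that is local to this application.
DEFAULT_PATH = "/".freeze

def safe_redirect_path(candidate, fallback = DEFAULT_PATH)
  raw = candidate.to_s.strip
  return fallback if raw.empty?

  uri = URI.parse(raw)
  # Only the path survives; scheme, userinfo, host and port are dropped.
  # For opaque URIs (e.g. "javascript:...") path is nil, hence to_s.
  path = uri.path.to_s

  # Require a path rooted at this app ("/...") and reject "//host", which
  # browsers interpret as an absolute URL on another host.
  return fallback unless path.start_with?("/") && !path.start_with?("//")

  # The query string is local to the app as well, so keep it.
  path += "?#{uri.query}" if uri.query && !uri.query.empty?
  path
rescue URI::InvalidURIError
  # Unparseable input (e.g. a backslash after the leading slash) is never
  # passed on to the browser.
  fallback
end

# Usage in a controller would be: redirect_to safe_redirect_path(params[:redirect_path])
```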