react-doctor/untrusted-redirect-following

Following a redirect from a request-supplied URL without re-validating each hop lets an attacker bounce your server into internal addresses (server-side request forgery).

  • Category: Security
  • Severity: warn
  • Source: oxlint-plugin-react-doctor
  • Framework: global
  • Enabled when: server route source files only — server-context dirs (api/backend/server/functions/lambdas/workers, *.server.*) plus middleware.* and route.* entrypoints

Validation prompt

Use this to decide whether a fired diagnostic is real or a false positive.

Fires in server route code on an outbound fetch(url …) (bare fetch, not this.fetch or other method fetches), axios.get/post/put/delete/head(, got(, or got.get/post( whose URL argument BOTH is named like caller input (url, targetUrl, callbackUrl, redirectUrl, webhookUrl, imageUrl, next, returnTo, destination, location, …) AND is request-sourced — read directly from req./request.query|body|params|nextUrl/searchParams/params./body./query., or a bare identifier assigned from one of those in the same file — with no redirect: "manual" or redirect: "error" within 5 lines of the call. FALSE POSITIVE: the URL is validated against a host allowlist before the fetch, or its target is actually a trusted constant whose name merely resembles caller input; since the default mode silently follows redirects to a new origin, prefer manual mode even then.

Fix prompt

Use this once validation confirms the diagnostic is real.

Set redirect: "manual" (fetch) or maxRedirects: 0 / followRedirect: false (axios/got) and re-validate the Location of every hop against a strict host allowlist before following it. Resolve the final host, reject private and link-local IP ranges, and only then make the follow-up request. Never pass raw request input into an auto-following fetch.
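The fix described above, written out as an added Node example (not code from the rule or the react-doctor project): fetch runs with redirect: "manual", each Location is re-validated against a host allowlist, the host is resolved and private or link-local addresses are rejected before the next hop is requested. ALLOWED_HOSTS, safeFetch and the injectable fetchImpl / lookupImpl parameters are assumptions so the logic can run offline against constructed responses.

```javascript
// Added example (not react-doctor's code): manual redirect following with per-hop validation.
// Assumed names: ALLOWED_HOSTS, safeFetch, and injectable fetchImpl / lookupImpl so the
// logic can run offline against constructed responses in place of real fetch and DNS.
const ALLOWED_HOSTS = new Set(['api.example.com', 'hooks.example.com']); // constructed allowlist
const MAX_HOPS = 3;

// True for loopback, RFC 1918, link-local, unspecified and IPv4-mapped-private addresses.
function isPrivateAddress(ip) {
  const a = ip.toLowerCase();
  if (a.startsWith('::ffff:')) return isPrivateAddress(a.slice(7)); // IPv4-mapped IPv6
  if (a.includes(':')) {
    return a === '::1' || a === '::' || a.startsWith('fc') || a.startsWith('fd') || a.startsWith('fe80:');
  }
  const [o1, o2] = a.split('.').map(Number);
  return o1 === 0 || o1 === 10 || o1 === 127 || (o1 === 169 && o2 === 254) ||
    (o1 === 172 && o2 >= 16 && o2 <= 31) || (o1 === 192 && o2 === 168);
}

// Default resolver; dynamic import works in both CommonJS and ESM callers.
const dnsLookup = async (host) => (await import('node:dns')).promises.lookup(host);

// Validates one hop: https only, host on the allowlist, resolved address not private.
async function validateHop(rawUrl, lookupImpl) {
  const u = new URL(rawUrl);
  if (u.protocol !== 'https:') throw new Error(`blocked scheme ${u.protocol}`);
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error(`host not allowlisted: ${u.hostname}`);
  const { address } = await lookupImpl(u.hostname);
  if (isPrivateAddress(address)) throw new Error(`${u.hostname} resolves to private address ${address}`);
  return u;
}

// Follows redirects by hand: every Location header is re-validated before the next request.
async function safeFetch(rawUrl, { fetchImpl = globalThis.fetch, lookupImpl = dnsLookup } = {}) {
  let current = rawUrl;
  for (let hop = 0; hop <= MAX_HOPS; hop++) {
    const u = await validateHop(current, lookupImpl);
    const res = await fetchImpl(u.href, { redirect: 'manual' });
    if (res.status < 300 || res.status > 399) return res;
    const location = res.headers.get('location');
    if (!location) throw new Error('redirect without Location header');
    current = new URL(location, u).href; // relative Location resolves against the current hop
  }
  throw new Error(`too many redirects (more than ${MAX_HOPS})`);
}
```

Resolving the host yourself and then fetching by name still leaves a DNS-rebinding window; pinning the connection to the checked address (for example via a custom agent) closes it, which is beyond this example.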