The objective is to prevent OWASP Top 10 A10, Unvalidated Redirects and Forwards, in TeamMentor (version 3.3 had this issue).
Here is the code that performs the redirect based on user input (the LoginReferer parameter):
Here is the unit test that checks the redirects that should be allowed:
Here is the unit test that checks the redirects that should be blocked:
The next test to write is one that feeds FuzzDB strings (or perhaps some from ESAPI or ESTAPI) through this function in order to increase coverage.
On that topic, is there a list of use cases that this function should pass in order to count as 'secure'?
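Since the snippets referred to above are not reproduced on this page, here is an added example of the same idea: a validator for a LoginReferer-style redirect target, together with the two case lists that the "should be allowed" and "should be blocked" unit tests need. This is my code, not TeamMentor's, and it is in Python rather than TeamMentor's C# so that it runs as-is. The allowed host name (`teammentor.net`) and every payload are assumptions I constructed; the payloads are in the spirit of a FuzzDB open-redirect list, not copied from one.

```python
"""Added example (not TeamMentor's code): validate a redirect target taken
from user input, then run it against constructed allow/block case lists.
The allowed host and all payloads below are assumptions made for this page."""
from urllib.parse import urlsplit, unquote

# Assumption: the site's own host name(s). Only exact matches are accepted,
# so "teammentor.net.evil.com" or "evil.com/teammentor.net" never qualify.
ALLOWED_HOSTS = {"teammentor.net"}


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if target is a site-relative path (exactly one
    leading "/") or an absolute http(s) URL whose host is allow-listed."""
    if not target or len(target) > 2048:
        return False
    # Check the raw value and a once-decoded value: "/%2f%2fevil.com"
    # turns into "///evil.com" on stacks that decode before redirecting.
    for candidate in (target, unquote(target)):
        # Browsers strip tabs/newlines before parsing ("java\tscript:" becomes
        # "javascript:"), so any control character or space is rejected.
        if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
            return False
        # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.com" is
        # really "//evil.com", a scheme-relative URL to evil.com.
        candidate = candidate.replace("\\", "/")
        try:
            parts = urlsplit(candidate)
        except ValueError:  # e.g. "http://[evil.com" (malformed IPv6 literal)
            return False
        if parts.scheme:
            # Absolute URL: only http(s), only an allow-listed host, and no
            # userinfo ("http://teammentor.net@evil.com" has host evil.com).
            if parts.scheme.lower() not in ("http", "https"):
                return False
            if parts.username is not None or parts.password is not None:
                return False
            if parts.hostname is None or parts.hostname not in allowed_hosts:
                return False
        else:
            # No scheme: must be site-relative. "//evil.com" is scheme-relative
            # and "Home/Index" could resolve somewhere unexpected; both fail.
            if not candidate.startswith("/") or candidate.startswith("//"):
                return False
    return True


# Constructed cases (assumptions, in the spirit of a FuzzDB list, not copied
# from it). "evil.com" stands in for an attacker-controlled host.
SHOULD_BLOCK = [
    "http://evil.com",
    "https://evil.com/Home",
    "//evil.com",
    "////evil.com",
    "/\\evil.com",
    "\\\\evil.com",
    "/%2f%2fevil.com",
    "/%5c%5cevil.com",
    "https:evil.com",
    "http://teammentor.net@evil.com",
    "http://evil.com#@teammentor.net",
    "http://teammentor.net.evil.com",
    "http://evil.com/teammentor.net",
    "javascript:alert(1)",
    "java\tscript:alert(1)",
    "data:text/html,<script>alert(1)</script>",
    "http://[evil.com",
    "Home/Index",
    "",
]

SHOULD_ALLOW = [
    "/",
    "/Account/Index",
    "/Home?view=Article&id=42",
    "/Home#section",
    "http://teammentor.net/Home",
    "https://TEAMMENTOR.NET/Home",
]


def run_suite(should_allow=SHOULD_ALLOW, should_block=SHOULD_BLOCK):
    """Mirror the two unit tests: return every case that did not behave as
    expected, so an empty list means the validator passed all of them."""
    failures = [t for t in should_allow if not is_safe_redirect(t)]
    failures += [t for t in should_block if is_safe_redirect(t)]
    return failures


if __name__ == "__main__":
    bad = run_suite()
    print("all cases passed" if not bad else f"unexpected results: {bad}")
```

The design choice that matters is the allow-list: anything that is not exactly one leading slash or an absolute URL to a host you name is rejected, rather than trying to recognise every attacker trick individually. The two lists are only a starting point; they drop straight into "should be allowed" / "should be blocked" tests of the kind described above, and a fuzz list can be appended to SHOULD_BLOCK.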
Note: the source files are on TeamMentor’s public GitHub repository