Restricting redirects through Scala Stream Collector

We just transitioned email link click tracking from an old home-grown service to our collectors using the “/r/tp2” endpoint. Our security staff have expressed concern that the redirects are wide open so that a phisher could redirect users to a malicious site using the collector’s redirect functionality. Is anyone aware of a mechanism we can use to lockdown the redirects?


Any update or good way to fix this default behaviour?

@igorbrigadir, if you are not using the redirect feature yourself, you should disable that endpoint in the collector

enableDefaultRedirect = false

If you do use it yourself, the best option is to use AWS WAF or Google Cloud Armor enabled (depending on your cloud). It lets you block traffic that matches rules you define, such as a regex that the value of the u parameter must match.



In case it helps someone else: I ended up using a traefik router rule to block anything that isn’t the domains i allow, like this:

Host(``) && PathPrefix(`/r`) && Query(`u={u:(http[s]?)(%3A)(%2F){2}(www\.)?((allowed1\.com)|(allowed2\.com)|(allowed3\.com))(.*)}`)

So if your collector redirect url is like:

it will match the rule and work, but if it’s

it won’t match and fail, blocking the open redirect.

I’ve added this as an issue to the collector because I don’t think it would be particularly difficult to support and it seems like useful functionality.

1 Like