
I have a site located at

https://gooddomain.com/wonderful?returnPath=goodThings

which redirects me to

https://gooddomain.com/somegoodplace/goodThings

At the server side, the redirect is defined by

String path = request.getParameter("returnPath"); // Servlet API method is getParameter; the name must match the query parameter
String rPath = "redirect:/somegoodplace/" + path; // Spring MVC "redirect:" prefix: the view name becomes a redirect target
return new ModelAndView(rPath, model);

Is there a payload for the 'returnPath' parameter which an attacker can use to redirect an unsuspecting user to https://evil.com?

Or

Is the risk of open redirection completely mitigated by the use of the redirect prefix?

Is there any other attack possible with this code? [Perhaps XSS, as the user-supplied value gets reflected in the address bar.]

hax
  • First of all, is goodThings required to be a link at all? – tungsten Oct 02 '19 at 17:55
  • No. Since there is nothing executed server-side, (most) critical vulnerabilities are excluded. Basically it will be just the same as if the user entered it manually in the browser. Force the user to enter a URL starting with a protocol handler and don't allow the use of random text, such as [end path] + ../../../../../needle/ – tungsten Oct 02 '19 at 18:17
  • @tungsten Thank you for your input. I know 'goodThings' isn't required. This is just a sample. – hax Oct 02 '19 at 18:21

1 Answer


Is there a payload for the 'returnPath' parameter which an attacker can use to redirect an unsuspecting user to https://evil.com?

No. If you only control a part of the redirection URL, an open redirect vulnerability is not possible in such a case.

Is there any other attack possible with this code? [Perhaps XSS, as the user-supplied value gets reflected in the address bar.]

XSS is definitely possible, but it is impossible to answer with the information you have provided. Maybe the returnPath variable gets reflected back into the HTML page without input sanitization, maybe it gets stored and then reflected without sanitization (far-fetched), or maybe it gets printed via sinks (DOM-based).

Is there any other attack possible with this code?

By that I assume the three-line code you pasted? No.

yeah_well
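The answer's point is that the "redirect:/somegoodplace/" prefix pins the Location to this origin, so the remaining risk is only which same-origin path the user lands on. The check a practitioner would still add is an allowlist on the segment before it is concatenated, so values like "../.." or a protocol-prefixed string never reach the redirect string. The following is an added example written for this page, not code from the question or answer; the class name, the `[A-Za-z0-9_-]` segment shape, the 64-character limit, the fallback segment "home" and the sample values are all assumptions made for the illustration.

```java
import java.util.regex.Pattern;

public class ReturnPathCheck {

    // Allowlist for a single path segment: letters, digits, '-' and '_' only.
    // Assumption: this is the only shape of value the application ever expects in returnPath.
    private static final Pattern SEGMENT = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    // Assumption: where to send the user when the parameter is missing or malformed.
    private static final String DEFAULT_SEGMENT = "home";

    /** Returns the value unchanged if it is a plain segment, otherwise the default. */
    static String safeReturnPath(String raw) {
        if (raw == null || !SEGMENT.matcher(raw).matches()) {
            return DEFAULT_SEGMENT;
        }
        return raw;
    }

    /** Builds the Spring MVC view name; the "redirect:/" prefix keeps the target on this origin. */
    static String redirectViewName(String raw) {
        return "redirect:/somegoodplace/" + safeReturnPath(raw);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one expected value and the kinds of junk the check rejects.
        String[] samples = {"goodThings", "../../other", "//evil.com", "https://evil.com", "", null};
        for (String s : samples) {
            System.out.printf("%-18s -> %s%n", s, redirectViewName(s));
        }
    }
}
```

In the controller from the question this becomes `return new ModelAndView(redirectViewName(request.getParameter("returnPath")), model);`. One related caveat worth knowing: Spring's RedirectView exposes model attributes as query parameters by default, so anything placed in `model` before a redirect ends up in the Location URL unless that behaviour is turned off or the model is left empty.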