javascript.browser.security.open-redirect-from-function.js-open-redirect-from-function
semgrep
Author
unknown
The application accepts potentially user-controlled input $PROP which can control the location of the current window context. This can lead to two types of vulnerability: open redirection, and Cross-Site Scripting (XSS) via JavaScript URIs. It is recommended to validate user-controllable input before allowing it to control the redirection.
Definition
rules:
- id: js-open-redirect-from-function
  message: >-
    The application accepts potentially user-controlled input `$PROP` which
    can control the location of the current window context. This can lead to
    two types of vulnerability: open redirection, and Cross-Site Scripting
    (XSS) via JavaScript URIs. It is recommended to validate user-controllable
    input before allowing it to control the redirection.
  metadata:
    confidence: LOW
    cwe:
    - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"
    owasp:
    - A01:2021 - Broken Access Control
    asvs:
      section: V5 Validation, Sanitization and Encoding
      control_id: 5.5.1 Insecure Redirect
      control_url: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md#v51-input-validation
      version: "4"
    category: security
    references:
    - https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html
    technology:
    - browser
    license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    vulnerability_class:
    - Open Redirect
  languages:
  - javascript
  - typescript
  severity: INFO
  mode: taint
  pattern-sources:
  - patterns:
    - pattern-inside: |
        function ... (..., $PROP, ...) { ... }
    - focus-metavariable: $PROP
  pattern-sinks:
  - patterns:
    - pattern-either:
      - pattern: location.href = $SINK
      - pattern: window.location.href = $SINK
      - pattern: this.window.location.href = $SINK
      - pattern: this.location.href = $SINK
      - pattern: location.replace($SINK)
      - pattern: window.location.replace($SINK)
      - pattern: this.window.location.replace($SINK)
      - pattern: this.location.replace($SINK)
    - focus-metavariable: $SINK
    - metavariable-pattern:
        patterns:
        - pattern-not: |
            "..." + $VALUE
        - pattern-not: |
            `...${$VALUE}`
        metavariable: $SINK
Examples
open-redirect-from-function.js
var hi = new URLSearchParams(window.location.search).get('gamer')
var hi1 = new URLSearchParams(window.location.search)

function test1(userInput) {
  //ruleid:js-open-redirect-from-function
  location.href = userInput;
  //ruleid:js-open-redirect-from-function
  location.href = `${userInput}/hi`
}

function test4(userInput) {
  // ok:js-open-redirect-from-function
  location.href = `https://www.hardcoded.place/${userInput}`
  // ok:js-open-redirect-from-function
  location.href = "https://www.hardcoded.place/" + userInput;
}
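The rule only reports the sink; the fix it recommends is to validate the parameter before it reaches `location.href` or `location.replace()`. The helper below is an added example, not part of the rule or its test file: it resolves the input as a URL, refuses non-http(s) schemes (the `javascript:` URI case), and compares the parsed origin against an allow list. `BASE_ORIGIN` and `ALLOWED_ORIGINS` are constructed values for the example; in a browser `BASE_ORIGIN` would be `window.location.origin`.

```javascript
// Added example (not from the Semgrep rule or its test fixture).
const BASE_ORIGIN = "https://app.example";                // constructed
const ALLOWED_ORIGINS = ["https://www.hardcoded.place"];  // host used in the fixture above

// Returns a safe absolute URL for the redirect, or null if the input must not be followed.
function safeRedirectTarget(userInput, baseOrigin = BASE_ORIGIN, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof userInput !== "string" || userInput.trim() === "") return null;
  let target;
  try {
    // Relative paths resolve against our own origin; absolute URLs keep theirs.
    // The WHATWG parser also normalises "//host" and "\\host" forms for us.
    target = new URL(userInput, baseOrigin);
  } catch {
    return null; // unparsable input is never a valid redirect
  }
  // javascript: would execute script in the page, data:/blob: render attacker
  // content; only http(s) navigations count as a redirect to a site.
  if (target.protocol !== "https:" && target.protocol !== "http:") return null;
  // Compare the parsed origin (scheme + host + port), never a string prefix:
  // "https://app.example.evil.example" and "https://app.example@evil.example"
  // both start with our origin as text but resolve to a different host.
  const allowed = new Set([baseOrigin, ...allowedOrigins]);
  return allowed.has(target.origin) ? target.href : null;
}

// Drop-in for the sinks the rule flags: a validated destination or a fixed fallback.
function redirectTarget(userInput, fallback = BASE_ORIGIN + "/") {
  return safeRedirectTarget(userInput) ?? fallback;
}
// In the browser: location.href = redirectTarget(userInput);

// Constructed inputs exercising each check.
const SAMPLES = [
  "/account?tab=security",               // same-origin path: followed
  "https://www.hardcoded.place/profile", // allow-listed origin: followed
  "javascript:alert(1)",                 // script URI: rejected
  "//evil.example/login",                // protocol-relative: rejected
  "https://app.example.evil.example/",   // look-alike host: rejected
  "https://app.example@evil.example/",   // userinfo before the real host: rejected
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "=>", redirectTarget(s));
```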
Short Link: https://sg.run/P39e