I have the below code in my service.ts file and the Veracode code scan fails:
Flaws by CWE ID: URL Redirection to Untrusted Site ('Open Redirect') (CWE ID 601) (16 flaws)
Description: A web application accepts an untrusted input that specifies a link to an external site, and uses that link to generate a redirect. This enables phishing attacks.
Please help me to fix this.
Service.ts:
import { HttpClient, HttpHeaders } from '@angular/common/http';
import { DomSanitizer, SecurityContext } from '@angular/platform-browser';
import { Observable } from 'rxjs';

public exportReviews(searchReviewData: SurveillanceReviewSearchViewModel): Observable<SurveillanceReviewSearchViewModel> {
    this._urlSurveillanceDetails = this.baseHref + "/ReviewProfile/ExportReviews";
    // HttpHeaders is immutable: append() returns a new object and discards the change, so set the header in the constructor
    const headers: HttpHeaders = new HttpHeaders({ 'Content-Type': 'application/json' });
    return this.http.post<SurveillanceReviewSearchViewModel>(this._urlSurveillanceDetails, searchReviewData, { headers: headers }); // flaw identified on this line
}
public getReviewsBySearchSessionId(searchsessionId: string): Observable<SurveillanceReviewSearchViewModel> {
    this._urlSurveillanceDetails = this.baseHref + "/ReviewProfile/SearchReviewsBySessionId" + '?searchsessionId=' + searchsessionId;
    const headers: HttpHeaders = new HttpHeaders({ 'Content-Type': 'application/json' });
    this._urlSurveillanceDetails = this.sanitizer.sanitize(SecurityContext.RESOURCE_URL, this.sanitizer.bypassSecurityTrustResourceUrl(this._urlSurveillanceDetails));
    // post(url, body, options): headers go in the options argument, not in the body position
    return this.http.post<SurveillanceReviewSearchViewModel>(this._urlSurveillanceDetails, null, { headers: headers }); // flaw identified on this line
}
asked Oct 24, 2020 at 8:09 by KARTHIKEYAN DEIVASENAKANTHAN, edited Oct 26, 2020 at 8:05
Ensure you sanitize the data in searchReviewData before passing it along. – Batman, Oct 24, 2020 at 8:31
@RichardBarker - I tried sanitize in the "getReviewsBySearchSessionId" function but I'm still getting the same issue on the next line. I updated the code in the question section. – KARTHIKEYAN DEIVASENAKANTHAN, Oct 24, 2020 at 9:59
2 Answers
This is a false positive. The request URL is not built from untrusted user input or user input in general. Static code analysis is not perfect and you'll experience false positives all over the place.
You can use the encodeURI() method to encode the parameters which are getting detected under CWE-601. It could be a false positive as others have mentioned, but encodeURI() wraps the parameters so that Veracode doesn't detect it as a security flaw.
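Both answers above leave the practical question open: the first says the URL is not user-controlled, the second suggests encoding to quiet the scanner. A cleaner fix that satisfies both is to stop concatenating the URL by hand at all: keep the API path as an application constant, confine the configurable baseHref to the application's own origin, and let URLSearchParams percent-encode the one value that does come from outside (searchsessionId). The following is an added example written for this page, not code from the question, the answers, or any project. TRUSTED_ORIGIN, the session-id format and the helper names are assumptions; buildApiUrl returns a relative URL so that Angular's HttpClient sends it to the same origin the app was loaded from.

```typescript
// Added example for this page (not from the question or answers).
// Assumptions: the app is served from TRUSTED_ORIGIN, and a search session id
// is a short token of letters, digits, '-' and '_'. Adjust both to your app.
const TRUSTED_ORIGIN = "https://reviews.example.internal"; // assumed
const SESSION_ID = /^[A-Za-z0-9_-]{1,64}$/;                 // assumed format

type QueryParams = { [key: string]: string | number | boolean };

// Allow-list validation of the only externally supplied value.
export function assertSessionId(id: unknown): string {
  if (typeof id !== "string" || !SESSION_ID.test(id)) {
    throw new Error("invalid searchsessionId");
  }
  return id;
}

// Builds "<baseHref path>/<api path>?<encoded params>" and refuses anything
// that would escape TRUSTED_ORIGIN: an absolute URL, a protocol-relative
// "//host" prefix, or an API path that is not a single absolute path.
export function buildApiUrl(baseHref: string, path: string, params: QueryParams = {}): string {
  if (path.charAt(0) !== "/" || path.indexOf("//") === 0) {
    throw new Error("API path must be absolute and same-origin: " + path);
  }
  // Resolving against TRUSTED_ORIGIN normalises "/app/../x", and any baseHref
  // that carries its own host (https://evil/, //evil/) shows up as a different origin.
  const base = new URL(baseHref, TRUSTED_ORIGIN);
  if (base.origin !== TRUSTED_ORIGIN) {
    throw new Error("baseHref resolves off-origin: " + base.href);
  }
  const url = new URL(base.pathname.replace(/\/$/, "") + path, TRUSTED_ORIGIN);
  // URLSearchParams encodes '&', '=', '#', '?' and friends, so a value can
  // never add a second parameter, change the path, or inject a fragment.
  const qs = new URLSearchParams();
  for (const key of Object.keys(params)) {
    qs.set(key, String(params[key]));
  }
  url.search = qs.toString();
  return url.pathname + url.search; // relative: HttpClient keeps it on the app's origin
}

// The two service methods from the question, rewritten on top of the helpers.
export function exportReviewsUrl(baseHref: string): string {
  return buildApiUrl(baseHref, "/ReviewProfile/ExportReviews");
}

export function searchReviewsUrl(baseHref: string, searchsessionId: unknown): string {
  return buildApiUrl(baseHref, "/ReviewProfile/SearchReviewsBySessionId", {
    searchsessionId: assertSessionId(searchsessionId),
  });
}
```

In the Angular service, replace the string concatenation with `this.http.post<T>(searchReviewsUrl(this.baseHref, searchsessionId), null, { headers })`. Whether Veracode stops reporting CWE-601 on that line depends on its taint rules, but the code now makes the same-origin guarantee explicit instead of relying on a reviewer to notice that baseHref is configuration.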
Tags: javascript, URL Redirection to Untrusted Site, Stack Overflow
Title: javascript - URL Redirection to Untrusted Site - Stack Overflow (mirrored at http://www.betaflare.com/web/1744016135a2576363.html)