BruceHaley/botbuilder-dotnet

CodeQL alert SM01507: Client-side URL redirect in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet

Closed this issue · 1 comment

Repro Steps

Summary:
CodeQL detected the following issue: Client-side URL redirect (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/blob/main/build/AnalyzeDeps/InterdependencyGraph.html#L346&lineStartColumn=16&lineEndColumn=19
File: /build/AnalyzeDeps/InterdependencyGraph.html
Location: Line 346, Column 16 - 19
Link: (Link to LGTM)

Recommendations:
Untrusted URL redirection due to user-provided value.

Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204
Requirement: CodeQL.SM01507 (Link to Liquid Requirement)
Confidence: high

System Info

This issue is a copy of ADO work item 77283 created by CodeQL.
This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft. To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here).

Original Work Item URL

Original Work Item Details

Created date: 2022-09-22T00:00:33.227Z
Created by: Bruce Haley
Changed date: 2022-10-11T18:59:14.997Z
Changed by: Bruce Haley
Assigned to: Tracy Boehrer
State: New
Type: Bug
Area Path: SDK_v4\Code Analysis
Iteration Path: SDK_v4\Sprint 1

Original Work Item JSON


Work Item Comments (1)

Created date: 2022-09-22T00:00:33.227Z
Created by: Bruce Haley
JSON URL: URL

Comment text: Security Rating: Important