Skip to content

Potential fix for code scanning alert no. 83: Client-side URL redirect#1133

Draft
farabi-deriv wants to merge 1 commit intomasterfrom
fix-codeql-83
Draft

Potential fix for code scanning alert no. 83: Client-side URL redirect#1133
farabi-deriv wants to merge 1 commit intomasterfrom
fix-codeql-83

Conversation

@farabi-deriv
Copy link
Contributor

@farabi-deriv farabi-deriv commented Jun 27, 2025

Potential fix for https://github.com/deriv-com/smarttrader/security/code-scanning/83

To fix the issue, we need to ensure that the redirect_url is validated against a whitelist of trusted domains or paths before redirection. This can be achieved by maintaining a list of authorized URLs on the server or in the client code and checking the redirect_url against this list. If the redirect_url is not in the whitelist, the code should default to a safe URL.

Steps to fix:

  1. Introduce a whitelist of trusted URLs or domains in the client code.
  2. Validate the redirect_url against this whitelist before using it in window.location.replace.
  3. If the redirect_url is not in the whitelist, set it to a default safe URL.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@farabi-deriv @github-advanced-security
Potential fix for code scanning alert no. 83: Client-side URL redirect
0de76ab 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions
Copy link

github-actions bot commented Jun 27, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails

Scanned Manifest Files

@github-actions
Copy link

github-actions bot commented Jun 27, 2025

Name Result
Build status Failed ❌
Action URL Visit Action

github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 27, 2025
View reviewed changes
src/javascript/app/pages/callback/callback.jsx Outdated

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix

AI 9 months ago

To fix the issue, we need to ensure that redirect_url is always validated against a list of trusted URLs or domains before being used in window.location.replace. This involves:

  1. Maintaining a strict list of allowed URLs or domains.
  2. Validating redirect_url against this list, even when it is modified based on language settings or other parameters.
  3. Rejecting or defaulting to a safe URL if redirect_url does not pass validation.

The changes will be made in src/javascript/app/pages/callback/callback.jsx to ensure that redirect_url is validated before redirection.

Suggested changeset 1
src/javascript/app/pages/callback/callback.jsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/javascript/app/pages/callback/callback.jsx b/src/javascript/app/pages/callback/callback.jsx
--- a/src/javascript/app/pages/callback/callback.jsx
+++ b/src/javascript/app/pages/callback/callback.jsx
@@ -85,10 +85,13 @@
             // redirect back
-            let set_default = true;
-            const trusted_urls = [
-                urlFor('user/metatrader'),
-                Client.defaultRedirectUrl(),
-                urlFor('home'),
-            ];
+            const isTrustedUrl = (url) => {
+                const trusted_urls = [
+                    urlFor('user/metatrader'),
+                    Client.defaultRedirectUrl(),
+                    urlFor('home'),
+                ];
+                return trusted_urls.includes(url);
+            };
 
-            if (redirect_url && trusted_urls.includes(redirect_url)) {
+            let set_default = true;
+            if (redirect_url && isTrustedUrl(redirect_url)) {
                 set_default = false;
@@ -96,5 +99,5 @@
 
-            if (set_default) {
-                const lang_cookie = Cookies.get('language') || getLanguage();
-                const language = getLanguage();
+           if (set_default) {
+               const lang_cookie = Cookies.get('language') || getLanguage();
+               const language = getLanguage();
                redirect_url =
@@ -110,2 +113,7 @@
            }
+
+           if (!isTrustedUrl(redirect_url)) {
+               redirect_url = Client.defaultRedirectUrl();
+           }
+
            getElementById('loading_link').setAttribute('href', redirect_url);
EOF
@@ -85,10 +85,13 @@
// redirect back
let set_default = true;
const trusted_urls = [
urlFor('user/metatrader'),
Client.defaultRedirectUrl(),
urlFor('home'),
];
const isTrustedUrl = (url) => {
const trusted_urls = [
urlFor('user/metatrader'),
Client.defaultRedirectUrl(),
urlFor('home'),
];
return trusted_urls.includes(url);
};

if (redirect_url && trusted_urls.includes(redirect_url)) {
let set_default = true;
if (redirect_url && isTrustedUrl(redirect_url)) {
set_default = false;
@@ -96,5 +99,5 @@

if (set_default) {
const lang_cookie = Cookies.get('language') || getLanguage();
const language = getLanguage();
if (set_default) {
const lang_cookie = Cookies.get('language') || getLanguage();
const language = getLanguage();
redirect_url =
@@ -110,2 +113,7 @@
}

if (!isTrustedUrl(redirect_url)) {
redirect_url = Client.defaultRedirectUrl();
}

getElementById('loading_link').setAttribute('href', redirect_url);
Copilot is powered by AI and may make mistakes. Always verify output.
src/javascript/app/pages/callback/callback.jsx Outdated

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix

AI 9 months ago

To fix the issue, we need to ensure that the redirect_url is validated against a strict list of trusted URLs and does not rely on user-controlled input. This can be achieved by maintaining a whitelist of authorized redirect paths and validating redirect_url against this whitelist. If the URL is not in the whitelist, the code should default to a safe URL.

Steps to implement the fix:

  1. Replace the trusted_urls array with a whitelist of authorized paths (e.g., /user/metatrader, /home).
  2. Extract the path from redirect_url and validate it against the whitelist.
  3. If the path is not in the whitelist, default to a safe URL.
  4. Ensure that the validation logic is robust and accounts for edge cases.
Suggested changeset 1
src/javascript/app/pages/callback/callback.jsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/javascript/app/pages/callback/callback.jsx b/src/javascript/app/pages/callback/callback.jsx
--- a/src/javascript/app/pages/callback/callback.jsx
+++ b/src/javascript/app/pages/callback/callback.jsx
@@ -86,9 +86,6 @@
             let set_default = true;
-            const trusted_urls = [
-                urlFor('user/metatrader'),
-                Client.defaultRedirectUrl(),
-                urlFor('home'),
-            ];
+            const trusted_paths = ['/user/metatrader', '/home'];
+            const url_path = new URL(redirect_url, window.location.origin).pathname;
 
-            if (redirect_url && trusted_urls.includes(redirect_url)) {
+            if (redirect_url && trusted_paths.includes(url_path)) {
                 set_default = false;
@@ -99,5 +96,5 @@
                 const language = getLanguage();
-               redirect_url =
-                   Client.isAccountOfType('financial') || Client.isOptionsBlocked()
-                       ? urlFor('user/metatrader')
+                redirect_url =
+                    Client.isAccountOfType('financial') || Client.isOptionsBlocked()
+                        ? urlFor('user/metatrader')
                        : Client.defaultRedirectUrl();
EOF
@@ -86,9 +86,6 @@
let set_default = true;
const trusted_urls = [
urlFor('user/metatrader'),
Client.defaultRedirectUrl(),
urlFor('home'),
];
const trusted_paths = ['/user/metatrader', '/home'];
const url_path = new URL(redirect_url, window.location.origin).pathname;

if (redirect_url && trusted_urls.includes(redirect_url)) {
if (redirect_url && trusted_paths.includes(url_path)) {
set_default = false;
@@ -99,5 +96,5 @@
const language = getLanguage();
redirect_url =
Client.isAccountOfType('financial') || Client.isOptionsBlocked()
? urlFor('user/metatrader')
redirect_url =
Client.isAccountOfType('financial') || Client.isOptionsBlocked()
? urlFor('user/metatrader')
: Client.defaultRedirectUrl();
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@farabi-deriv