Skip to content

Potential fix for code scanning alert no. 83: Client-side URL redirect #1133

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

Potential fix for code scanning alert no. 83: Client-side URL redirect #1133

wants to merge 1 commit into from

Conversation

farabi-deriv
Copy link
Contributor

Potential fix for https://github.com/deriv-com/smarttrader/security/code-scanning/83

To fix the issue, we need to ensure that the redirect_url is validated against a whitelist of trusted domains or paths before redirection. This can be achieved by maintaining a list of authorized URLs on the server or in the client code and checking the redirect_url against this list. If the redirect_url is not in the whitelist, the code should default to a safe URL.

Steps to fix:

  1. Introduce a whitelist of trusted URLs or domains in the client code.
  2. Validate the redirect_url against this whitelist before using it in window.location.replace.
  3. If the redirect_url is not in the whitelist, set it to a default safe URL.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@farabi-deriv @github-advanced-security
Potential fix for code scanning alert no. 83: Client-side URL redirect
0de76ab 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions GitHub Actions
Copy link

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails

Scanned Manifest Files

@github-actions GitHub Actions
Copy link

Name Result
Build status Failed ❌
Action URL Visit Action

github-advanced-security[bot]
github-advanced-security bot found potential problems Jun 27, 2025
View reviewed changes
src/javascript/app/pages/callback/callback.jsx
);
}
}
getElementById('loading_link').setAttribute('href', redirect_url);

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix

AI 16 days ago

To fix the issue, we need to ensure that redirect_url is always validated against a list of trusted URLs or domains before being used in window.location.replace. This involves:

  1. Maintaining a strict list of allowed URLs or domains.
  2. Validating redirect_url against this list, even when it is modified based on language settings or other parameters.
  3. Rejecting or defaulting to a safe URL if redirect_url does not pass validation.

The changes will be made in src/javascript/app/pages/callback/callback.jsx to ensure that redirect_url is validated before redirection.

Suggested changeset 1
src/javascript/app/pages/callback/callback.jsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/javascript/app/pages/callback/callback.jsx b/src/javascript/app/pages/callback/callback.jsx
--- a/src/javascript/app/pages/callback/callback.jsx
+++ b/src/javascript/app/pages/callback/callback.jsx
@@ -85,10 +85,13 @@
             // redirect back
-            let set_default = true;
-            const trusted_urls = [
-                urlFor('user/metatrader'),
-                Client.defaultRedirectUrl(),
-                urlFor('home'),
-            ];
+            const isTrustedUrl = (url) => {
+                const trusted_urls = [
+                    urlFor('user/metatrader'),
+                    Client.defaultRedirectUrl(),
+                    urlFor('home'),
+                ];
+                return trusted_urls.includes(url);
+            };
 
-            if (redirect_url && trusted_urls.includes(redirect_url)) {
+            let set_default = true;
+            if (redirect_url && isTrustedUrl(redirect_url)) {
                 set_default = false;
@@ -96,5 +99,5 @@
 
-            if (set_default) {
-                const lang_cookie = Cookies.get('language') || getLanguage();
-                const language = getLanguage();
+           if (set_default) {
+               const lang_cookie = Cookies.get('language') || getLanguage();
+               const language = getLanguage();
                redirect_url =
@@ -110,2 +113,7 @@
            }
+
+           if (!isTrustedUrl(redirect_url)) {
+               redirect_url = Client.defaultRedirectUrl();
+           }
+
            getElementById('loading_link').setAttribute('href', redirect_url);
EOF
@@ -85,10 +85,13 @@
// redirect back
let set_default = true;
const trusted_urls = [
urlFor('user/metatrader'),
Client.defaultRedirectUrl(),
urlFor('home'),
];
const isTrustedUrl = (url) => {
const trusted_urls = [
urlFor('user/metatrader'),
Client.defaultRedirectUrl(),
urlFor('home'),
];
return trusted_urls.includes(url);
};

if (redirect_url && trusted_urls.includes(redirect_url)) {
let set_default = true;
if (redirect_url && isTrustedUrl(redirect_url)) {
set_default = false;
@@ -96,5 +99,5 @@

if (set_default) {
const lang_cookie = Cookies.get('language') || getLanguage();
const language = getLanguage();
if (set_default) {
const lang_cookie = Cookies.get('language') || getLanguage();
const language = getLanguage();
redirect_url =
@@ -110,2 +113,7 @@
}

if (!isTrustedUrl(redirect_url)) {
redirect_url = Client.defaultRedirectUrl();
}

getElementById('loading_link').setAttribute('href', redirect_url);
Copilot is powered by AI and may make mistakes. Always verify output.
src/javascript/app/pages/callback/callback.jsx
}
getElementById('loading_link').setAttribute('href', redirect_url);

window.location.replace(redirect_url); // need to redirect not using pjax

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.
Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix

AI 16 days ago

To fix the issue, we need to ensure that the redirect_url is validated against a strict list of trusted URLs and does not rely on user-controlled input. This can be achieved by maintaining a whitelist of authorized redirect paths and validating redirect_url against this whitelist. If the URL is not in the whitelist, the code should default to a safe URL.

Steps to implement the fix:

  1. Replace the trusted_urls array with a whitelist of authorized paths (e.g., /user/metatrader, /home).
  2. Extract the path from redirect_url and validate it against the whitelist.
  3. If the path is not in the whitelist, default to a safe URL.
  4. Ensure that the validation logic is robust and accounts for edge cases.
Suggested changeset 1
src/javascript/app/pages/callback/callback.jsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/javascript/app/pages/callback/callback.jsx b/src/javascript/app/pages/callback/callback.jsx
--- a/src/javascript/app/pages/callback/callback.jsx
+++ b/src/javascript/app/pages/callback/callback.jsx
@@ -86,9 +86,6 @@
             let set_default = true;
-            const trusted_urls = [
-                urlFor('user/metatrader'),
-                Client.defaultRedirectUrl(),
-                urlFor('home'),
-            ];
+            const trusted_paths = ['/user/metatrader', '/home'];
+            const url_path = new URL(redirect_url, window.location.origin).pathname;
 
-            if (redirect_url && trusted_urls.includes(redirect_url)) {
+            if (redirect_url && trusted_paths.includes(url_path)) {
                 set_default = false;
@@ -99,5 +96,5 @@
                 const language = getLanguage();
-               redirect_url =
-                   Client.isAccountOfType('financial') || Client.isOptionsBlocked()
-                       ? urlFor('user/metatrader')
+                redirect_url =
+                    Client.isAccountOfType('financial') || Client.isOptionsBlocked()
+                        ? urlFor('user/metatrader')
                        : Client.defaultRedirectUrl();
EOF
@@ -86,9 +86,6 @@
let set_default = true;
const trusted_urls = [
urlFor('user/metatrader'),
Client.defaultRedirectUrl(),
urlFor('home'),
];
const trusted_paths = ['/user/metatrader', '/home'];
const url_path = new URL(redirect_url, window.location.origin).pathname;

if (redirect_url && trusted_urls.includes(redirect_url)) {
if (redirect_url && trusted_paths.includes(url_path)) {
set_default = false;
@@ -99,5 +96,5 @@
const language = getLanguage();
redirect_url =
Client.isAccountOfType('financial') || Client.isOptionsBlocked()
? urlFor('user/metatrader')
redirect_url =
Client.isAccountOfType('financial') || Client.isOptionsBlocked()
? urlFor('user/metatrader')
: Client.defaultRedirectUrl();
Copilot is powered by AI and may make mistakes. Always verify output.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@farabi-deriv