BruceHaley / botbuilder-dotnet

Welcome to the Bot Framework SDK for .NET repository, which is the home for the libraries and packages that enable developers to build sophisticated bot applications using .NET.
https://github.com/Microsoft/botframework
MIT License

CodeQL alert SM01507: Client-side URL redirect in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet #3

Closed BruceHaley closed 2 years ago

BruceHaley commented 2 years ago

Repro Steps

Summary:
CodeQL detected the following issue: Client-side URL redirect (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/tree/main?&path=/build/AnalyzeDeps/InterdependencyGraph.html&line=346&lineStartColumn=16&lineEndColumn=19
File: /build/AnalyzeDeps/InterdependencyGraph.html
Location: Line 346, Column 16 - 19
Link: (Link to LGTM)

Recommendations:
Untrusted URL redirection due to user-provided value.
Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204
Requirement: CodeQL.SM01507 (Link to Liquid Requirement)
Confidence: high

System Info

This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft. To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here).

BruceHaley commented 2 years ago

Original Work Item URL

Original Work Item Details

| Created date | Created by | Changed date | Changed By | Assigned To | State | Type | Area Path | Iteration Path |
|---|---|---|---|---|---|---|---|---|
| 2022-09-22T00:00:33.227Z | Bruce Haley | 2022-09-22T00:00:33.227Z | Bruce Haley | Tracy Boehrer | New | Bug | SDK_v4\Code Analysis | SDK_v4\Sprint 1 |

Original Work Item JSON

```json
{ "commentVersionRef": { "commentId": 5137152, "url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77283/comments/5137152/versions/1", "version": 1 }, "fields": { "BotFramework.IsException": false, "Custom.SecuritySeverity": "Important", "Microsoft.VSTS.Common.Priority": 2, "Microsoft.VSTS.Common.Severity": "2 - High", "Microsoft.VSTS.Common.StateChangeDate": "2022-09-22T00:00:33.227Z", "Microsoft.VSTS.Common.ValueArea": "Business", "Microsoft.VSTS.TCM.ReproSteps": "Summary:
CodeQL detected the following issue: Client-side URL redirect (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/tree/main?&path=/build/AnalyzeDeps/InterdependencyGraph.html&line=346&lineStartColumn=16&lineEndColumn=19
File: /build/AnalyzeDeps/InterdependencyGraph.html
Location: Line 346, Column 16 - 19
Link: (Link to LGTM)

Recommendations:
Untrusted URL redirection due to user-provided value.\n
Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204
Requirement: CodeQL.SM01507 (Link to Liquid Requirement)
Confidence: high", "Microsoft.VSTS.TCM.SystemInfo": "This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft.To change onboarding settings, visit CodeQL Portal.
To suppress, add a comment in code (see more details here.)", "System.AreaId": 140243, "System.AreaLevel1": "SDK_v4", "System.AreaLevel2": "Code Analysis", "System.AreaPath": "SDK_v4\\Code Analysis", "System.AssignedTo": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk" } }, "descriptor": "aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "displayName": "Tracy Boehrer", "id": "282aa7ce-f8a4-68bc-b336-ef0700020fcd", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk", "uniqueName": "trboehre@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/282aa7ce-f8a4-68bc-b336-ef0700020fcd" }, "System.AuthorizedAs": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.AuthorizedDate": "2022-09-22T00:00:33.227Z", "System.ChangedBy": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": 
"https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.ChangedDate": "2022-09-22T00:00:33.227Z", "System.CommentCount": 1, "System.CreatedBy": { "_links": { "avatar": { "href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl" } }, "descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "displayName": "Bruce Haley", "id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e", "imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl", "uniqueName": "v-brucehaley@microsoft.com", "url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e" }, "System.CreatedDate": "2022-09-22T00:00:33.227Z", "System.Description": "Summary:
CodeQL detected the following issue: Client-side URL redirect (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/tree/main?&path=/build/AnalyzeDeps/InterdependencyGraph.html&line=346&lineStartColumn=16&lineEndColumn=19
File: /build/AnalyzeDeps/InterdependencyGraph.html
Location: Line 346, Column 16 - 19
Link: (Link to LGTM)

Recommendations:
Untrusted URL redirection due to user-provided value.\n
Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204
Requirement: CodeQL.SM01507 (Link to Liquid Requirement)
Confidence: high", "System.History": "Security Rating: Important
", "System.Id": 77283, "System.IterationId": 139042, "System.IterationLevel1": "SDK_v4", "System.IterationLevel2": "Sprint 1", "System.IterationPath": "SDK_v4\\Sprint 1", "System.NodeName": "Code Analysis", "System.PersonId": 48095448, "System.Reason": "New defect reported", "System.Rev": 1, "System.RevisedDate": "9999-01-01T00:00:00Z", "System.State": "New", "System.Tags": "CodeQL; external/cwe/cwe-079; external/cwe/cwe-116; external/cwe/cwe-601; sdl-recommended; sdl-required; security; ServiceOid 0ab2a10f-f0a6-40c7-8b24-f718d4c3cf88", "System.TeamProject": "SDK_v4", "System.Title": "CodeQL alert SM01507: Client-side URL redirect in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet", "System.Watermark": 324147, "System.WorkItemType": "Bug", "WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column": "New", "WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column.Done": false, "WEF_2AF1BD8A732542D29D4104AD064A9D25_System.ExtensionMarker": true }, "id": 77283, "relations": [ { "attributes": { "authorizedDate": "2022-09-22T00:00:33.227Z", "comment": "Liquid requirement link", "id": 6911019, "resourceCreatedDate": "2022-09-22T00:00:33.227Z", "resourceModifiedDate": "2022-09-22T00:00:33.227Z", "revisedDate": "9999-01-01T00:00:00Z" }, "rel": "Hyperlink", "url": "https://liquid.microsoft.com/ref?_reqref=1480D06A-3EBB-45BA-BC81-D79569A7D2C1.rex:%2f%2fscanningtoolwarnings%2fRequirements%2fCodeQL.SM01507" }, { "attributes": { "authorizedDate": "2022-09-22T00:00:33.227Z", "comment": "Issue in LGTM", "id": 6911018, "resourceCreatedDate": "2022-09-22T00:00:33.227Z", "resourceModifiedDate": "2022-09-22T00:00:33.227Z", "revisedDate": "9999-01-01T00:00:00Z" }, "rel": "Hyperlink", "url": "https://onees.lgtm.microsoft.com/issues/1011776/javascript/muXVprDc19olB3p7dbb2kDtHUuA=" } ], "rev": 1, "url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77283" }
```

Work Item Comments (1)

| Created date | Created by | JSON URL |
|---|---|---|
| 2022-09-22T00:00:33.227Z | Bruce Haley | [URL](https://dev.azure.com/FuseLabs/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77283/comments/5137152) |

**Comment text**: Security Rating: Important