Closed BruceHaley closed 2 years ago
| Created date | Created by | Changed date | Changed By | Assigned To | State | Type | Area Path | Iteration Path |
|---|---|---|---|---|---|---|---|---|
| 2022-09-22T00:00:33.227Z | Bruce Haley | 2022-09-22T00:00:33.227Z | Bruce Haley | Tracy Boehrer | New | Bug | SDK_v4\Code Analysis | SDK_v4\Sprint 1 |
```json
{
"commentVersionRef": {
"commentId": 5137152,
"url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77283/comments/5137152/versions/1",
"version": 1
},
"fields": {
"BotFramework.IsException": false,
"Custom.SecuritySeverity": "Important",
"Microsoft.VSTS.Common.Priority": 2,
"Microsoft.VSTS.Common.Severity": "2 - High",
"Microsoft.VSTS.Common.StateChangeDate": "2022-09-22T00:00:33.227Z",
"Microsoft.VSTS.Common.ValueArea": "Business",
"Microsoft.VSTS.TCM.ReproSteps": "Summary:\nCodeQL detected the following issue: Client-side URL redirect (Help link)\nRepository: https://github.com/microsoft/botbuilder-dotnet/tree/main?&path=/build/AnalyzeDeps/InterdependencyGraph.html&line=346&lineStartColumn=16&lineEndColumn=19\nFile: /build/AnalyzeDeps/InterdependencyGraph.html\nLocation: Line 346, Column 16 - 19\nLink: (Link to LGTM)\nRecommendations:\nUntrusted URL redirection due to user-provided value.\n\nClient-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.\nMicrosoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204\nRequirement: CodeQL.SM01507 (Link to Liquid Requirement)\nConfidence: high",
"Microsoft.VSTS.TCM.SystemInfo": "This item was created with CodeQL automated bug filer from CodeQL static analysis tool (formerly known as Semmle).\nFor more information, see CodeQL @ Microsoft.To change onboarding settings, visit CodeQL Portal.\nTo suppress, add a comment in code (see more details here.)",
"System.AreaId": 140243,
"System.AreaLevel1": "SDK_v4",
"System.AreaLevel2": "Code Analysis",
"System.AreaPath": "SDK_v4\\Code Analysis",
"System.AssignedTo": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk"
}
},
"descriptor": "aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk",
"displayName": "Tracy Boehrer",
"id": "282aa7ce-f8a4-68bc-b336-ef0700020fcd",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MjgyYWE3Y2UtZjhhNC03OGJjLWIzMzYtZWYwNzAwMDIwZmNk",
"uniqueName": "trboehre@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/282aa7ce-f8a4-68bc-b336-ef0700020fcd"
},
"System.AuthorizedAs": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl"
}
},
"descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"displayName": "Bruce Haley",
"id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"uniqueName": "v-brucehaley@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e"
},
"System.AuthorizedDate": "2022-09-22T00:00:33.227Z",
"System.ChangedBy": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl"
}
},
"descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"displayName": "Bruce Haley",
"id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"uniqueName": "v-brucehaley@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e"
},
"System.ChangedDate": "2022-09-22T00:00:33.227Z",
"System.CommentCount": 1,
"System.CreatedBy": {
"_links": {
"avatar": {
"href": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl"
}
},
"descriptor": "aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"displayName": "Bruce Haley",
"id": "2a75aeb2-c077-6380-89fd-c598cbcdcc1e",
"imageUrl": "https://fuselabs.visualstudio.com/_apis/GraphProfile/MemberAvatars/aad.MmE3NWFlYjItYzA3Ny03MzgwLTg5ZmQtYzU5OGNiY2RjYzFl",
"uniqueName": "v-brucehaley@microsoft.com",
"url": "https://spsprodeus27.vssps.visualstudio.com/Af8bfd07b-8a79-40e8-afc6-1b1c57ec2a7b/_apis/Identities/2a75aeb2-c077-6380-89fd-c598cbcdcc1e"
},
"System.CreatedDate": "2022-09-22T00:00:33.227Z",
"System.Description": "Summary:\nCodeQL detected the following issue: Client-side URL redirect (Help link)\nRepository: https://github.com/microsoft/botbuilder-dotnet/tree/main?&path=/build/AnalyzeDeps/InterdependencyGraph.html&line=346&lineStartColumn=16&lineEndColumn=19\nFile: /build/AnalyzeDeps/InterdependencyGraph.html\nLocation: Line 346, Column 16 - 19\nLink: (Link to LGTM)\nRecommendations:\nUntrusted URL redirection due to user-provided value.\n\nClient-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.\nMicrosoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204\nRequirement: CodeQL.SM01507 (Link to Liquid Requirement)\nConfidence: high",
"System.History": "Security Rating: Important\n",
"System.Id": 77283,
"System.IterationId": 139042,
"System.IterationLevel1": "SDK_v4",
"System.IterationLevel2": "Sprint 1",
"System.IterationPath": "SDK_v4\\Sprint 1",
"System.NodeName": "Code Analysis",
"System.PersonId": 48095448,
"System.Reason": "New defect reported",
"System.Rev": 1,
"System.RevisedDate": "9999-01-01T00:00:00Z",
"System.State": "New",
"System.Tags": "CodeQL; external/cwe/cwe-079; external/cwe/cwe-116; external/cwe/cwe-601; sdl-recommended; sdl-required; security; ServiceOid 0ab2a10f-f0a6-40c7-8b24-f718d4c3cf88",
"System.TeamProject": "SDK_v4",
"System.Title": "CodeQL alert SM01507: Client-side URL redirect in microsoft/microsoft/botbuilder-dotnet/botbuilder-dotnet",
"System.Watermark": 324147,
"System.WorkItemType": "Bug",
"WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column": "New",
"WEF_2AF1BD8A732542D29D4104AD064A9D25_Kanban.Column.Done": false,
"WEF_2AF1BD8A732542D29D4104AD064A9D25_System.ExtensionMarker": true
},
"id": 77283,
"relations": [
{
"attributes": {
"authorizedDate": "2022-09-22T00:00:33.227Z",
"comment": "Liquid requirement link",
"id": 6911019,
"resourceCreatedDate": "2022-09-22T00:00:33.227Z",
"resourceModifiedDate": "2022-09-22T00:00:33.227Z",
"revisedDate": "9999-01-01T00:00:00Z"
},
"rel": "Hyperlink",
"url": "https://liquid.microsoft.com/ref?_reqref=1480D06A-3EBB-45BA-BC81-D79569A7D2C1.rex:%2f%2fscanningtoolwarnings%2fRequirements%2fCodeQL.SM01507"
},
{
"attributes": {
"authorizedDate": "2022-09-22T00:00:33.227Z",
"comment": "Issue in LGTM",
"id": 6911018,
"resourceCreatedDate": "2022-09-22T00:00:33.227Z",
"resourceModifiedDate": "2022-09-22T00:00:33.227Z",
"revisedDate": "9999-01-01T00:00:00Z"
},
"rel": "Hyperlink",
"url": "https://onees.lgtm.microsoft.com/issues/1011776/javascript/muXVprDc19olB3p7dbb2kDtHUuA="
}
],
"rev": 1,
"url": "https://fuselabs.visualstudio.com/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77283"
}
```
| Created date | Created by | JSON URL |
|---|---|---|
| 2022-09-22T00:00:33.227Z | Bruce Haley | [URL](https://dev.azure.com/FuseLabs/86659c66-c9df-418a-a371-7de7aed35064/_apis/wit/workItems/77283/comments/5137152) |
**Comment text**: Security Rating: Important

-----------

**Repro Steps**
Summary:
CodeQL detected the following issue: Client-side URL redirect (Help link)
Repository: https://github.com/microsoft/botbuilder-dotnet/blob/main/build/AnalyzeDeps/InterdependencyGraph.html#L346&lineStartColumn=16&lineEndColumn=19
File: /build/AnalyzeDeps/InterdependencyGraph.html
Location: Line 346, Column 16 - 19
Link: (Link to LGTM)
Recommendations:
Untrusted URL redirection due to user-provided value.
Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites.
Microsoft requirement(s): Microsoft.Security.SystemsADM.10201;Microsoft.Security.SystemsADM.10204
Requirement: CodeQL.SM01507 (Link to Liquid Requirement)
Confidence: high
**System Info**
This issue is a copy of this original ADO work item. This item was created with the CodeQL automated bug filer from the CodeQL static analysis tool (formerly known as Semmle).
For more information, see CodeQL @ Microsoft. To change onboarding settings, visit the CodeQL Portal.
To suppress, add a comment in code (see more details here).