Change this code to not perform client-side redirection based on user-controlled data

ayushcs · March 10, 2023, 6:04am

Hi,
I am getting Change this code to not perform client-side redirection based on user-controlled data. error in the below snippet although I have added the condition for specific urls but still. it is saying at top.location that “this invocation is not safe; a malicious value can be used as argument”

Can u please help me with this?

<script type="text/javascript">
      if (self === top) {
        // will remove the styling
        var antiClickjack = document.getElementById("antiClickjack");
        antiClickjack.parentNode.removeChild(antiClickjack);
      } else if (self.location.href.startsWith('https://dev.example.com/') || self.location.href.startsWith('https://qa.example.com/') || self.location.href.startsWith('https://abc.example.com/')) {
        // allow only example.com and https
        top.location = self.location.href;
      }
</script>

Loris_Sierra · March 15, 2023, 8:59am

Hello @ayushcs ,

Thanks for your feedback and welcome to our community!

I agree that this strongly looks like a false positive, you can add it as a false positive.
On my side, I am going to investigate why this is not detected as safe as soon as I can and come back to this thread with my conclusions.

Cheers !

Loris

Loris_Sierra · March 21, 2023, 8:42am

Hello @ayushcs,

Unfortunately, I can’t reproduce it with the sample you provided. Can you tell me what steps are displayed to you?

Here is an example of what I am interested to see, to understand what is going wrong with the analysis of your code. The steps I am looking for are the numbers on the code, and the flow explanation on the left.

(Do not hesitate to crop out sensitive information, if the code base is not meant to be shared)

Cheers,

Loris