Web:S5148 could be extended to allow some dynamic URLs

m-gallesio · May 26, 2023, 2:35pm

Language
HTML / Razor (CSHTML)
Rule
Web:S5148 (Authorizing an opened window to access back to the originating window is security-sensitive)
Environment
SonarQube: Community Edition Version 10.0 (build 68432)

The rule suggests using rel="noopener" for links targeting _blank unless using hardcoded relative urls.

I am wondering whether the following dynamic cases would make sense to be allowed:

Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):
```
<a href="#/${someDynamicParameter}" target="_blank">Link text</a>
```
Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):
```
<a href="~/@SomeHelper.BuildUrl("someDynamicParameter")" target="_blank">Link text</a>
```

Please note I am not aware of this change’s deep security implications, so this suggestion should be reviewed by security experts.

egon.okerman · May 30, 2023, 5:07pm

Hello @m-gallesio!

Thank you for the suggestions for rule S5148. Let me give you an answer per case:

Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):

We already try to exclude relative URLs from S5148 (for example, hrefs that start with a /.) But it looks like URLs starting with # were not considered yet. I’ve created a ticket internally so we can fix this.

Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):

I created an internal ticket so we can research this suggestion. For now, rule S5148 does not have framework-specific exclusions. I think it should be feasible to add this as an exclusion to .cshtml files specifically.

gman-wa · July 6, 2023, 4:22pm

Actually this whole noopener thing should go away.

Setting target="_blank" on <a> elements now implicitly provides the same rel behavior as setting rel="noopener" which does not set window.opener .

m-gallesio · July 6, 2023, 7:32pm

That “now” implies a relatively recent (2019 / 2020 / 2021) time period.
Evergreen browsers are of course covered, but the ability to fully skip noopener depends on what browsers developers need to support (see compatibility table on Can I Use).
It might be sensible to remove this rule from the standard Sonar profile, however.