Fortify Scan reports an 'Open Redirect' security vulnerability in
window.open(strURL, "_blank", features)
My code:
var features = "status=no, toolbar=no, menubar=no, location=no, top=20, left=175, height=500, width=750";
var strURL = ADMIN_TOOL_SNOOP + "?machineName=" + strMachine + "&template=snoop" + "&context=DEBUG&date=" + strDate.replace(regExp, "");
// Allow only dots, ASCII letters/digits and whitespace, up to 1024 characters.
// The RegExp constructor takes the pattern without surrounding slashes; \p{Alnum} and the
// possessive quantifier {0,1024}+ are not valid JavaScript, and the "g" flag is dropped
// because it makes test() stateful between calls.
var validateStrURL = new RegExp("^[.A-Za-z0-9\\s]{0,1024}$");
if (validateStrURL.test(strURL))
{
    if ((strURL != null) && (strURL.length != 0) && (strURL.length <= 200))
    {
        window.open(strURL, "_blank", features);
    }
}
How do I fix it?
When detecting issues, HP Fortify is performing static code analysis based on a number of rules. In the case of "Open Redirect" issues, it is detecting that you are redirecting to a URL that is made up of data passed to or created in your JavaScript. This is generally considered to be open to manipulation by phishing and other attacks.
Instead of defining ADMIN_TOOL_SNOOP on the client-side and using it to build the URL in JavaScript, try having a set of pre-determined destinations defined on the server-side using a redirect page, and then have your JavaScript pass the destination page as a parameter.
For example, in your client side code have
window.open('redirect.php?destination=ADMIN_TOOL&template=...')
Then, in your server side code, you would have a table similar to
DESTINATION_CODE | ACTUAL_URL
--------------------------------------
ADMIN_TOOL | my_actual_page.php
ANOTHER_CODE | another_page.php
When the server receives a redirect request, it should look up the matching code and redirect the page to the actual URL. In the case of a non-matching code, an error should be returned, or no redirection should occur.
In summary, you are creating a white list of allowed URLs that is controlled on the server side instead of the client side, meaning it is not open to client-side manipulation.
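The server-side redirect page described above, as an added example that is not from the original answer: an allowlist lookup written in plain JavaScript so it runs under Node without a web framework. The names DESTINATIONS, PARAM_RULES, resolveRedirect and handleRedirectRequest, the example.com URLs and the forwarded query keys are assumptions; it goes slightly beyond the answer by also constraining the parameters that are forwarded to the real page.

```javascript
// Added example, not code from the original answer: a server-side resolver
// for the redirect page it describes, written as plain functions so it runs
// under Node without a web framework. DESTINATIONS, PARAM_RULES and the
// query keys "destination", "machineName" and "template" are assumed names.

// Allowlist kept on the server: the client only ever sends a code.
const DESTINATIONS = Object.freeze({
  ADMIN_TOOL: "https://intranet.example.com/admin/my_actual_page.php",
  ANOTHER_CODE: "https://intranet.example.com/another_page.php",
});

// Parameters forwarded to the real page are constrained too; otherwise the
// allowlisted base could still be followed by injected path or query fragments.
const PARAM_RULES = Object.freeze({
  machineName: /^[A-Za-z0-9.-]{1,64}$/,
  template: /^[A-Za-z0-9_-]{1,32}$/,
});

// Returns the absolute URL to redirect to, or null when the request must be
// refused (unknown code, or a forwarded parameter that fails its rule).
function resolveRedirect(queryString) {
  const query = new URLSearchParams(queryString);
  const code = query.get("destination");
  if (code === null || !Object.prototype.hasOwnProperty.call(DESTINATIONS, code)) {
    return null;
  }
  const target = new URL(DESTINATIONS[code]);
  for (const [name, rule] of Object.entries(PARAM_RULES)) {
    const value = query.get(name);
    if (value === null) continue;
    if (!rule.test(value)) return null;
    target.searchParams.set(name, value);
  }
  // Any other client-supplied key (e.g. context=DEBUG) is dropped, not forwarded.
  return target.toString();
}

// Minimal HTTP-style outcome: 302 to the resolved URL, or 400 with no
// Location header so an invalid code never redirects anywhere.
function handleRedirectRequest(queryString) {
  const location = resolveRedirect(queryString);
  if (location === null) {
    return { status: 400, headers: {} };
  }
  return { status: 302, headers: { Location: location } };
}
```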