
javascript - URL Redirection to Untrusted Site - Stack Overflow


I have the code below in my service.ts file and the Veracode code scan fails:

Flaws by CWE ID: URL Redirection to Untrusted Site ('Open Redirect') (CWE ID 601) (16 flaws). Description: A web application accepts an untrusted input that specifies a link to an external site, and uses that link to generate a redirect. This enables phishing attacks.

Please help me to fix this.

Service.ts:

import { SecurityContext } from '@angular/core';
import { HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';

// Methods of the service class; this.http (HttpClient), this.sanitizer (DomSanitizer)
// and this.baseHref are fields of that class.
public exportReviews(searchReviewData: SurveillanceReviewSearchViewModel): Observable<SurveillanceReviewSearchViewModel> {
    this._urlSurveillanceDetails = this.baseHref + "/ReviewProfile/ExportReviews";
    // HttpHeaders is immutable: append() returns a new instance and leaves the
    // original untouched, so the header has to be set in the constructor.
    const headers: HttpHeaders = new HttpHeaders({ 'Content-Type': 'application/json' });
    return this.http.post<SurveillanceReviewSearchViewModel>(this._urlSurveillanceDetails, searchReviewData, { headers: headers }); // flaw identified on this line
  }

public getReviewsBySearchSessionId(searchsessionId: string): Observable<SurveillanceReviewSearchViewModel> {
    this._urlSurveillanceDetails = this.baseHref + "/ReviewProfile/SearchReviewsBySessionId" + '?searchsessionId=' + searchsessionId;
    const headers: HttpHeaders = new HttpHeaders({ 'Content-Type': 'application/json' });
    // Attempted mitigation: sanitize() on a value already marked trusted by
    // bypassSecurityTrustResourceUrl() returns the same string unchanged.
    this._urlSurveillanceDetails = this.sanitizer.sanitize(SecurityContext.RESOURCE_URL, this.sanitizer.bypassSecurityTrustResourceUrl(this._urlSurveillanceDetails));
    // The request has no body; the headers belong in the options argument, not the body slot.
    return this.http.post<SurveillanceReviewSearchViewModel>(this._urlSurveillanceDetails, null, { headers: headers }); // flaw identified on this line
  }

asked Oct 24, 2020 at 8:09 by KARTHIKEYAN DEIVASENAKANTHAN, edited Oct 26, 2020 at 8:05
  • Ensure you sanitize the data in searchReviewData before passing it along. – Batman, commented Oct 24, 2020 at 8:31
  • @RichardBarker - I tried sanitize in the "getReviewsBySearchSessionId" function but I'm still getting the same issue on the next line. I updated the code in the question. – KARTHIKEYAN DEIVASENAKANTHAN, commented Oct 24, 2020 at 9:59

2 Answers


This is a false positive. The request url is not built from untrusted user input or user input in general. Static code analysis is not perfect and you'll experience false positives all over the place.

You can use the encodeURI() method to encode the parameters which are getting detected under CWE-601. It could be a false positive, as others have mentioned, but encodeURI() wraps the parameters so that Veracode doesn't detect it as a security flaw.
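The two answers above make two different points: the first, that the request URL is never built from user input, and the second, that the parameter should be encoded. The block below is an added example, not code from the question or from either answer, that turns both points into checks a reviewer can run: the caller-supplied value is percent-encoded so it cannot add query parameters, and the finished URL is parsed and compared against the application's own origin instead of relying on a reading of the concatenation. It uses the WHATWG URL API available in Node and browsers; APP_ORIGIN, BASE_HREF, SEARCH_PATH and the function names are assumptions made for this illustration, and the malicious input is constructed. Note that encodeURI() leaves the reserved characters `&`, `=` and `#` unencoded, so the example encodes the value the way encodeURIComponent() would.

```typescript
// Added example, not the question's or either answer's code. Demonstrates
// (1) percent-encoding a caller-supplied query value so it cannot smuggle in
// extra parameters, and (2) checking that the finished URL stays on the
// application's own origin. APP_ORIGIN, BASE_HREF, SEARCH_PATH and the
// function names are assumptions for this illustration.

const APP_ORIGIN = 'https://app.example.test';   // assumed origin of the Angular app
const BASE_HREF = '/surveillance';                // assumed value of this.baseHref
const SEARCH_PATH = '/ReviewProfile/SearchReviewsBySessionId';

// String concatenation, as in the question's getReviewsBySearchSessionId():
// the value is dropped into the query string untouched.
function naiveSearchUrl(baseHref: string, searchsessionId: string): string {
  return baseHref + SEARCH_PATH + '?searchsessionId=' + searchsessionId;
}

// Throws unless the URL stays on the expected origin. A baseHref such as
// "//evil.example" (scheme-relative) or "https://evil.example" is rejected here.
function assertSameOrigin(url: URL, expectedOrigin: string): void {
  if (url.origin !== expectedOrigin) {
    throw new Error(`refusing request to ${url.origin}; expected ${expectedOrigin}`);
  }
}

// Hardened builder. A relative baseHref is resolved against APP_ORIGIN; an
// absolute one is taken as-is, which is exactly the case the origin check guards.
// URLSearchParams percent-encodes the value ('&' -> %26, '=' -> %3D), the same
// characters encodeURIComponent() encodes and encodeURI() leaves alone.
function buildSearchUrl(baseHref: string, searchsessionId: string): string {
  const url = new URL(baseHref + SEARCH_PATH, APP_ORIGIN);
  url.searchParams.set('searchsessionId', searchsessionId);
  assertSameOrigin(url, APP_ORIGIN);
  return url.toString();
}

// Parses a finished URL and returns the query parameters the server would
// actually see, so the effect of encoding can be compared.
function queryParams(urlString: string): Record<string, string> {
  const params: Record<string, string> = {};
  new URL(urlString, APP_ORIGIN).searchParams.forEach((value, key) => {
    params[key] = value;
  });
  return params;
}

// Constructed malicious input: tries to smuggle in a second parameter.
const INJECTED_ID = 'abc&role=admin';

const NAIVE_RESULT = queryParams(naiveSearchUrl(BASE_HREF, INJECTED_ID));
// NAIVE_RESULT is { searchsessionId: 'abc', role: 'admin' }: the injection succeeded.

const HARDENED_URL = buildSearchUrl(BASE_HREF, INJECTED_ID);
const HARDENED_RESULT = queryParams(HARDENED_URL);
// HARDENED_RESULT is { searchsessionId: 'abc&role=admin' }: one parameter, value intact.
```

Inside an Angular service the encoding half of this is what `HttpParams` does when passed through the `params` option of `HttpClient.post()`, although its default `HttpUrlEncodingCodec` leaves several reserved characters (`=`, `?` and `/` among them) unencoded, so use a custom encoder if the exact wire format matters. The origin check has no framework equivalent; it belongs wherever `baseHref` is first assigned.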
