Module ClientSideUrlRedirect

Contains a class with flow states that are used by multiple queries.

Holds if node extracts a part of a URL that does not contain the suffix.

Holds if substring refers to a substring of base which is considered untrusted when base is the current URL.

A write to a href or similar attribute viewed as a ScriptUrlSink.

A write of an attribute which may execute JavaScript code or exfiltrate data to an attacker controlled site.

The first argument to a call to openExternal seen as a sink for unvalidated URL redirection. Improper use of openExternal can be leveraged to compromise the user’s host. When openExternal is used with untrusted content, it can be leveraged to execute arbitrary commands.

A write to the location using the history library

An argument to importScripts(..) - which is used inside WebWorkers to import new scripts - viewed as a ScriptUrlSink.

A sink which is used to set the window location.

A call to change the current url with a Next.js router.

A write to an React attribute which may execute JavaScript code.

DEPRECATED: Use ActiveThreatModelSource from Concepts instead!

A sanitizer for unvalidated URL redirect vulnerabilities.

An expression that may be interpreted as the URL of a script.

A data flow sink for unvalidated URL redirect vulnerabilities.

A data flow source for unvalidated URL redirect vulnerabilities.

An argument expression to new Worker(...), viewed as a ScriptUrlSink.

DEPRECATED. Replaced by functionality from the TaintedUrlSuffix library.