fix(charts): block unsafe urls in chart click-to-navigate handlers (microsoft#35857)

Author: mainframev

change/@fluentui-react-charting-3a1e68bb-2e6a-4a45-b4cf-cf16323fbb26.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "fix(charts): block unsafe urls in chart click-to-navigate handlers",
+  "packageName": "@fluentui/react-charting",
+  "email": "vgenaev@gmail.com",
+  "dependentChangeType": "patch"
+}

change/@fluentui-react-charts-202dd3bd-ebc4-49dc-9d84-f7a781e9fa6d.json

@@ -0,0 +1,7 @@
+{
+  "type": "patch",
+  "comment": "fix(charts): block unsafe urls in chart click-to-navigate handlers",
+  "packageName": "@fluentui/react-charts",
+  "email": "vgenaev@gmail.com",
+  "dependentChangeType": "patch"
+}

packages/charts/react-charting/src/components/DonutChart/Arc/Arc.tsx

@@ -5,7 +5,7 @@ import { getStyles } from './Arc.styles';
 import { IChartDataPoint } from '../index';
 import { IArcProps, IArcStyleProps, IArcStyles } from './index';
 import { format as d3Format } from 'd3-format';
-import { formatScientificLimitWidth } from '../../../utilities/index';
+import { formatScientificLimitWidth, isSafeUrl } from '../../../utilities/index';
 import type { JSXElement } from '@fluentui/utilities';
 
 export interface IArcState {
@@ -118,7 +118,9 @@ export class Arc extends React.Component<IArcProps, IArcState> {
   };
 
   private _redirectToUrl(href: string | undefined): void {
-    href ? (window.location.href = href) : '';
+    if (href && isSafeUrl(href)) {
+      window.location.href = href;
+    }
   }
 
   private _getAriaLabel = (): string => {

packages/charts/react-charting/src/components/GroupedVerticalBarChart/GroupedVerticalBarChart.base.tsx

@@ -38,6 +38,7 @@ import {
   calcTotalBandUnits,
   calcRequiredWidth,
   getColorFromToken,
+  isSafeUrl,
 } from '../../utilities/index';
 import {
   IAccessibilityProps,
@@ -420,7 +421,9 @@ export class GroupedVerticalBarChartBase
   };
 
   private _redirectToUrl = (href: string | undefined): void => {
-    href ? (window.location.href = href) : '';
+    if (href && isSafeUrl(href)) {
+      window.location.href = href;
+    }
   };
 
   private _buildGraph = (

packages/charts/react-charting/src/components/StackedBarChart/MultiStackedBarChart.base.tsx

@@ -19,6 +19,7 @@ import {
   formatScientificLimitWidth,
   getAccessibleDataObject,
   getNextGradient,
+  isSafeUrl,
 } from '../../utilities/index';
 import { FocusableTooltipText } from '../../utilities/FocusableTooltipText';
 import type { JSXElement } from '@fluentui/utilities';
@@ -629,7 +630,9 @@ export class MultiStackedBarChartBase extends React.Component<IMultiStackedBarCh
   };
 
   private _redirectToUrl(href: string | undefined): void {
-    href ? (window.location.href = href) : '';
+    if (href && isSafeUrl(href)) {
+      window.location.href = href;
+    }
   }
 
   private _closeCallout = () => {

packages/charts/react-charting/src/components/StackedBarChart/StackedBarChart.base.tsx

@@ -6,7 +6,7 @@ import { IAccessibilityProps, IChartDataPoint, IChartProps } from './index';
 import { IRefArrayData, IStackedBarChartProps, IStackedBarChartStyleProps, IStackedBarChartStyles } from '../../index';
 import { Callout, DirectionalHint } from '@fluentui/react/lib/Callout';
 import { FocusZone, FocusZoneDirection } from '@fluentui/react-focus';
-import { ChartHoverCard, getAccessibleDataObject, getNextGradient } from '../../utilities/index';
+import { ChartHoverCard, getAccessibleDataObject, getNextGradient, isSafeUrl } from '../../utilities/index';
 import { FocusableTooltipText } from '../../utilities/FocusableTooltipText';
 import { formatToLocaleString } from '@fluentui/chart-utilities';
 import type { JSXElement } from '@fluentui/utilities';
@@ -508,7 +508,9 @@ export class StackedBarChartBase extends React.Component<IStackedBarChartProps,
   };
 
   private _redirectToUrl(href: string | undefined): void {
-    href ? (window.location.href = href) : '';
+    if (href && isSafeUrl(href)) {
+      window.location.href = href;
+    }
   }
 
   private _closeCallout = () => {

packages/charts/react-charting/src/components/VerticalStackedBarChart/VerticalStackedBarChart.base.tsx

@@ -64,6 +64,7 @@ import {
   calcTotalWidth,
   calcBandwidth,
   calcRequiredWidth,
+  isSafeUrl,
 } from '../../utilities/index';
 import { IChart, IImageExportOptions } from '../../types/index';
 import { exportChartsAsImage } from '../../utilities/image-export-utils';
@@ -887,7 +888,9 @@ export class VerticalStackedBarChartBase
     mouseEvent: React.MouseEvent<SVGElement>,
   ): void {
     this.props.onBarClick?.(mouseEvent, data);
-    this.props.href ? (window.location.href = this.props.href) : '';
+    if (this.props.href && isSafeUrl(this.props.href)) {
+      window.location.href = this.props.href;
+    }
   }
 
   private _getBarGapAndScale(

packages/charts/react-charting/src/utilities/UtilityUnitTests.test.ts

@@ -1513,3 +1513,70 @@ describe('generateMonthlyTicks', () => {
     expect(ticks.map(d => formatLocalDate(d))).toEqual(['2020-01-01', '2020-03-01', '2020-05-01', '2020-07-01']);
   });
 });
+
+describe('isSafeUrl', () => {
+  test('Should allow http URL', () => {
+    expect(utils.isSafeUrl('http://example.com')).toBe(true);
+  });
+
+  test('Should allow https URL', () => {
+    expect(utils.isSafeUrl('https://example.com')).toBe(true);
+  });
+
+  test('Should allow https URL with path, query, and fragment', () => {
+    expect(utils.isSafeUrl('https://example.com/path?q=1#section')).toBe(true);
+  });
+
+  test('Should allow relative path', () => {
+    expect(utils.isSafeUrl('/dashboard')).toBe(true);
+  });
+
+  test('Should allow relative path without leading slash', () => {
+    expect(utils.isSafeUrl('dashboard/overview')).toBe(true);
+  });
+
+  test('Should allow fragment-only URL', () => {
+    expect(utils.isSafeUrl('#section')).toBe(true);
+  });
+
+  test('Should allow query-only URL', () => {
+    expect(utils.isSafeUrl('?page=2')).toBe(true);
+  });
+
+  test('Should allow empty string', () => {
+    expect(utils.isSafeUrl('')).toBe(true);
+  });
+
+  test('Should block javascript: protocol', () => {
+    // eslint-disable-next-line no-script-url
+    expect(utils.isSafeUrl('javascript:alert(1)')).toBe(false);
+  });
+
+  test('Should block data: protocol', () => {
+    expect(utils.isSafeUrl('data:text/html,<script>alert(1)</script>')).toBe(false);
+  });
+
+  test('Should block vbscript: protocol', () => {
+    expect(utils.isSafeUrl('vbscript:msgbox("xss")')).toBe(false);
+  });
+
+  test('Should block file: protocol', () => {
+    expect(utils.isSafeUrl('file:///etc/passwd')).toBe(false);
+  });
+
+  test('Should block ftp: protocol', () => {
+    expect(utils.isSafeUrl('ftp://example.com/file')).toBe(false);
+  });
+
+  test('Should block custom: protocol', () => {
+    expect(utils.isSafeUrl('custom:payload')).toBe(false);
+  });
+
+  test('Should allow a path that contains a colon but is not a scheme', () => {
+    expect(utils.isSafeUrl('/path/to:resource')).toBe(true);
+  });
+
+  test('Should allow a path starting with a digit before colon', () => {
+    expect(utils.isSafeUrl('123:not-a-scheme')).toBe(true);
+  });
+});

packages/charts/react-charting/src/utilities/utilities.ts

@@ -2554,3 +2554,11 @@ const truncateTextToFitWidth = (text: string, maxWidth: number, measure: (s: str
 
   return text.slice(0, lo) + '...';
 };
+
+export function isSafeUrl(href: string): boolean {
+  if (/^[a-z][a-z0-9+.-]*:/i.test(href)) {
+    return /^https?:/i.test(href);
+  }
+
+  return true;
+}

packages/charts/react-charts/library/src/components/VerticalStackedBarChart/VerticalStackedBarChart.tsx

@@ -59,6 +59,7 @@ import {
   calcBandwidth,
   calcRequiredWidth,
   sortAxisCategories,
+  isSafeUrl,
 } from '../../utilities/index';
 import { formatDateToLocaleString, isInvalidValue } from '@fluentui/chart-utilities';
 import { useImageExport } from '../../utilities/hooks';
@@ -309,7 +310,9 @@ export const VerticalStackedBarChart: React.FunctionComponent<VerticalStackedBar
     mouseEvent: React.MouseEvent<SVGElement>,
   ): void => {
     props.onBarClick?.(mouseEvent, data);
-    props.href ? (window.location.href = props.href) : '';
+    if (props.href && isSafeUrl(props.href)) {
+      window.location.href = props.href;
+    }
   };
 
   function _adjustProps(): void {