FP: Blazor Identity Components S5146

los93sol · May 14, 2025, 7:38pm

Version 2025.1 (102418)

To reproduce the issue just create a new Blazor Web App project in VS, target .NET 9 and set the Authentication Type to Individual Accounts. Set it to Blazor server as well.

Now scan it and you’ll find that SonarQube complains about an open redirect (S5146) in IdentityRedirectManager.cs.

Yet if you look at the source generated…

        [DoesNotReturn]
        public void RedirectTo(string? uri)
        {
            uri ??= "";

            // Prevent open redirects.
            if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
            {
                uri = navigationManager.ToBaseRelativePath(uri);
            }

            // During static rendering, NavigateTo throws a NavigationException which is handled by the framework as a redirect.
            // So as long as this is called from a statically rendered Identity component, the InvalidOperationException is never thrown.
            navigationManager.NavigateTo(uri);
            throw new InvalidOperationException($"{nameof(IdentityRedirectManager)} can only be used during static rendering.");
        }

It is explicitly being checked for open redirects by changing any non-relative uri to a relative uri so this appears to be a false positive.

renaud.tognelli · May 23, 2025, 1:08pm

Hello Adam and welcome to our community!

Thanks a lot for reaching out to us, and pointing out this problem.

You are totally right, the issue should not be raised here.

I reproduced the error and we will improve our engine to better handle Uri.IsWellFormedUriString
and navigationManager.ToBaseRelativePath impact on user controlled values.

I’ve created an internal ticket to fix this, but I can’t give you a timeline.

Best,

Renaud

los93sol · May 29, 2025, 5:18pm

Thanks for confirming and opening the internal ticket. Please keep me posted as this progresses.

los93sol · June 10, 2025, 3:54pm

Have the improvements to this made it into a release yet? Would love to update and see my projects clean again.

Colin · June 11, 2025, 7:07am

The ticket is still open on our side.

los93sol · July 11, 2025, 5:09pm

Is there a GitHub issue for it that I can track the progress on?

Colin · July 16, 2025, 7:10am

Unfortunately it’s an internal ticket that isn’t visible to non-SonarSourcers – but in good news, it was closed 2 days ago so I would expect it to make it into v2025.4!

Topic		Replies	Views
Redirect is not working in custom plugin SonarQube Server / Community Build sonarqube	2	22	March 5, 2025
Reflected XSS/Open redirect not detected in React application Report False-positive / False-negative... javascript , sonarqube , react	5	1890	August 29, 2022
We re trying to integrate SSO for sonar with OpenID Connect which we are facing this error SonarQube Server / Community Build	2	793	November 28, 2023
Issues SAML Azure AD SonarQube SonarQube Server / Community Build sonarqube , azure , saml	4	718	August 12, 2022
EmailAlreadyExistsRedirectionException in the syslog SonarQube Server / Community Build authentication , saml	3	523	January 19, 2022

FP: Blazor Identity Components S5146

Related topics