FP: Blazor Identity Components S5146

Version 2025.1 (102418)

To reproduce the issue just create a new Blazor Web App project in VS, target .NET 9 and set the Authentication Type to Individual Accounts. Set it to Blazor server as well.

Now scan it and you’ll find that SonarQube complains about an open redirect (S5146) in IdentityRedirectManager.cs.

Yet if you look at the source generated…

        [DoesNotReturn]
        public void RedirectTo(string? uri)
        {
            uri ??= "";

            // Prevent open redirects.
            if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
            {
                uri = navigationManager.ToBaseRelativePath(uri);
            }

            // During static rendering, NavigateTo throws a NavigationException which is handled by the framework as a redirect.
            // So as long as this is called from a statically rendered Identity component, the InvalidOperationException is never thrown.
            navigationManager.NavigateTo(uri);
            throw new InvalidOperationException($"{nameof(IdentityRedirectManager)} can only be used during static rendering.");
        }

It is explicitly being checked for open redirects by changing any non-relative uri to a relative uri so this appears to be a false positive.
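To see concretely what the two calls in that guard do with different inputs, here is an added example (not part of the original post or of the ASP.NET Core template) that runs the same sanitising step outside a Blazor host. It assumes a hypothetical base address of https://app.example/ and a minimal NavigationManager subclass; relative paths pass through unchanged, absolute URIs under the base are stripped to a base-relative path, and an absolute URI on another host makes ToBaseRelativePath throw an ArgumentException instead of being navigated to.

```csharp
// Added example, not code from the original post or the Blazor template.
// Build as a console app with <FrameworkReference Include="Microsoft.AspNetCore.App" />.
using System;
using Microsoft.AspNetCore.Components;

// Minimal NavigationManager: only seeds BaseUri/Uri through the protected Initialize,
// so ToBaseRelativePath can be exercised without a running Blazor app.
sealed class ProbeNavigationManager : NavigationManager
{
    public ProbeNavigationManager(string baseUri) => Initialize(baseUri, baseUri);
}

static class RedirectProbe
{
    // Mirrors the sanitising step of the generated RedirectTo (everything before
    // NavigateTo) and returns the value that would be passed to NavigateTo.
    public static string Sanitize(NavigationManager nav, string? uri)
    {
        uri ??= "";
        if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
        {
            // Absolute URIs end up here; ToBaseRelativePath only accepts those
            // under BaseUri and throws ArgumentException for any other host.
            uri = nav.ToBaseRelativePath(uri);
        }
        return uri;
    }

    public static void Main()
    {
        var nav = new ProbeNavigationManager("https://app.example/"); // hypothetical base
        string[] inputs = // constructed sample inputs
        {
            "Account/Manage",                      // relative: unchanged
            "https://app.example/Account/Manage",  // under base: becomes "Account/Manage"
            "https://app.example/?returnUrl=x",    // under base, query only: becomes "?returnUrl=x"
            "https://other.example/Account/Manage" // foreign host: ArgumentException
        };
        foreach (var input in inputs)
        {
            try
            {
                Console.WriteLine($"{input,-42} -> \"{Sanitize(nav, input)}\"");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine($"{input,-42} -> rejected: {ex.Message}");
            }
        }
    }
}
```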

Hello Adam and welcome to our community! :slight_smile:

Thanks a lot for reaching out to us, and pointing out this problem.

You are totally right, the issue should not be raised here.

I reproduced the error and we will improve our engine to better handle the impact of Uri.IsWellFormedUriString and navigationManager.ToBaseRelativePath on user-controlled values.

I’ve created an internal ticket to fix this, but I can’t give you a timeline.

Best,

Renaud


Thanks for confirming and opening the internal ticket. Please keep me posted as this progresses.

Have the improvements to this made it into a release yet? Would love to update and see my projects clean again.

The ticket is still open on our side.

Is there a GitHub issue for it that I can track the progress on?

Unfortunately it’s an internal ticket that isn’t visible to non-SonarSourcers – but in good news, it was closed 2 days ago so I would expect it to make it into v2025.4!