FP: Blazor Identity Components S5146

Version 2025.1 (102418)

To reproduce the issue just create a new Blazor Web App project in VS, target .NET 9 and set the Authentication Type to Individual Accounts. Set it to Blazor server as well.

Now scan it and you’ll find that SonarQube complains about an open redirect (S5146) in IdentityRedirectManager.cs.

Yet if you look at the source generated…

        [DoesNotReturn]
        public void RedirectTo(string? uri)
        {
            uri ??= "";

            // Prevent open redirects.
            if (!Uri.IsWellFormedUriString(uri, UriKind.Relative))
            {
                uri = navigationManager.ToBaseRelativePath(uri);
            }

            // During static rendering, NavigateTo throws a NavigationException which is handled by the framework as a redirect.
            // So as long as this is called from a statically rendered Identity component, the InvalidOperationException is never thrown.
            navigationManager.NavigateTo(uri);
            throw new InvalidOperationException($"{nameof(IdentityRedirectManager)} can only be used during static rendering.");
        }

It is explicitly being checked for open redirects by changing any non-relative uri to a relative uri so this appears to be a false positive.

Hello Adam and welcome to our community!

Thanks a lot for reaching out to us, and pointing out this problem.

You are totally right, the issue should not be raised here.

I reproduced the error and we will improve our engine to better handle Uri.IsWellFormedUriString
and navigationManager.ToBaseRelativePath impact on user controlled values.

I’ve created an internal ticket to fix this, but I can’t give you a timeline.

Best,

Renaud

Thanks for confirming and opening the internal ticket. Please keep me posted as this progresses.

Have the improvements to this made it into a release yet? Would love to update and see my projects clean again.

The ticket is still open on our side.