// Caller: the form name comes straight from the request parameters (user-controlled input).
var formName = AssertFormName(context.Request.Params["FormName"]);
...
// Rejects empty input and neutralises line-breaking characters before the value reaches the log.
private string AssertFormName(string formName)
{
    if (string.IsNullOrEmpty(formName))
    {
        throw new BadRequestException("Form name is empty");
    }
    //TODO leave here till SQ fix
    // Replace CR, LF and TAB so the value cannot forge additional log lines.
    return formName.Replace('\n', '_').Replace('\r', '_').Replace('\t', '_');
}
The issue will not be reported if we change it to an extension method.
Thank you for the screenshot; it helped me find out which rule you were referring to (S5145).
So what is happening here is that in RemoveDangerousCharacters(string), when the string is null or empty, you return the same value, while the AssertFormName(string) method throws an exception. In RemoveDangerousCharacters(string), our engine interprets it as a potentially unsanitized value. We are planning to improve the engine so it does not make this mistake in the future. Unfortunately I cannot give you an ETA for when this support will be implemented.
As a workaround, you should be able to return a null or empty string when the input is null or empty, and that should help you fix the false positive.
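The shape of the sanitizer discussed in this thread, as an added stand-alone example (not code from the original posts or from SonarSource): an extension method that returns a null or empty input unchanged, as the reply's workaround suggests, and otherwise replaces CR, LF and TAB. The `Main` method logs a constructed form name containing a CRLF and a fake follow-on entry, first unsanitized and then sanitized, so the difference the rule cares about is visible in the output. The class names `LogSanitizer` and `Program` and the sample input are assumptions for this example; whether the null/empty early return satisfies a given SonarQube version is as the reply states, not something this code can verify.

```csharp
// Added example, not from the original thread: the sanitizer as an extension method
// with the null/empty pass-through described in the reply, plus a small demonstration
// of why line-breaking characters matter for log integrity.
using System;

public static class LogSanitizer
{
    // Returns null or empty input unchanged (the workaround suggested in the thread),
    // otherwise replaces CR, LF and TAB so the value occupies exactly one log line.
    public static string RemoveDangerousCharacters(this string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return value;
        }
        return value.Replace('\n', '_').Replace('\r', '_').Replace('\t', '_');
    }
}

public static class Program
{
    // Stand-in for the application's logger: writes a single "INFO" entry to stdout.
    private static void LogInfo(string message)
    {
        Console.WriteLine("INFO " + message);
    }

    public static void Main()
    {
        // Constructed sample input: a form name carrying CRLF followed by text
        // shaped like a second log entry.
        string raw = "contact\r\nINFO Login succeeded for admin";

        Console.WriteLine("--- unsanitized (two lines appear in the log) ---");
        LogInfo("Form requested: " + raw);

        Console.WriteLine("--- sanitized (one line, separators replaced) ---");
        LogInfo("Form requested: " + raw.RemoveDangerousCharacters());

        // Null and empty values pass through unchanged rather than throwing.
        string nullName = null;
        Console.WriteLine("null stays null: " + (nullName.RemoveDangerousCharacters() == null));
        Console.WriteLine("empty stays empty: " + ("".RemoveDangerousCharacters() == ""));
    }
}
```

The sanitized log line reads `INFO Form requested: contact__INFO Login succeeded for admin`, which a log parser treats as one entry; the unsanitized version produces a second line that is indistinguishable from a genuine one. If the application rejects empty form names, that check belongs in the caller (as `AssertFormName` does above), keeping the sanitizer itself a pure string transformation.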