Web:S5148 could be extended to allow some dynamic URLs

  • Language
    HTML / Razor (CSHTML)
  • Rule
    Web:S5148 (Authorizing an opened window to access back to the originating window is security-sensitive)
  • Environment
    SonarQube: Community Edition Version 10.0 (build 68432)

The rule suggests using rel="noopener" for links targeting _blank unless hardcoded relative URLs are used.

I am wondering whether the following dynamic cases would make sense to be allowed:

  • Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):
    <a href="#/${someDynamicParameter}" target="_blank">Link text</a>
    
  • Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):
    <a href="~/@SomeHelper.BuildUrl("someDynamicParameter")" target="_blank">Link text</a>
    

Please note I am not aware of this change’s deep security implications, so this suggestion should be reviewed by security experts.

Hello @m-gallesio!

Thank you for the suggestions for rule S5148. Let me give you an answer per case:

Same-page URLs (starting with #), including for Single-Page Applications (we use Aurelia 1):

We already try to exclude relative URLs from S5148 (for example, hrefs that start with a /). But it looks like URLs starting with # were not considered yet. I’ve created a ticket internally so we can fix this.

Automatically expanded placeholders (we use ASP.NET Core / Razor, which uses a tag helper to expand an initial ~ to the application’s root):

I created an internal ticket so we can research this suggestion. For now, rule S5148 does not have framework-specific exclusions. I think it should be feasible to add this as an exclusion to .cshtml files specifically.
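The following is an added example and is not SonarQube's implementation of S5148 nor code from either poster. It is a small JavaScript audit over anchor attributes that applies the exclusions discussed in this thread (hrefs starting with /, #, and the Razor ~/ prefix, classified on the literal template text before interpolation) and flags everything else that opens a new browsing context without rel="noopener". It goes slightly beyond the thread on three points a reviewer would want covered: a protocol-relative href (//host/path) starts with / but names another host, so it is not excluded; rel="noreferrer" counts as safe because the HTML specification defines it to imply noopener; and a named target (target="helpwin") is treated like _blank since it can also open a new window. The names hrefClass, needsNoopener, hardenAnchor, auditAnchors and SAMPLE_ANCHORS, the sample hosts and the Razor helper are this example's own assumptions.

```javascript
// Added example, not SonarQube's implementation and not the posters' code.
// A minimal S5148-style audit of <a> attributes: flag links that open a new
// browsing context without rel="noopener" unless the href provably stays on
// the current origin. The classification below is this example's own.

// Per the HTML spec, rel="noreferrer" implies noopener behaviour as well.
const OPENER_SAFE_REL = new Set(['noopener', 'noreferrer']);

// Targets that reuse the current browsing context instead of opening one.
const SAME_CONTEXT_TARGETS = new Set(['', '_self', '_parent', '_top']);

// Classify an href as written in the template (interpolation not yet expanded).
function hrefClass(href) {
  const h = href.trim();
  if (h.startsWith('#')) return 'fragment';            // same document, incl. SPA hash routes
  if (h.startsWith('//')) return 'protocol-relative';  // starts with "/" but names another host
  if (h.startsWith('/')) return 'root-relative';
  if (h.startsWith('~/')) return 'app-root-relative';  // Razor "~" tag helper (assumption: expanded server-side)
  if (/^[a-z][a-z0-9+.-]*:/i.test(h)) return 'absolute'; // has a scheme: http:, https:, mailto:, javascript:, ...
  if (/^(@|\$\{|\{\{)/.test(h)) return 'dynamic';      // the whole value comes from a template expression
  return 'document-relative';                          // "docs/x.html", "./x", ""
}

const SAME_ORIGIN_CLASSES = new Set(['fragment', 'root-relative', 'app-root-relative', 'document-relative']);

// True when the anchor should be flagged: it opens another browsing context,
// hands it window.opener, and the destination cannot be shown to be same-origin.
function needsNoopener(attrs) {
  const target = (attrs.target || '').trim().toLowerCase();
  if (SAME_CONTEXT_TARGETS.has(target)) return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  if (rel.some((t) => OPENER_SAFE_REL.has(t))) return false;
  if (typeof attrs.href !== 'string') return true;    // no literal href to reason about
  return !SAME_ORIGIN_CLASSES.has(hrefClass(attrs.href));
}

// Return a copy of the attributes with "noopener" added to rel, keeping existing tokens.
function hardenAnchor(attrs) {
  const rel = (attrs.rel || '').split(/\s+/).filter(Boolean);
  if (!rel.some((t) => OPENER_SAFE_REL.has(t.toLowerCase()))) rel.push('noopener');
  return { ...attrs, rel: rel.join(' ') };
}

// Audit a list of anchors; returns the indices that need attention.
function auditAnchors(anchors) {
  return anchors.flatMap((a, i) => (needsNoopener(a) ? [i] : []));
}

// Constructed sample markup as attribute objects (hypothetical hosts and helper).
const SAMPLE_ANCHORS = [
  { href: '#/${someDynamicParameter}', target: '_blank' },                      // 0: SPA hash route
  { href: '~/@SomeHelper.BuildUrl("someDynamicParameter")', target: '_blank' }, // 1: Razor app root
  { href: '/docs/index.html', target: '_blank' },                               // 2: root-relative
  { href: '//cdn.example.org/page', target: '_blank' },                         // 3: protocol-relative, other host
  { href: 'https://partner.example.org/', target: '_blank' },                   // 4: absolute, no rel
  { href: 'https://partner.example.org/', target: '_blank', rel: 'noopener' },  // 5: already hardened
  { href: '@Model.ExternalUrl', target: '_blank' },                             // 6: fully dynamic value
  { href: 'https://partner.example.org/', target: '_self' },                    // 7: same tab, no opener issue
  { href: 'https://partner.example.org/', target: 'helpwin' },                  // 8: named target also opens a window
];

console.log('flagged:', auditAnchors(SAMPLE_ANCHORS)); // flagged: [ 3, 4, 6, 8 ]
console.log('hardened:', hardenAnchor(SAMPLE_ANCHORS[4]));
```

The issue the rule guards against is reverse tabnabbing: a page opened with window.opener set can run window.opener.location = "https://phishing.example/" and replace the originating tab with a look-alike while the user is away on the new one; rel="noopener" makes window.opener null in the opened page. Same-origin destinations are excluded because a page you already serve can run that script without needing an opener handle. Note that the check works on the template text, so "~/@Url" stays excluded because its prefix is hardcoded while "@Url" alone is flagged, which is the distinction the question draws. Current browsers apply noopener behaviour to target="_blank" by default, so the explicit attribute mainly protects users on older browsers.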