SEC109 False Positive

[kyleherzog]

In VS2017 SEC0109 is being raised with the following example code, which pretty much mirrors what the documentation says to do to fix it.

        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl); //this line is flagged with SEC109
        }

[ejohn20]

Confirmed bug. Add the IsLocalUrl to the acceptable cleanse methods for SEC0109.

[ejohn20]

This will be addressed using a new code block analyzer for taint analysis within a block of code.

[serbentraut]

Same bug appears to apply to SEC110, which is a Web Forms redirect.

[ejohn20]

Perfect, we'll make sure both rules are fixable using the code suggestions. For now, you can suppress them by right clicking the warning and adding them to the suppression file.

[ejohn20]

In VS2017 SEC0109 is being raised with the following example code, which pretty much mirrors what the documentation says to do to fix it.

Confirmed this is fixed in 2.0 using the new code block analyzer. The method must be invoked on the tainted variable inside the same code block. The analyzers are not smart enough to traces this through multiple method calls.

Same bug appears to apply to SEC110, which is a Web Forms redirect.

The issues was also corrected by the code block analyzer. This code does not get flagged in the 2.0+ version of the analyzers:

Uri uri;
string url = Request.QueryString["returnUrl"];
if (Uri.TryCreate(url, UriKind.Relative, out uri))
{
      Response.Redirect(url);
}