Status: Closed

### Description of the false positive

Code that concatenates user input onto a URL with a `?` to the left of the tainted value is recognized as sanitized, but the same code written with string interpolation or `string.Format` instead of concatenation generates an alert.
### Code samples or links to source code

Code with no alerts:

```csharp
var userInput = Request.QueryString["Item"];
Response.Redirect("Home.aspx?Item=" + userInput); // concatenation: no alert
```

Equivalent code that generates alerts:

```csharp
var userInput = Request.QueryString["Item"];
Response.Redirect(string.Format("Home.aspx?Item={0}", userInput)); // string.Format: alert
```

```csharp
var userInput = Request.QueryString["Item"];
Response.Redirect($"Home.aspx?Item={userInput}"); // interpolation: alert
```
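As an added illustration (not code from the report or from CodeQL), the following console program shows that the three spellings build the identical string, and why a fixed path followed by `?` keeps the redirect on the local page whatever the input contains; it also shows the encoded form that stops the value from injecting extra query parameters or a fragment. The page name `Home.aspx`, the base host `example.test` and the sample inputs are assumptions chosen for the demonstration.

```csharp
using System;

static class RedirectTargets
{
    const string Page = "Home.aspx"; // fixed target page, as in the report

    // The three spellings the report compares; all yield the same string.
    public static string Concat(string item)      => Page + "?Item=" + item;
    public static string Format(string item)      => string.Format("{0}?Item={1}", Page, item);
    public static string Interpolate(string item) => $"{Page}?Item={item}";

    // Hardened form: percent-encode the value so '&', '#' or '/' in the input
    // cannot add parameters, a fragment or alter how the query is parsed.
    public static string Encoded(string item) => $"{Page}?Item={Uri.EscapeDataString(item)}";

    // True when the resolved URL still points at the fixed host and path,
    // i.e. the user-controlled part ended up only in the query component.
    public static bool StaysLocal(string url)
    {
        var baseUri = new Uri("https://example.test/"); // assumed site origin
        var resolved = new Uri(baseUri, url);
        return resolved.Host == baseUri.Host && resolved.AbsolutePath == "/" + Page;
    }

    static void Main()
    {
        // Constructed sample inputs, including ones that would be open-redirect
        // payloads if they appeared before the '?' instead of after it.
        string[] inputs = { "42", "//evil.example/", "x&Item=y", "x#frag" };

        foreach (var input in inputs)
        {
            bool same = Concat(input) == Format(input) && Format(input) == Interpolate(input);
            Console.WriteLine($"input={input,-18} identical={same}");
            Console.WriteLine($"  raw:     {Concat(input),-36} local={StaysLocal(Concat(input))}");
            Console.WriteLine($"  encoded: {Encoded(input),-36} local={StaysLocal(Encoded(input))}");
        }
    }
}
```

Every row reports `local=True`, which is the property the `?` sanitizer relies on; the encoded column additionally keeps `&` and `#` from being interpreted as query or fragment delimiters.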
### URL to the alert on GitHub code scanning (optional)

The alert is in a private repository.