rspec/rules/S5693/csharp/rule.adoc

include::../description.adoc[]

include::../ask-yourself.adoc[]

include::../recommended.adoc[]

== Sensitive Code Example

----
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [HttpPost]
    [DisableRequestSizeLimit] // Sensitive: No size  limit
    [RequestSizeLimit(10000000)] // Sensitive: 10MB is more than the recommended limit of 8MB
    public IActionResult PostRequest(Model model) 
    {
    // ...
    }

    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 8000000)] // Sensitive: 10MB is more than the recommended limit of 8MB
    public IActionResult MultipartFormRequest(Model model)
    {
    // ...
    }
}
----

In Web.config:

----
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="81920" executionTimeout="3600" />
        <!-- Sensitive: maxRequestLength is exprimed in KB, so 81920KB = 80MB  -->
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="83886080" />
                <!-- Sensitive: maxAllowedContentLength is exprimed in bytes, so 83886080B = 80MB  -->
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
----

== Compliant Solution

[source,csharp]
----
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [HttpPost]
    [RequestSizeLimit(8000000)] // Compliant: 8MB
    public IActionResult PostRequest(Model model)
    {
    // ...
    }

    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 8000000)] // Compliant: 8MB
    public IActionResult MultipartFormRequest(Model model)
    {
    // ...
    }
}
----

In Web.config:

[source,csharp]
----
<configuration>
    <system.web>
        <httpRuntime maxRequestLength="8192" executionTimeout="3600" />
        <!-- Compliant: maxRequestLength is exprimed in KB, so 8192KB = 8MB  -->
    </system.web>
    <system.webServer>
        <security>
            <requestFiltering>
                <requestLimits maxAllowedContentLength="8388608" />
                <!-- Comliant: maxAllowedContentLength is exprimed in bytes, so 8388608B = 8MB  -->
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>
----

include::../see.adoc[]

* https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/web-config[Web.config] - XML-formatted config file for IIS applications

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

=== Parameters

.fileUploadSizeLimit
****
_integer_

----
8000000
----

The maximum size of HTTP requests handling file uploads (in bytes)
****


'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
Nightly update 2021-01-22 04:06:24 +00:00			`include::../description.adoc[]`

			`include::../ask-yourself.adoc[]`

			`include::../recommended.adoc[]`

			`== Sensitive Code Example`

			`----`
			`using Microsoft.AspNetCore.Mvc;`

			`public class MyController : Controller`
			`{`
			`[HttpPost]`
			`[DisableRequestSizeLimit] // Sensitive: No size limit`
update 2021-02-12 16:35:24 +01:00			`[RequestSizeLimit(10000000)] // Sensitive: 10MB is more than the recommended limit of 8MB`
Nightly update 2021-01-23 04:07:47 +00:00			`public IActionResult PostRequest(Model model)`
			`{`
Nightly update 2021-01-22 04:06:24 +00:00			`// ...`
			`}`

			`[HttpPost]`
			`[RequestFormLimits(MultipartBodyLengthLimit = 8000000)] // Sensitive: 10MB is more than the recommended limit of 8MB`
			`public IActionResult MultipartFormRequest(Model model)`
			`{`
			`// ...`
			`}`
			`}`
			`----`

Modify rule S5693: Move web.config links to see part of the document (#140) 2021-06-21 12:01:33 +02:00			`In Web.config:`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00
			`----`
			`<configuration>`
			`<system.web>`
			`<httpRuntime maxRequestLength="81920" executionTimeout="3600" />`
			`<!-- Sensitive: maxRequestLength is exprimed in KB, so 81920KB = 80MB -->`
			`</system.web>`
			`<system.webServer>`
			`<security>`
			`<requestFiltering>`
			`<requestLimits maxAllowedContentLength="83886080" />`
			`<!-- Sensitive: maxAllowedContentLength is exprimed in bytes, so 83886080B = 80MB -->`
			`</requestFiltering>`
			`</security>`
			`</system.webServer>`
			`</configuration>`
			`----`

Nightly update 2021-01-22 04:06:24 +00:00			`== Compliant Solution`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Nightly update 2021-01-22 04:06:24 +00:00			`----`
			`using Microsoft.AspNetCore.Mvc;`

			`public class MyController : Controller`
			`{`
			`[HttpPost]`
update 2021-02-12 16:35:24 +01:00			`[RequestSizeLimit(8000000)] // Compliant: 8MB`
Nightly update 2021-01-22 04:06:24 +00:00			`public IActionResult PostRequest(Model model)`
			`{`
			`// ...`
			`}`

			`[HttpPost]`
			`[RequestFormLimits(MultipartBodyLengthLimit = 8000000)] // Compliant: 8MB`
			`public IActionResult MultipartFormRequest(Model model)`
			`{`
			`// ...`
			`}`
			`}`
			`----`

Modify rule S5693: Move web.config links to see part of the document (#140) 2021-06-21 12:01:33 +02:00			`In Web.config:`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,csharp]`
Update rules after the fix in the export module 2021-04-26 17:29:13 +02:00			`----`
			`<configuration>`
			`<system.web>`
			`<httpRuntime maxRequestLength="8192" executionTimeout="3600" />`
			`<!-- Compliant: maxRequestLength is exprimed in KB, so 8192KB = 8MB -->`
			`</system.web>`
			`<system.webServer>`
			`<security>`
			`<requestFiltering>`
			`<requestLimits maxAllowedContentLength="8388608" />`
			`<!-- Comliant: maxAllowedContentLength is exprimed in bytes, so 8388608B = 8MB -->`
			`</requestFiltering>`
			`</security>`
			`</system.webServer>`
			`</configuration>`
			`----`

Nightly update 2021-01-22 04:06:24 +00:00			`include::../see.adoc[]`
Modify rule S5693: add space before link (#141) 2021-06-21 13:30:34 +02:00
Modify rule S5693: Move web.config links to see part of the document (#140) 2021-06-21 12:01:33 +02:00			`* https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/web-config[Web.config] - XML-formatted config file for IIS applications`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Parameters`

			`.fileUploadSizeLimit`
			`****`
			`_integer_`

			`----`
			`8000000`
			`----`

			`The maximum size of HTTP requests handling file uploads (in bytes)`
			`****`

RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`