include::../description.adoc[]
include::../ask-yourself.adoc[]
include::../recommended.adoc[]
== Sensitive Code Example
----
using Microsoft.AspNetCore.Mvc;
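/// <summary>
/// Sensitive example: every limit configured on these actions is either
/// disabled or set above the recommended 8MB, so a client can make the server
/// buffer and parse oversized request bodies.
/// </summary>
public class MyController : Controller
{
    // Each of the two size attributes below is sensitive on its own; they are
    // listed together only to show both forms.
    [HttpPost]
    [DisableRequestSizeLimit] // Sensitive: No size limit
    [RequestSizeLimit(10000000)] // Sensitive: 10MB is more than the recommended limit of 8MB
    public IActionResult PostRequest(Model model)
    {
        // ...
    }

    // The value is 10000000 so that it matches the "10MB" stated in the comment;
    // 8000000 is the value the compliant example uses for the same attribute.
    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 10000000)] // Sensitive: 10MB is more than the recommended limit of 8MB
    public IActionResult MultipartFormRequest(Model model)
    {
        // ...
    }
}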
----
In https://docs.microsoft.com/en-us/troubleshoot/aspnet/create-web-config[Web.config]:
----
<configuration>
<system.web>
<httpRuntime maxRequestLength="81920" executionTimeout="3600" />
<!-- Sensitive: maxRequestLength is expressed in KB, so 81920KB = 80MB -->
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="83886080" />
<!-- Sensitive: maxAllowedContentLength is expressed in bytes, so 83886080B = 80MB -->
</requestFiltering>
</security>
</system.webServer>
</configuration>
----
== Compliant Solution
----
using Microsoft.AspNetCore.Mvc;
/// <summary>
/// Compliant example: both actions cap the accepted payload at the
/// recommended 8MB.
/// </summary>
public class MyController : Controller
{
    // Compliant: 8MB
    [HttpPost]
    [RequestSizeLimit(8_000_000)]
    public IActionResult PostRequest(Model model)
    {
        // ...
    }

    // Compliant: 8MB
    // MultipartBodyLengthLimit bounds each multipart section of the form; the
    // request body as a whole stays subject to the server's request size limit.
    [HttpPost]
    [RequestFormLimits(MultipartBodyLengthLimit = 8_000_000)]
    public IActionResult MultipartFormRequest(Model model)
    {
        // ...
    }
}
----
In https://docs.microsoft.com/en-us/troubleshoot/aspnet/create-web-config[Web.config] (the ASP.NET runtime and IIS request filtering each enforce their own limit, so set both):
----
<configuration>
<system.web>
<httpRuntime maxRequestLength="8192" executionTimeout="3600" />
<!-- Compliant: maxRequestLength is expressed in KB, so 8192KB = 8MB -->
</system.web>
<system.webServer>
<security>
<requestFiltering>
<requestLimits maxAllowedContentLength="8388608" />
<!-- Compliant: maxAllowedContentLength is expressed in bytes, so 8388608B = 8MB -->
</requestFiltering>
</security>
</system.webServer>
</configuration>
----
include::../see.adoc[]