129 lines
2.9 KiB
Plaintext
129 lines
2.9 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
include::../ask-yourself.adoc[]
|
|
|
|
include::../recommended.adoc[]
|
|
|
|
== Sensitive Code Example
|
|
|
|
[source,csharp]
|
|
----
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
public class MyController : Controller
|
|
{
|
|
[HttpPost]
|
|
[DisableRequestSizeLimit] // Sensitive: No size limit
|
|
[RequestSizeLimit(10485760)] // Sensitive: 10485760 B = 10240 KB = 10 MB is more than the recommended limit of 8MB
|
|
public IActionResult PostRequest(Model model)
|
|
{
|
|
// ...
|
|
}
|
|
|
|
[HttpPost]
|
|
[RequestFormLimits(MultipartBodyLengthLimit = 10485760)] // Sensitive: 10485760 B = 10240 KB = 10 MB is more than the recommended limit of 8MB
|
|
public IActionResult MultipartFormRequest(Model model)
|
|
{
|
|
// ...
|
|
}
|
|
}
|
|
----
|
|
|
|
In Web.config:
|
|
|
|
[source,xml]
|
|
----
|
|
<configuration>
|
|
<system.web>
|
|
<httpRuntime maxRequestLength="81920" executionTimeout="3600" />
|
|
<!-- Sensitive: maxRequestLength is expressed in KB, so 81920 KB = 80 MB -->
|
|
</system.web>
|
|
<system.webServer>
|
|
<security>
|
|
<requestFiltering>
|
|
<requestLimits maxAllowedContentLength="83886080" />
|
|
<!-- Sensitive: maxAllowedContentLength is expressed in bytes, so 83886080 B = 81920 KB = 80 MB -->
|
|
</requestFiltering>
|
|
</security>
|
|
</system.webServer>
|
|
</configuration>
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
[source,csharp]
|
|
----
|
|
using Microsoft.AspNetCore.Mvc;
|
|
|
|
public class MyController : Controller
|
|
{
|
|
[HttpPost]
|
|
[RequestSizeLimit(8388608)] // Compliant: 8388608 B = 8192 KB = 8 MB
|
|
public IActionResult PostRequest(Model model)
|
|
{
|
|
// ...
|
|
}
|
|
|
|
[HttpPost]
|
|
[RequestFormLimits(MultipartBodyLengthLimit = 8388608)] // Compliant: 8388608 B = 8192 KB = 8 MB
|
|
public IActionResult MultipartFormRequest(Model model)
|
|
{
|
|
// ...
|
|
}
|
|
}
|
|
----
|
|
|
|
In Web.config:
|
|
|
|
[source,xml]
|
|
----
|
|
<configuration>
|
|
<system.web>
|
|
<httpRuntime maxRequestLength="8192" executionTimeout="3600" />
|
|
<!-- Compliant: maxRequestLength is expressed in KB, so 8192 KB = 8 MB -->
|
|
</system.web>
|
|
<system.webServer>
|
|
<security>
|
|
<requestFiltering>
|
|
<requestLimits maxAllowedContentLength="8388608" />
|
|
<!-- Compliant: maxAllowedContentLength is expressed in bytes, so 8388608 B = 8192 KB = 8 MB -->
|
|
</requestFiltering>
|
|
</security>
|
|
</system.webServer>
|
|
</configuration>
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
* https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/iis/web-config[Web.config] - XML-formatted config file for IIS applications
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
=== Parameters
|
|
|
|
.fileUploadSizeLimit
|
|
****
|
|
_integer_
|
|
|
|
----
|
|
8388608
|
|
----
|
|
|
|
The maximum size of HTTP requests handling file uploads (in bytes)
|
|
****
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|