codeql/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.qhelp at d3e580fd0ed0b52c531f0bdaa4e17033dd604c1d · github/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<!DOCTYPE qhelp PUBLIC
  "-//Semmle//qhelp//EN"
  "qhelp.dtd">
<qhelp>

  <overview>
    <p>
      The <code>maxRequestLength</code> attribute sets the limit for the input
      stream buffering threshold in KB. Attackers can use large requests to cause
      denial-of-service attacks.
    </p>
  </overview>
  <recommendation>

    <p>
      The recommended value is 4096 KB but you should try setting it as
      small as possible according to business requirements.
    </p>

  </recommendation>
  <example>

    <p>
      The following example shows the <code>maxRequestLength</code>
      attribute set to a high value (255 MB) in a <code>Web.config</code>
      file for ASP.NET:
    </p>

    <sample src="Web.config.ASPNetMaxRequestLength.bad" />

    <p>
      Unless such a high value is strictly needed, it is better to set
      the recommended value (4096 KB):
    </p>

    <sample src="Web.config.ASPNetMaxRequestLength.good" />

  </example>

  <references>

    <li>
      MSDN:
      <a href="https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.httpruntimesection.maxrequestlength?view=netframework-4.8">HttpRuntimeSection.MaxRequestLength Property</a>.
    </li>
  </references>
</qhelp>