C# rule S5693: Allowing requests with excessive content length is security-sensitive
This rule has a configurable fileUploadSizeLimit parameter. The code for the rule appears to take the parameter into account when looking at attribute-based upload limits for both request size and request form size, but not when checking the configuration in Web.config; the latter sticks to the hardcoded 8 MB limit for both.
Using SonarQube Community Edition, Version 10.1 (build 73491)
```xml
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="25600" />
    <!-- Compliant: maxRequestLength is expressed in KB, so 25600KB = 25MB -->
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="26214400" />
        <!-- Compliant: maxAllowedContentLength is expressed in bytes, so 26214400 = 25MB -->
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```
When fileUploadSizeLimit is set to 35000000, the above snippets are still flagged by the rule.
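The post turns on a unit mismatch between the two settings (KB for `httpRuntime/@maxRequestLength`, bytes for `requestLimits/@maxAllowedContentLength`) and on the rule comparing both against a threshold. The script below is an added example, not part of the post or of the Sonar rule's code: it reads a Web.config, normalises both limits to bytes, applies the framework defaults when an attribute is absent (4096 KB for `maxRequestLength`, 30000000 bytes for `maxAllowedContentLength`, which are the ASP.NET and IIS defaults), reports the effective limit (the smaller of the two, since both apply to the same request), and lists which settings exceed a configurable threshold the way the rule's `fileUploadSizeLimit` would. The sample config is the one from the post.

```python
import xml.etree.ElementTree as ET

KB = 1024
# Framework defaults used when the attribute is not set in Web.config.
DEFAULT_MAX_REQUEST_LENGTH_KB = 4096            # ASP.NET httpRuntime default
DEFAULT_MAX_ALLOWED_CONTENT_LENGTH_BYTES = 30_000_000  # IIS requestFiltering default

# Constructed sample: the Web.config from the post (25 MB in both places).
SAMPLE_WEB_CONFIG = """
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="25600" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="26214400" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def parse_limits(web_config_xml: str) -> dict:
    """Return both upload limits normalised to bytes, plus the effective limit."""
    root = ET.fromstring(web_config_xml)

    http_runtime = root.find("./system.web/httpRuntime")
    request_limits = root.find(
        "./system.webServer/security/requestFiltering/requestLimits"
    )

    # maxRequestLength is expressed in KB.
    max_request_length_kb = DEFAULT_MAX_REQUEST_LENGTH_KB
    if http_runtime is not None and "maxRequestLength" in http_runtime.attrib:
        max_request_length_kb = int(http_runtime.attrib["maxRequestLength"])

    # maxAllowedContentLength is expressed in bytes.
    max_allowed_content_length = DEFAULT_MAX_ALLOWED_CONTENT_LENGTH_BYTES
    if request_limits is not None and "maxAllowedContentLength" in request_limits.attrib:
        max_allowed_content_length = int(request_limits.attrib["maxAllowedContentLength"])

    max_request_length_bytes = max_request_length_kb * KB
    return {
        "maxRequestLength_bytes": max_request_length_bytes,
        "maxAllowedContentLength_bytes": max_allowed_content_length,
        # Both limits are enforced on the same request, so the smaller one wins.
        "effective_limit_bytes": min(max_request_length_bytes, max_allowed_content_length),
    }


def check_upload_limit(web_config_xml: str, file_upload_size_limit: int) -> list:
    """List the settings whose limit (in bytes) exceeds file_upload_size_limit.

    An empty list means both settings are at or below the threshold, which is
    what a rule honouring its fileUploadSizeLimit parameter should report.
    """
    limits = parse_limits(web_config_xml)
    findings = []
    for name in ("maxRequestLength_bytes", "maxAllowedContentLength_bytes"):
        if limits[name] > file_upload_size_limit:
            findings.append(
                f"{name.removesuffix('_bytes')}: {limits[name]} bytes exceeds "
                f"limit of {file_upload_size_limit} bytes"
            )
    return findings


if __name__ == "__main__":
    print(parse_limits(SAMPLE_WEB_CONFIG))
    # Threshold from the post: 35000000 bytes -> nothing to report.
    print(check_upload_limit(SAMPLE_WEB_CONFIG, 35_000_000))
    # The rule's hardcoded 8 MB threshold flags both settings.
    print(check_upload_limit(SAMPLE_WEB_CONFIG, 8_000_000))
```

Running the script against the sample config prints an effective limit of 26214400 bytes, no findings at a 35000000-byte threshold, and two findings at 8000000 bytes, which is the behaviour the post describes seeing from the rule regardless of the configured parameter.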