C# rule S5693: Allowing requests with excessive content length is security-sensitive
This rule has a configurable fileUploadSizeLimit parameter. The code for the rule appears to take the parameter into account when looking at attribute-based upload limits for both request size and request form size, but not when checking the configuration in Web.config; the latter sticks to the hardcoded 8 MB limit for both.
Using SonarQube Community Edition, Version 10.1 (build 73491)
<configuration>
  <system.web>
    <!-- Compliant: maxRequestLength is expressed in KB, so 25600 KB = 25 MB -->
    <httpRuntime maxRequestLength="25600" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Compliant: maxAllowedContentLength is expressed in bytes, so 26214400 = 25 MB -->
        <requestLimits maxAllowedContentLength="26214400" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
With fileUploadSizeLimit set to 35000000, the above snippets are still flagged by the rule.
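The comparison the post describes, written out as an added example (this is not the SonarSource analyzer's code). It normalises both Web.config settings to bytes, since maxRequestLength is in kilobytes and maxAllowedContentLength is in bytes, and then checks them against a threshold. Running it with the post's value of 35000000 reports no violation for the 25 MB snippet, while running it with an 8 MB threshold flags both settings, which is the behaviour the post reports. The Web.config text is constructed from the post's snippet; the exact byte value of the "8 MB" default (8 * 1024 * 1024 here) is an assumption, as is the helper naming.

```python
"""Check Web.config request-size limits against a byte threshold.

Added example, not part of the SonarSource rule implementation.
"""
import xml.etree.ElementTree as ET

# Constructed sample, same values as the snippet in the post (25 MB both ways).
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="25600" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="26214400" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""

# Assumed byte value of the hard-coded "8 MB" limit mentioned in the post.
HARDCODED_DEFAULT_LIMIT = 8 * 1024 * 1024
# Value of fileUploadSizeLimit used in the post.
CONFIGURED_LIMIT = 35_000_000


def extract_limits_in_bytes(web_config_xml):
    """Return {setting_name: size_in_bytes} for the request-size settings present.

    Settings that are absent are simply not reported; ASP.NET then applies its
    own defaults, which this helper does not model.
    """
    root = ET.fromstring(web_config_xml)
    limits = {}
    # <httpRuntime maxRequestLength="..."/> is expressed in kilobytes.
    for http_runtime in root.iter("httpRuntime"):
        if "maxRequestLength" in http_runtime.attrib:
            limits["maxRequestLength"] = int(http_runtime.attrib["maxRequestLength"]) * 1024
    # <requestLimits maxAllowedContentLength="..."/> is already expressed in bytes.
    for request_limits in root.iter("requestLimits"):
        if "maxAllowedContentLength" in request_limits.attrib:
            limits["maxAllowedContentLength"] = int(request_limits.attrib["maxAllowedContentLength"])
    return limits


def find_violations(web_config_xml, file_upload_size_limit):
    """Return the (sorted) names of settings whose value exceeds the limit in bytes."""
    return sorted(
        name
        for name, size in extract_limits_in_bytes(web_config_xml).items()
        if size > file_upload_size_limit
    )


if __name__ == "__main__":
    print("limits in bytes:", extract_limits_in_bytes(SAMPLE_WEB_CONFIG))
    print("violations with fileUploadSizeLimit=35000000:",
          find_violations(SAMPLE_WEB_CONFIG, CONFIGURED_LIMIT))
    print("violations with the hard-coded 8 MB limit:",
          find_violations(SAMPLE_WEB_CONFIG, HARDCODED_DEFAULT_LIMIT))
```

The unit conversion is the part worth double-checking when reviewing a Web.config by hand: 25600 KB and 26214400 bytes are the same 25 MB, so a checker that honours the configured 35000000-byte limit should accept both, and one that silently compares against 8 MB will reject both.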