csharp:S5693 fileUploadSizeLimit parameter ignored when parsing Web.config

C# rule S5693: Allowing requests with excessive content length is security-sensitive

This rule has a configurable fileUploadSizeLimit parameter. The code for the rule appears to take the parameter into account when looking at attribute-based upload limits for both request size and request form size, but not when checking the configuration in Web.config; the latter sticks to the hardcoded 8 MB limit for both.

Using SonarQube Community Edition, Version 10.1 (build 73491)

        <httpRuntime maxRequestLength="25600" />
        <!-- Compliant: maxRequestLength is expressed in KB, so 25600 KB = 25 MB -->
                <requestLimits maxAllowedContentLength="26214400" />
                <!-- Compliant: maxAllowedContentLength is expressed in bytes, so 26214400 = 25 MB -->

When fileUploadSizeLimit is set to 35000000, the above snippets are still flagged by the rule.
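The check the report expects the rule to perform, written out as an added example (this is not SonarSource's analyzer code, and the function and constant names are my own): read both Web.config limits, convert maxRequestLength from KB to bytes, leave maxAllowedContentLength in bytes, and compare each against a configurable limit instead of a fixed 8 MB. The sample Web.config is constructed inline from the two snippets in the post, and the 8 MB default is assumed to mean 8 * 1024 * 1024 bytes.

```python
"""Compare Web.config upload limits against a configurable byte limit.

Added example, not the S5693 implementation. It shows the two unit
conventions a Web.config check has to handle:
  - system.web/httpRuntime@maxRequestLength is in kilobytes
  - system.webServer/.../requestLimits@maxAllowedContentLength is in bytes
"""
import xml.etree.ElementTree as ET

KB = 1024
# Assumption: the rule's 8 MB default corresponds to 8 * 1024 * 1024 bytes.
DEFAULT_LIMIT_BYTES = 8 * KB * KB

# Constructed sample built from the two snippets in the report above.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime maxRequestLength="25600" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="26214400" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def _to_int(raw):
    """Parse an attribute value as an int; None if missing or not numeric."""
    if raw is None:
        return None
    try:
        return int(raw)
    except ValueError:
        return None


def check_web_config(xml_text, file_upload_size_limit=DEFAULT_LIMIT_BYTES):
    """Return (setting, configured_bytes) for every limit above the threshold.

    file_upload_size_limit plays the role of the rule's fileUploadSizeLimit
    parameter and is always in bytes. An empty list means compliant.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # httpRuntime: value is in KB, so scale it before comparing.
    for el in root.iter("httpRuntime"):
        kb = _to_int(el.get("maxRequestLength"))
        if kb is None:
            continue
        configured_bytes = kb * KB
        if configured_bytes > file_upload_size_limit:
            findings.append(("httpRuntime.maxRequestLength", configured_bytes))

    # requestLimits: value is already in bytes.
    for el in root.iter("requestLimits"):
        configured_bytes = _to_int(el.get("maxAllowedContentLength"))
        if configured_bytes is None:
            continue
        if configured_bytes > file_upload_size_limit:
            findings.append(("requestLimits.maxAllowedContentLength", configured_bytes))

    return findings


if __name__ == "__main__":
    # With the hardcoded 8 MB default both 25 MB settings are flagged ...
    print(check_web_config(SAMPLE_WEB_CONFIG))
    # ... but with the parameter raised to 35000000 bytes neither should be.
    print(check_web_config(SAMPLE_WEB_CONFIG, 35000000))
```

Running it prints two findings at the 8 MB default and none at 35000000 bytes, which is the behaviour the report says the rule is missing for the Web.config path.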

Hi Andrew! Thank you for bringing this to our attention.
I have reviewed the issue and can confirm that it is a false positive. I have already created an issue in our GitHub repository and also provided a reproducer.
I appreciate the thorough report on the rule side, thanks a lot!

