S5693 parameter cannot be used to allow maximum for maxRequestLength

Hi,

We have some web.config files which have the max for maxRequestLength:

<httpRuntime targetFramework="4.8" executionTimeout="600" maxRequestLength="2147483647"/>

This triggers the rule S5693 "Allowing requests with excessive content length is security-sensitive".

So I set the FileUploadSizeLimit parameter for this rule to 2147483647, but the rule still reports issues.

I looked at the code, but the parameter is divided by one kilobyte, so you can never set the maximum:

RequestsWithExcessiveLengthBase.cs
157: && IsVulnerable(maxRequestLength.Value, FileUploadSizeLimit / OneKilobyte)

Regards,

Valentijn

Hey there.

What version of SonarQube are you using?

Version v10.6 (92116)

Hi,

I think there is a problem in the unit used between the rule parameter and the Web.config.

The Web.config maxRequestLength property is an Int32 expressed in KB.
Our rule parameter is also an int, but expressed in bytes.

So there is no way to allow 2147483647 KB in our rule.

I think our analyzer should be updated to be consistent with the maxRequestLength unit. This is not trivial as this would imply a migration for existing values.

In the meantime, you can set a lower value in your Web.config (max 2097151), and keep max int in the rule configuration.
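To make the unit mismatch concrete, here is an added example (not code from SonarSource or from the thread) that reads maxRequestLength from a web.config and reproduces the KB-versus-bytes comparison the rule performs. It assumes IsVulnerable is a plain "greater than" check, which the quoted line does not show.

```python
import xml.etree.ElementTree as ET

ONE_KILOBYTE = 1024
INT32_MAX = 2_147_483_647  # ceiling for both maxRequestLength (KB) and the rule parameter (bytes)

# Constructed sample: the httpRuntime element from the thread, wrapped in a minimal web.config.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" executionTimeout="600" maxRequestLength="2147483647"/>
  </system.web>
</configuration>"""


def max_request_length_kb(web_config_xml: str) -> int:
    """Return httpRuntime/@maxRequestLength in KB, or ASP.NET's default of 4096 KB when absent."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/httpRuntime")
    if node is None or node.get("maxRequestLength") is None:
        return 4096
    return int(node.get("maxRequestLength"))


def largest_allowed_kb(file_upload_size_limit_bytes: int) -> int:
    """Largest maxRequestLength (KB) the rule accepts for a given byte-valued parameter.
    Mirrors the quoted 'FileUploadSizeLimit / OneKilobyte' (integer division in C#)."""
    return file_upload_size_limit_bytes // ONE_KILOBYTE


def flagged_by_rule(max_request_length_kb_value: int, file_upload_size_limit_bytes: int) -> bool:
    """Assumed shape of IsVulnerable: the KB attribute exceeds the parameter converted to KB.
    Because the parameter is capped at INT32_MAX bytes, any attribute above 2097151 KB
    is flagged no matter how the parameter is set."""
    return max_request_length_kb_value > largest_allowed_kb(file_upload_size_limit_bytes)


def audit(web_config_xml: str, file_upload_size_limit_bytes: int = INT32_MAX) -> dict:
    """Summarise what the rule would do for this config and parameter value."""
    kb = max_request_length_kb(web_config_xml)
    return {
        "maxRequestLength_kb": kb,
        "maxRequestLength_bytes": kb * ONE_KILOBYTE,
        "largest_allowed_kb": largest_allowed_kb(file_upload_size_limit_bytes),
        "flagged": flagged_by_rule(kb, file_upload_size_limit_bytes),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_CONFIG))
```

With the parameter at its maximum, 2097151 KB is the largest value that passes, which is the workaround suggested above.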

Hello @Valentijn,

I have opened a ticket in our backlog to fix the unit issue.

Have a great day!