Metadata

ID: csharp-security/request-length

Language: C#

Severity: Warning

Category: Security

CWE: 400

Description

Do not allow large requests in your controller. Accepting them can lead to excessive resource allocation and can serve as a vector for denial-of-service attacks. Always keep the request size limit to a reasonable estimate.

Arguments

  • max-size: Maximum size for requests. Default: 10000000.

Non-Compliant Code Examples

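using System;
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [DisableRequestSizeLimit] // non-compliant: removes the request size limit entirely
    public IActionResult MyRequest()
    {
        Console.WriteLine("inside controller");
        return Ok();
    }
}

using System;
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [RequestSizeLimit(12000000)] // non-compliant: higher than the max (10000000 bytes)
    public IActionResult PostRequest()
    {
        Console.WriteLine("inside controller");
        return Ok();
    }
}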

Compliant Code Examples

using System;
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [RequestSizeLimit(500000)] // request is lower than the max (10000000 bytes)
    public IActionResult MyRequest()
    {
        Console.WriteLine("inside controller");
        return Ok();
    }
}
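
The check this rule describes can be approximated in a few lines for a quick repository sweep. The Python sketch below is an added example, not the rule's own implementation and not code from this page: it uses a regular expression instead of a C# parser, and the reason strings, the constructed `SAMPLE`, the handling of non-literal arguments, and accepting a limit exactly equal to `max-size` are assumptions.

```python
import re

DEFAULT_MAX_SIZE = 10_000_000  # the rule's documented max-size default

# Attribute name right after "[" or ",", optional "Attribute" suffix, optional args.
ATTR_RE = re.compile(
    r"[\[,]\s*(?P<name>DisableRequestSizeLimit|RequestSizeLimit)(?:Attribute)?\b"
    r"(?:\s*\(\s*(?P<arg>[^)]*?)\s*\))?"
)
LINE_COMMENT_RE = re.compile(r"//.*$")

def parse_size(literal):
    """Value of a C# integer literal (12000000, 12_000_000, 0xB71B00, 10L) or None."""
    text = literal.replace("_", "").rstrip("uUlL")
    base = 0 if text.lower().startswith(("0x", "0b")) else 10
    try:
        return int(text, base)
    except ValueError:
        return None

def find_violations(source, max_size=DEFAULT_MAX_SIZE):
    """Return (line_number, reason) pairs for attributes the rule would reject."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = LINE_COMMENT_RE.sub("", line)  # ignore attributes in // comments
        for match in ATTR_RE.finditer(code):
            if match.group("name") == "DisableRequestSizeLimit":
                findings.append((lineno, "limit-disabled"))
                continue
            size = parse_size(match.group("arg") or "")
            if size is None:
                # Assumption: a constant or expression is reported for manual review.
                findings.append((lineno, "non-literal-limit"))
            elif size > max_size:  # assumption: exactly max-size is accepted
                findings.append((lineno, "limit-exceeds-max"))
    return findings

# Constructed sample input, modelled on the examples above.
SAMPLE = """\
[DisableRequestSizeLimit]
public IActionResult A() { return Ok(); }
[HttpPost, RequestSizeLimit(12_000_000)]
public IActionResult B() { return Ok(); }
[RequestSizeLimit(500000)] // lower than the max
public IActionResult C() { return Ok(); }
[RequestSizeLimit(MaxUpload)]
public IActionResult D() { return Ok(); }
"""
print(find_violations(SAMPLE))
```

Pass a different `max_size` to mirror a customized `max-size` argument.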