Filter large requests

Metadata

ID: csharp-security/request-length

Language: C#

Severity: Warning

Category: Security

Description

Do not allow large requests in your controllers. A large request body can force many resource allocations and can be used as a vector for denial-of-service attacks. Always keep the request size limit to a reasonable estimate.

Non-Compliant Code Examples

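using System;
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    // Non-compliant: removes the request body size limit for this action
    [DisableRequestSizeLimit]
    public IActionResult MyRequest()
    {
        Console.WriteLine("inside controller");
        return Ok();
    }
}

using System;
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    // Non-compliant: 12000000 bytes is above the max (10000000 bytes)
    [RequestSizeLimit(12000000)]
    public IActionResult PostRequest()
    {
        Console.WriteLine("inside controller");
        return Ok();
    }
}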

Compliant Code Examples

using System;
using Microsoft.AspNetCore.Mvc;

public class MyController : Controller
{
    [RequestSizeLimit(500000)] // request is lower than the max (10000000 bytes)
    public IActionResult MyRequest()
    {
        Console.WriteLine("inside controller");
        return Ok();
    }
}
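
A small audit script in the spirit of this rule, added here as an example and not the analyzer's own implementation: it scans C# source for `[DisableRequestSizeLimit]` and for `[RequestSizeLimit(N)]` values above the maximum. The name `find_violations`, the sample controller, and the choice to flag only values strictly above the 10000000 bytes mentioned in the compliant example are assumptions.

```python
import re

MAX_BYTES = 10_000_000  # maximum named in the page's compliant example

# Match the attribute alone or inside a list such as [HttpPost, RequestSizeLimit(...)].
DISABLE_RE = re.compile(r"\[[^\]\n]*\bDisableRequestSizeLimit(?:Attribute)?\b")
LIMIT_RE = re.compile(
    r"\[[^\]\n]*\bRequestSizeLimit(?:Attribute)?\s*\(\s*([0-9][0-9_]*)[lL]?\s*\)"
)

def find_violations(source, max_bytes=MAX_BYTES):
    """Return (line_number, message) pairs for attributes the rule would flag.

    Assumptions: "//" does not occur inside a string literal on an attribute
    line, and the limit is a decimal literal (named constants are not resolved).
    """
    findings = []
    for number, raw in enumerate(source.splitlines(), start=1):
        line = raw.split("//", 1)[0]  # ignore trailing line comments
        if DISABLE_RE.search(line):
            findings.append((number, "request size limit disabled"))
        match = LIMIT_RE.search(line)
        if match:
            limit = int(match.group(1).replace("_", ""))
            if limit > max_bytes:
                findings.append((number, f"limit {limit} exceeds {max_bytes} bytes"))
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE = '''public class UploadController : Controller
{
    [DisableRequestSizeLimit]
    public IActionResult A() { return Ok(); }

    [HttpPost, RequestSizeLimit(12_000_000)]
    public IActionResult B() { return Ok(); }

    [RequestSizeLimit(500000)] // below the maximum
    public IActionResult C() { return Ok(); }

    // [DisableRequestSizeLimit] left in a comment, ignored
    public IActionResult D() { return Ok(); }
}
'''

if __name__ == "__main__":
    for number, message in find_violations(SAMPLE):
        print(f"line {number}: {message}")
```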