Filter large requests

Documentos > Code Analysis > Static Analysis Rules > Filter large requests

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: csharp-security/request-length

Language: C#

Severity: Warning

Category: Security

CWE: 400

Description

Do not allow large requests in your controller. This may lead to many resource allocations and may be a vector of attack for Denial of Services attacks. Always keep the request size to a reasonable estimate.

Learn More

CWE-400: Uncontrolled Resource Consumption

Arguments

max-size: Maximum size for requests. Default: 10000000.

Non-Compliant Code Examples

public class MyController : Controller
{
    [DisableRequestSizeLimit]
    public IActionResult MyRequest()
    {
        Console.WriteLine("inside controller");
    }
}

public class MyController : Controller
{
    [RequestSizeLimit(12000000)]
    public IActionResult PostRequest()
    {
        Console.WriteLine("inside controller");
    }
}

Compliant Code Examples

public class MyController : Controller
{
    [RequestSizeLimit(500000)] // request is lower than the max (10000000 bytes)
    public IActionResult MyRequest()
    {
        Console.WriteLine("inside controller");
    }
}