CodeQL queries 1.25

Name: Insecure configuration for ASP.NET requestValidationMode

Description: Setting 'requestValidationMode' to less than 4.5 disables built-in validations included by default in ASP.NET. Disabling or downgrading this protection is not recommended.

ID: cs/insecure-request-validation-mode

Kind: problem

Severity: warning

Query: ASPNetRequestValidationMode.ql
/**
 * @name Insecure configuration for ASP.NET requestValidationMode
 * @description Setting 'requestValidationMode' to less than 4.5 disables built-in validations
 *              included by default in ASP.NET. Disabling or downgrading this protection is not
 *              recommended.
 * @kind problem
 * @id cs/insecure-request-validation-mode
 * @problem.severity warning
 * @tags security
 *       external/cwe/cwe-016
 */

import csharp

from XMLAttribute reqValidationMode
where
  reqValidationMode.getName().toLowerCase() = "requestvalidationmode" and
  reqValidationMode.getValue().toFloat() < 4.5
select reqValidationMode,
  "Insecure value for requestValidationMode (" + reqValidationMode.getValue() + ")."

The requestValidationMode attribute in ASP.NET is used to configure built-in validation to protect applications against code injections. Downgrading or disabling this configuration is not recommended. The default value of 4.5 is the only recommended value, as previous versions only test a subset of requests.

Recommendation

Always set requestValidationMode to 4.5, or leave it at its default value.

Example

The following example shows the requestValidationMode attribute set to a value of 4.0, which disables some protections and ignores individual Page directives:

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.0"/>
  </system.web>
</configuration>

Setting the value to 4.5 enables request validation for all requests:

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.5"/>
  </system.web>
</configuration>
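A stand-alone checker that applies the same test as the query above to a web.config document, added here as an example that is not part of the CodeQL query set. It matches the attribute name case-insensitively and compares the value as a number, and additionally reports a non-numeric value, which the query itself skips because toFloat() yields no result for it. The sample configurations are constructed.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Below this value ASP.NET request validation covers only a subset of
# requests; it is the threshold the CodeQL query above compares against.
SAFE_REQUEST_VALIDATION_MODE = 4.5


def find_insecure_request_validation(config_xml: str) -> List[Tuple[str, str]]:
    """Return (element tag, message) for each requestValidationMode below 4.5.
    Mirrors the query: attribute name matched case-insensitively, value
    compared as a float. Unlike the query, where toFloat() yields no result
    for a non-numeric value (so it is never reported), an unparseable value
    is reported here so it cannot slip through unnoticed.
    """
    findings: List[Tuple[str, str]] = []
    for elem in ET.fromstring(config_xml).iter():
        for attr_name, raw_value in elem.attrib.items():
            if attr_name.lower() != "requestvalidationmode":
                continue
            try:
                mode = float(raw_value)
            except ValueError:
                findings.append((elem.tag, f"unparseable value '{raw_value}'"))
                continue
            if mode < SAFE_REQUEST_VALIDATION_MODE:
                findings.append((elem.tag, f"insecure value {raw_value}"))
    return findings


# Constructed sample web.config documents, not taken from any real deployment.
INSECURE_CONFIG = """<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.0"/>
  </system.web>
</configuration>"""

SECURE_CONFIG = """<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.5"/>
  </system.web>
</configuration>"""

# Mixed-case attribute name plus a value that is not a number.
ODD_CONFIG = """<configuration>
  <system.web>
    <httpRuntime RequestValidationMode="2.0"/>
    <httpRuntime requestValidationMode="latest"/>
  </system.web>
</configuration>"""
```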

References