CodeQL queries 1.25

Name: Large 'maxRequestLength' value

Description: Setting a large 'maxRequestLength' value may render a webpage vulnerable to denial-of-service attacks.

ID: cs/web/large-max-request-length

Kind: problem

Severity: warning

Query: ASPNetMaxRequestLength.ql
/**
 * @name Large 'maxRequestLength' value
 * @description Setting a large 'maxRequestLength' value may render a webpage vulnerable to
 *              denial-of-service attacks.
 * @kind problem
 * @problem.severity warning
 * @id cs/web/large-max-request-length
 * @tags security
 *       frameworks/asp.net
 *       external/cwe/cwe-16
 */

import csharp
import semmle.code.asp.WebConfig

from SystemWebXMLElement web, XMLAttribute maxReqLength
where
  maxReqLength =
    web
        .getAChild(any(string s | s.toLowerCase() = "httpruntime"))
        .getAttribute(any(string s | s.toLowerCase() = "maxrequestlength")) and
  maxReqLength.getValue().toInt() > 4096
select maxReqLength, "Large 'maxRequestLength' value (" + maxReqLength.getValue() + " KB)."

The maxRequestLength attribute sets the limit for the input stream buffering threshold in KB. Attackers can use large requests to cause denial-of-service attacks.

Recommendation

The recommended value is 4096 KB but you should try setting it as small as possible according to business requirements.

Example

The following example shows the maxRequestLength attribute set to a high value (255 MB) in a Web.config file for ASP.NET:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="255000" />
  </system.web>
</configuration>

Unless such a high value is strictly needed, it is better to set the recommended value (4096 KB):

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="4096" />
  </system.web>
</configuration>
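As an added illustration, not part of the page or of the CodeQL query, the following stand-alone Python check applies the same rule to a Web.config outside CodeQL: a case-insensitive match of an httpRuntime child of system.web with a maxRequestLength attribute, flagged when the value exceeds 4096 KB, with non-numeric values skipped as the query's toInt() would. The sample Web.config is constructed for the example.

```python
"""Flag oversized httpRuntime maxRequestLength values in ASP.NET Web.config content."""
import xml.etree.ElementTree as ET

# Same threshold as the CodeQL query above: values above 4096 KB are reported.
MAX_REQUEST_LENGTH_KB = 4096


def find_large_max_request_length(web_config_xml: str, limit_kb: int = MAX_REQUEST_LENGTH_KB) -> list:
    """Return (value_kb, message) for every maxRequestLength above limit_kb.

    Element and attribute names are compared case-insensitively, as in the query.
    Values that do not parse as integers are ignored (CodeQL's toInt() has no result).
    """
    root = ET.fromstring(web_config_xml.encode("utf-8"))
    findings = []
    # Walk the whole tree so <location><system.web> sections are covered as well.
    for elem in root.iter():
        if elem.tag.lower() != "system.web":
            continue
        for child in elem:
            if child.tag.lower() != "httpruntime":
                continue
            for attr_name, attr_value in child.attrib.items():
                if attr_name.lower() != "maxrequestlength":
                    continue
                try:
                    value_kb = int(attr_value.strip())
                except ValueError:
                    continue
                if value_kb > limit_kb:
                    findings.append((value_kb, f"Large 'maxRequestLength' value ({attr_value} KB)."))
    return findings


# Constructed sample: one oversized setting (255000 KB) and one at the recommended value.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="255000" />
  </system.web>
  <location path="upload">
    <system.web>
      <httpruntime MAXREQUESTLENGTH="4096" />
    </system.web>
  </location>
</configuration>
"""

if __name__ == "__main__":
    for _value_kb, message in find_large_max_request_length(SAMPLE_WEB_CONFIG):
        print(message)
```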
