Rules Repository: RSPEC-5693

Allowing requests with excessive content length is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure the content length limit is safe here.
    • List of parameters:
      • Key: fileUploadSizeLimit
      • Description: The maximum size of HTTP requests handling file uploads (in bytes)
      • Default value: 8000000
      • Type: integer
      • Key: standardSizeLimit
      • Description: The maximum size of regular HTTP requests (in bytes)
      • Default value: 2000000
      • Type: integer
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C, C++, Cobol, CSS, Flex, Go, HTML, Kotlin, Objective-C, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB6, XML
    • Covered Languages:
      C#, Java, JavaScript, PHP, VB.Net
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Level:
      Syntactic Analysis
    • Analysis Scope:
      Main Sources, Test Sources
    • CWE:
      CWE-400, CWE-770
    • OWASP:
      A6

      Description

      Rejecting requests with a significant content length is good practice to control network traffic intensity, and thus resource consumption, in order to prevent denial-of-service (DoS) attacks.

      Ask Yourself Whether

      • size limits are not defined for the different resources of the web application.
      • the web application is not protected by rate limiting features.
      • the web application infrastructure has limited resources.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • For most of the features of an application, it is recommended to limit the size of requests to:
        • 8 MB or less for file uploads.
        • 2 MB or less for other requests.

      It is recommended to customize the rule with the limit values that correspond to the web application.
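      As an added illustration of the two limits this rule parameterises (example code, not from the RSPEC page or from SonarSource): a plain Node.js request handler that rejects over-sized bodies up front from Content-Length and, because that header can be absent or dishonest, also counts bytes while streaming. Treating multipart/form-data as the file-upload case is an assumption.

```javascript
// Added example, not code from the RSPEC page: enforcing the rule's two
// parameters (standardSizeLimit, fileUploadSizeLimit) in a plain Node.js handler.
const LIMITS = {
  standardSizeLimit: 2000000,   // rule default for regular requests, in bytes
  fileUploadSizeLimit: 8000000, // rule default for file uploads, in bytes
};

// Assumption: multipart bodies are file uploads; everything else is "regular".
function limitFor(contentType) {
  return /^multipart\/form-data/i.test(contentType || '')
    ? LIMITS.fileUploadSizeLimit
    : LIMITS.standardSizeLimit;
}

// Header-only check, run before a single body byte is read.
// Returns null to proceed, or the HTTP status to answer with (400 or 413).
function preCheck(headers) {
  const raw = headers['content-length'];
  if (raw === undefined) return null; // chunked body: guard while streaming
  if (!/^\d+$/.test(raw)) return 400;  // malformed header
  return Number(raw) > limitFor(headers['content-type']) ? 413 : null;
}

// Streaming guard: counts bytes actually received, because Content-Length may
// be absent or dishonest. accept() returns false once the limit is exceeded.
function bodyGuard(limit) {
  let received = 0;
  return {
    accept(chunk) { received += chunk.length; return received <= limit; },
    received: () => received,
  };
}

function handler(req, res) {
  const status = preCheck(req.headers);
  if (status !== null) { res.writeHead(status); return res.end(); }
  const guard = bodyGuard(limitFor(req.headers['content-type']));
  req.on('data', (chunk) => {
    if (guard.accept(chunk)) return;
    req.pause();                                 // stop consuming the body
    res.writeHead(413, { Connection: 'close' });
    res.end(() => req.destroy());                // drop the connection once sent
  });
  req.on('end', () => { if (!res.headersSent) { res.writeHead(200); res.end('ok'); } });
}

// Usage: createServer().listen(8080)
function createServer() { return require('http').createServer(handler); }
```

      The streaming guard is what matters for chunked uploads: a client that omits Content-Length never reaches the header check, so the byte count is the only limit that applies to it.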

      See


          Issue Links

          1. JavaScript RSPEC-5694 Language-Specification Active Unassigned
          2. PHP RSPEC-6087 Language-Specification Active Unassigned
          3. C# RSPEC-6133 Language-Specification Active Unassigned
          4. Java RSPEC-6150 Language-Specification Active Unassigned
          5. VB.NET RSPEC-6161 Language-Specification Active Unassigned


              People

              Assignee:
              Unassigned
              Reporter:
              eric.therond Eric Therond (Inactive)
              Votes:
              0
              Watchers:
              3
