[RSPEC-5693] Allowing requests with excessive content length is security-sensitive - SonarSource

XML

Word

Printable

Details

Type: Security Hotspot Detection
Status: Active
Resolution: Unresolved
Labels:
- cert
- cwe
- owasp-a6

Message:
Make sure the content length limit is safe here.
List of parameters:
Hide

Key: fileUploadSizeLimit

Description: The maximum size of HTTP requests handling file uploads (in bytes)

Default value: 8000000

Type: integer

Key: standardSizeLimit

Description: The maximum size of regular HTTP requests (in bytes)

Default value: 2000000

Type: integer
Show
Key: fileUploadSizeLimit Description: The maximum size of HTTP requests handling file uploads (in bytes) Default value: 8000000 Type: integer Key: standardSizeLimit Description: The maximum size of regular HTTP requests (in bytes) Default value: 2000000 Type: integer
Default Severity:
Major
Impact:
Low
Likelihood:
High
Default Quality Profiles:

Sonar way
Targeted languages:

ABAP, APEX, C, C++, Cobol, CSS, Flex, Go, HTML, Kotlin, Objective-C, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB6, XML
Covered Languages:

C#, Java, JavaScript, PHP, VB.Net
Remediation Function:
Constant/Issue
Constant Cost:
5min
Analysis Level:

Syntactic Analysis
Analysis Scope:

Main Sources, Test Sources

CWE:
CWE-400, CWE-770
OWASP:
A6

Description

Rejecting requests with significant content length is a good practice to control the network traffic intensity and thus resource consumption in order to prevents DoS attacks.

Ask Yourself Whether

size limits are not defined for the different resources of the web application.
the web application is not protected by rate limiting features.
the web application infrastructure has limited resources.

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

For most of the features of an application, it is recommended to limit the size of requests to:
- lower or equal to 8mb for file uploads.
- lower or equal to 2mb for other requests.

It is recommended to customize the rule with the limit values that correspond to the web application.

See

Owasp Cheat Sheet - Owasp Denial of Service Cheat Sheet
OWASP Top 10 2017 Category A6 - Security Misconfiguration
CWE-770 - Allocation of Resources Without Limits or Throttling
CWE-400 - Uncontrolled Resource Consumption

Attachments

Issue Links

is implemented by

SONARPHP-1108 Rule S5693 should support configuration files

Open

SONARPHP-1109 Rule S5693 should support annotations

Open

SONARJAVA-3679 Rule S5693: Allowing requests with excessive content length is security-sensitive

Closed

SONARPHP-1107 Rule S5693: Allowing requests with excessive content length is security-sensitive

Closed

links to

is implemented by sonar-dotnet/issues/3980

is implemented by SonarJS/issues/1882

(1 links to)

Options

Progress

Sub-Tasks

1.	JavaScript	RSPEC-5694	Active	Unassigned
2.	PHP	RSPEC-6087	Active	Unassigned
3.	C#	RSPEC-6133	Active	Unassigned
4.	Java	RSPEC-6150	Active	Unassigned
5.	VB.NET	RSPEC-6161	Active	Unassigned

Activity

People

Assignee:: Unassigned

Reporter:: Eric Therond (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 09/Jan/20 2:39 PM

Updated:: 17/Mar/21 3:04 PM